Monday, March 12, 2012

"Testing Image collection" shell and files upload vulnewrablity

Dorks : inurl:"modules/filemanagermodule/actions/?picker.php??id=0"
            intitle:"Testing Image Collections"
Goto Google or Bing and Type Dork  inurl:"modules/filemanagermodule/actions/?picker.php??id=0" or intitle:"Testing Image Collections"
now see search results in google or bing search ..
select any site from search results and look for upload option
here is demo of upload button :


Now select your shell or deface page and upload it
To view your upload shell or deface go to:
http://website.com/files/yourfilehere  or
http://websites.com/path/yourfilehere
Live Demo :
http://www.bantamorloff.co.uk/modules/filemanagermodule/actions/picker.php?id=&highlight_file=472
result :  http://www.bantamorloff.co.uk/files/backlinks.html
other live examples :

http://www.admiralfc.co.uk/modules/filemanagermodule/actions/picker.php?id=0
http://www.dogandduckfc.com/newsite/modules/filemanagermodule/actions/picker.php?id=0
*UPDATE : Demo sites are patched now Find a new target >:D<
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)