Author : Darkzzzz a.k.a X-Cisadane
:————————————————————————————————————————-:
: # Exploit Title : AV Arcade v5.3.2 Multiple Vulnerabilities
: # Date : 31 July 2011
: # Author : X-Cisadane
: # Software Link : http://www.avscripts.net/avarcade/
: # Version : 5.3.2
: # Category : Web Applications
: # Vulnerability : Persistent XSS & Upload Shell
: # Tested On : Mozilla Firefox 4.x (Windows)
: # Dorks : inurl:/task/allnews.html
: # Greetz to : X-Code, Muslim Hackers, Depok Cyber, Hacker Cisadane, Borneo Crew, Dunia Santai, Jiban Crew, Winda Utari
:————————————————————————————————————————-:
PoC :
1. Shell Upload
[1] Login As Administrator.
[2] Go To http://your site//admin/?task=manage_games
[3] Click (+) Add A Game.
[4] Upload A File & Image (Browse Your Php Shell).
[5] Submit.
[6] Go To http://your site//games/images/.php
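The upload step works because the game form writes whatever file the administrator supplies straight into games/images/ under its original name, so a .php file lands in a directory the web server will execute. The following is an added mitigation example, not AV Arcade's own code: it decides the file type from the image bytes rather than the client-supplied name, re-encodes the picture through GD so any non-image bytes are dropped, and stores it under a server-chosen name with an allow-listed extension. The field name `image`, the function name and `$destDir` are assumptions for illustration.

```php
<?php
// Added example (not AV Arcade code): hardened handling for an admin-uploaded
// game image. Assumes $_FILES['image'] is the form field and $destDir is the
// games/images/ directory; both names are hypothetical.

function store_game_image(array $file, string $destDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }

    // Type comes from the bytes, never from $file['name'] or $file['type'].
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    $allowed = [
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_GIF  => 'gif',
    ];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('image type not allowed');
    }

    // Re-encode through GD: the original container (and anything appended
    // to it, such as script text after a valid image) is discarded.
    $img = imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // Server-chosen name: random, one allow-listed extension, no user input.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $path = rtrim($destDir, '/') . '/' . $name;

    if ($info[2] === IMAGETYPE_PNG) {
        $ok = imagepng($img, $path);
    } elseif ($info[2] === IMAGETYPE_JPEG) {
        $ok = imagejpeg($img, $path, 90);
    } else {
        $ok = imagegif($img, $path);
    }
    imagedestroy($img);

    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($path, 0644); // readable by the web server, not executable
    return $name;
}

// Usage (hypothetical form field):
// $stored = store_game_image($_FILES['image'], __DIR__ . '/../games/images');
```

Even with this in place, the games/images/ directory should not be allowed to execute scripts at all: on Apache, a `php_flag engine off` (or `RemoveHandler .php`) in that directory's configuration means a file that does slip through is served as static content rather than run. The same reasoning applies to the game file itself in step [4], which should be restricted to the archive or SWF types the application actually plays.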
2. Persistent XSS
XSS Defacing Script (Deface With Layer)
#Section : Game
[1] Login As Administrator.
[2] Go To http://your site//admin/?task=manage_games
[3] Click (+) Add A Game.
[4] Insert XSS Defacing Script Into These Fields : Description & How To Play.
[5] Insert Your Game, Pics, Etc.
[6] Submit.
[7] Go to your game, click “Game Name”.
#Section : Pages
[1] Login As Administrator.
[2] Go To http://your site//admin/index.php?task=manage_pages
[3] Click (+) Add A Page.
[4] Insert XSS Defacing Script Into Page Content.
[5] Submit.
[6] In The Page Manager Click “Edit” (pencil), Edit your desired page & click Submit.
[7] Go to your page, click “Page Name” or see The Page ID, Example Page ID = 2 Then Go to http://your site//page//.html
Or
http://your site//index.php?task=view_page&id=
#Section : News
[1] Login As Administrator.
[2] Go To http://your site//admin/index.php?task=manage_news
[3] Click (+) Add News.
[4] Insert XSS Defacing Script Into News Content.
[5] Submit.
[6] In The News Manager Click “Edit” (pencil), Edit your desired news & click Submit.
[7] Go to http://your site//task/allnews.html
#Section : Categories
[1] Login As Administrator.
[2] Go To http://your site//admin/?task=manage_categories
[3] Click (+) Add Category.
[4] Insert XSS Defacing Script Into Available Field.
[5] Submit.
[6] Refresh current page, voila!
[7] Go to http://your site//
#Section : Links
[1] Login As Administrator.
[2] Go To http://your site//admin/?task=manage_links
[3] Click (+) Add a Link.
[4] Insert XSS Defacing Script Into Description Field.
[5] Submit.
[6] Go to http://your site//task/links.html
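Every section above follows the same pattern: text typed into an admin form (game description and how-to-play, page content, news content, category fields, link description) is stored and later echoed into a public page without encoding, so it runs as markup in every visitor's browser. The fix is the same in each case as well: encode at output time, and send a Content-Security-Policy as a second layer. The following is an added example, not AV Arcade's own code; the `$game` array is a constructed stand-in for a row from the games table and the helper name `e()` is an assumption.

```php
<?php
// Added example (not AV Arcade code): render stored admin-entered text safely.
// Applies equally to game, page, news, category and link fields.

// Defense in depth: even if one template forgets to encode, inline script
// and off-site script sources are refused by a CSP-aware browser.
header("Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'");

/**
 * Encode a string for an HTML text or attribute context.
 * ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8
 * from silently producing an empty string.
 */
function e(?string $s): string
{
    return htmlspecialchars($s ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample record; in the application this would come from the database.
$game = [
    'name'        => 'Sample Game',
    'description' => '<b>Not</b> bold & "quoted" <script>void(0)</script>',
    'how_to_play' => 'Use the arrow keys',
];
?>
<h2><?= e($game['name']) ?></h2>
<p class="description"><?= e($game['description']) ?></p>
<p class="howto"><?= e($game['how_to_play']) ?></p>
<!-- The description renders literally as:
     &lt;b&gt;Not&lt;/b&gt; bold &amp; &quot;quoted&quot; &lt;script&gt;void(0)&lt;/script&gt;
     so the browser shows the tags as text instead of interpreting them. -->
```

If a field genuinely needs rich formatting (page content is the likely candidate), `htmlspecialchars` is the wrong tool because it strips all markup; sanitize such fields at save time with an allow-list HTML sanitizer (for example HTML Purifier) and still keep the CSP. Note also that, by design, all of these vectors require an administrator account, so the advisory's impact rests on the admin login itself: protecting the /admin/ path (strong credentials, rate limiting, and ideally a second factor) reduces the reachable attack surface for both the upload and the stored-XSS issues.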