binternationalbank.com Bank vulnerabilities /FDP/FileUpload/UserDisclosure
#1
Shield 
The bank does not pay me ... vulnerabilities

http://binternationalbank.com

http://www.banpluspr.com

Directory Exposed:

http://www.banpluspr.com/administrador/uploads/
http://binternationalbank.com/administrador/uploads/

admin panel:

http://www.banpluspr.com/administrador/
http://binternationalbank.com/administrador/

Full Path Disclosure:

/home/binternationalba/public_html/site/

cpanel user: binternationalba
default username: binternationalba

Full path FDP:

http://www.banpluspr.com/site/p_contenid...nth=9&year=``

Possible Blind Injection:

http://www.banpluspr.com/site/p_contenid...s=39&idc=2``

Arbitrary file upload:

http://www.banpluspr.com/administrador/c...?Connector=

http://www.banpluspr.com/administrador/c...&Connector=  add: editor/filemanager/connectors/php/config.php

good configuration:

<Connector>
<Error number="1" text="This connector is disabled. Please check the &quot;editor/filemanager/connectors/php/config.php&quot; file"/>
</Connector>

filebrowserBrowseUrl: 'ckeditor/filemanager/browser/default/browser.html?Connector=' + path + 'ckeditor/filemanager/connectors/php/connector.php',
filebrowserImageBrowseUrl: 'ckeditor/filemanager/browser/default/browser.html?Type=Image&Connector=' + path + 'ckeditor/filemanager/connectors/php/connector.php',
filebrowserFlashBrowseUrl: 'ckeditor/filemanager/browser/default/browser.html?Type=Flash&Connector=' + path + 'ckeditor/filemanager/connectors/php/connector.php',
filebrowserUploadUrl: path + 'ckeditor/filemanager/connectors/php/upload.php?Type=File',
filebrowserImageUploadUrl: path + 'ckeditor/filemanager/connectors/php/upload.php?Type=Image',
filebrowserFlashUploadUrl: path + 'ckeditor/filemanager/connectors/php/upload.php?Type=Flash',

Disclosure directory:

home/httpd/html/maes/sites/default/files/ficheros/file/" (mkdir(): open_basedir restriction in effect. File(/home) is not within the allowed path(s): (/dev/urandom:/home/httpd/html/alojamientos/maes))
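An added example, not code from the post above nor from FCKeditor/CKEditor: Python helpers for triaging the two kinds of finding listed, a filemanager connector that may be reachable and PHP warnings that leak filesystem paths. It assumes the FCKeditor 2.x PHP connector protocol (Command, Type and CurrentFolder query parameters, a <Connector> XML reply carrying <Error number="1"> when config.php has $Config['Enabled'] = false); the hostname, the sample replies and the sample warning are constructed here, not captured from the sites named in the post.

```python
"""Triage helpers for an FCKeditor-style filemanager connector and for PHP
warnings that disclose paths. Added example; samples below are constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def connector_probe_url(connector_url, resource_type="File"):
    """Build a read-only GetFolders request for a connector.php URL.

    GetFolders only lists a directory, which is enough to tell whether the
    connector answers at all without uploading anything.
    """
    query = urlencode({"Command": "GetFolders",
                       "Type": resource_type,
                       "CurrentFolder": "/"})
    sep = "&" if "?" in connector_url else "?"
    return f"{connector_url}{sep}{query}"


_ERR_RE = re.compile(r'<Error\s+number="(\d+)"')


def classify_connector(body):
    """Classify a connector reply.

    'disabled' : <Error number="1">, i.e. config.php has $Config['Enabled'] = false
    'enabled'  : a <Connector> document without <Error>, a listing was served
    'error'    : any other <Error number="N">
    'unknown'  : not a connector reply (404 page, HTML, empty body)
    """
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        # The disabled message contains double quotes; a paste (or a connector
        # that does not escape them) gives XML that fails to parse, as in the
        # post above. Fall back to a regex on the Error element.
        m = _ERR_RE.search(body)
        if m and "<Connector" in body:
            return "disabled" if m.group(1) == "1" else "error"
        return "unknown"
    if root.tag != "Connector":
        return "unknown"
    err = root.find("Error")
    if err is None:
        return "enabled"
    return "disabled" if err.get("number") == "1" else "error"


# Absolute paths: "/seg/seg" not preceded by a word char or another slash
# (so "and/or" is skipped); ')' ':' and whitespace terminate a path.
_PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.-]+/)*[\w.-]+/?")


def leaked_paths(error_text):
    """Return the absolute filesystem paths disclosed by a PHP warning, in order."""
    paths = []
    for m in _PATH_RE.finditer(error_text):
        p = m.group(0)
        if p not in paths:
            paths.append(p)
    return paths


# Constructed samples (not captured from the hosts in the post).
DISABLED_REPLY = ('<?xml version="1.0" encoding="utf-8" ?>'
                  '<Connector command="GetFolders" resourceType="File">'
                  '<Error number="1" text="This connector is disabled. Please check the '
                  '&quot;editor/filemanager/connectors/php/config.php&quot; file" />'
                  '</Connector>')
ENABLED_REPLY = ('<?xml version="1.0" encoding="utf-8" ?>'
                 '<Connector command="GetFolders" resourceType="File">'
                 '<CurrentFolder path="/" url="/userfiles/file/" />'
                 '<Folders><Folder name="images" /><Folder name="docs" /></Folders>'
                 '</Connector>')
# Same reply with the inner quotes left unescaped, as it appears pasted above.
UNESCAPED_DISABLED_REPLY = DISABLED_REPLY.replace("&quot;", '"')
OPEN_BASEDIR_WARNING = ("mkdir(): open_basedir restriction in effect. File(/home) is not "
                        "within the allowed path(s): (/dev/urandom:/home/httpd/html/alojamientos/maes)")

if __name__ == "__main__":
    # Hostname is a placeholder, not one of the sites in the post.
    url = connector_probe_url(
        "http://bank.example/administrador/ckeditor/filemanager/connectors/php/connector.php")
    print(url)
    for name, reply in [("disabled", DISABLED_REPLY), ("enabled", ENABLED_REPLY),
                        ("unescaped", UNESCAPED_DISABLED_REPLY),
                        ("404", "<html>Not Found</html>")]:
        print(f"{name:10s} -> {classify_connector(reply)}")
    print(leaked_paths(OPEN_BASEDIR_WARNING))
```

A 'disabled' result is the state the post calls "good configuration". In FCKeditor's PHP connector the upload.php endpoints listed in the CKEditor config read the same config.php flag, so an 'enabled' listing usually means uploads are accepted too and the file-type allow/deny lists in that config.php are what stands between the editor and a webshell. The path extractor is only a regex over error text; it recovers the document root and open_basedir list from the warning but says nothing about what is reachable there.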
#2
(11-15-2017, 04:48 PM)securityteam Wrote:  the bank does not pay me .. vulnerabilities [...]

Don't host this directly on RaidForums. Please put it on a hastebin or something so your post isn't removed.