Posts: 103
Threads: 8
Joined: May 2013
Securing the WordPress login page behind a "404 Not Found" page; the concept is actually the same as in the WSO and 1n73ction webshells. So, when the login page is first opened, it shows "404 Not Found". But if you press Tab and type the password, the real WordPress login page appears. OK, no chit-chat, straight to the point.
PHP Code:
<?php
error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));

// authentication
$auth_pass = "e25b9a5d4b937a9853d1f5bbd8d51ef4"; // your password as an MD5 hash
$color = "#00ff00";
$default_action = 'FilesMan';
@define('SELF_PATH', __FILE__);

// Anything identifying itself as Google gets a real 404 so the page is not indexed.
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Google') !== false) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

@session_start();
@error_reporting(0);
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);
// magic_quotes functions were removed in PHP 7/8; guard them so the file still loads there
if (function_exists('set_magic_quotes_runtime')) @set_magic_quotes_runtime(0);
@define('VERSION', '2.1');

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    function stripslashes_array($array) {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }
    $_POST = stripslashes_array($_POST);
}

// Fake 404 page with an invisible password field (white input on a white background).
function printLogin() {
?>
<title>404 Not Found</title>
<h1>404 Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server <?=$_SERVER['HTTP_HOST']?> at Port 80</address>
<style> input { margin:0;background-color:#fff;border:1px solid #fff; } </style>
<pre align=center>
<form method=post>
<input type=password name=pass>
</form></pre>
<?php
    exit;
}

// Gate: without a session flag, accept the password (or let everyone in when $auth_pass is empty),
// otherwise show the fake 404 page and stop.
if (!isset($_SESSION[md5($_SERVER['HTTP_HOST'])])) {
    if (empty($auth_pass) || (isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))) {
        $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
    } else {
        printLogin();
    }
}

// Leftover WSO environment setup (OS detection, working directory); not needed for the gate itself.
if (strtolower(substr(PHP_OS, 0, 3)) == "win") $os = 'win'; else $os = 'nix';
$safe_mode = @ini_get('safe_mode');
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
if (isset($_POST['c'])) @chdir($_POST['c']);
$cwd = @getcwd();
if ($os == 'win') {
    $home_cwd = str_replace("\\", "/", $home_cwd);
    $cwd = str_replace("\\", "/", $cwd);
}
if ($cwd[strlen($cwd) - 1] != '/') $cwd .= '/';
if ($os == 'win') $aliases = array(
);
else $aliases = array(
);
The code above is the PHP for the "404 Not Found" login function. Next, copy and paste it into wp-login.php, replacing that file's opening <?php tag with the script above. The file then looks like this.
PHP Code:
<?php
error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));

// authentication
$auth_pass = "eab5e609f5291654e2ceb84ff6c9556a"; // your password as an MD5 hash
$color = "#00ff00";
$default_action = 'FilesMan';
@define('SELF_PATH', __FILE__);

// Anything identifying itself as Google gets a real 404 so the page is not indexed.
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Google') !== false) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

@session_start();
@error_reporting(0);
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);
// magic_quotes functions were removed in PHP 7/8; guard them so the file still loads there
if (function_exists('set_magic_quotes_runtime')) @set_magic_quotes_runtime(0);
@define('VERSION', '2.1');

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    function stripslashes_array($array) {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }
    $_POST = stripslashes_array($_POST);
}

// Fake 404 page with an invisible password field (white input on a white background).
function printLogin() {
?>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server <?=$_SERVER['HTTP_HOST']?> at Port 80</address>
<style> input { margin:0;background-color:#fff;border:1px solid #fff; } </style>
<pre align=center>
<form method=post>
<input type=password name=pass>
</form></pre>
<?php
    exit;
}

// Gate: without a session flag, accept the password (or let everyone in when $auth_pass is empty),
// otherwise show the fake 404 page and stop.
if (!isset($_SESSION[md5($_SERVER['HTTP_HOST'])])) {
    if (empty($auth_pass) || (isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))) {
        $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
    } else {
        printLogin();
    }
}

// Leftover WSO environment setup (OS detection, working directory); not needed for the gate itself.
if (strtolower(substr(PHP_OS, 0, 3)) == "win") $os = 'win'; else $os = 'nix';
$safe_mode = @ini_get('safe_mode');
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
if (isset($_POST['c'])) @chdir($_POST['c']);
$cwd = @getcwd();
if ($os == 'win') {
    $home_cwd = str_replace("\\", "/", $home_cwd);
    $cwd = str_replace("\\", "/", $cwd);
}
if ($cwd[strlen($cwd) - 1] != '/') $cwd .= '/';
if ($os == 'win') $aliases = array(
);
else $aliases = array(
);

/**
 * WordPress User Page
 *
 * Handles authentication, registering, resetting passwords, forgot password,
 * and other user handling.
 *
 * @package WordPress
 */
(the rest of the wp-login.php script continues here, unchanged, down to its last lines)
<?php login_footer(); break; } // end action switch
For a demo:
http://xnetwork.p.ht/wp-login.php
password = canyouguessit
If you cannot bear the fatigue of learning, you will have to bear the pain of ignorance (Imam Syafii)
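A hardened version of the same gate, added here as an example; it is not part of dharaninja's post, of WSO, or of WordPress. It keeps the idea (unauthenticated visitors get a 404 page with an invisible password field, and the block is prepended to wp-login.php) but replaces the webshell-derived pieces: the stored secret is a bcrypt hash checked with password_verify() instead of md5($_POST['pass']) == $auth_pass (MD5 is fast to brute-force, and == is PHP's loose comparison, which misbehaves when the stored hash happens to be of the form 0e followed by digits); every unauthenticated visitor gets a real 404 status, not only the "Google" user agent, because a 200 response carrying a 404-looking body is exactly what login-page scanners key on; the session id is regenerated on success; and a missing or placeholder hash fails closed instead of letting everyone in as the original does when $auth_pass is empty. Assumptions: PHP 7.3 or later, cookie-based sessions, and the GATE_HASH value is a placeholder that you generate yourself with the one-liner in the comment.

```php
<?php
// Added example, not the original post's code: hardened "404" gate for the top of wp-login.php.
// Assumes PHP >= 7.3 and cookie sessions. GATE_HASH is a PLACEHOLDER: generate your own with
//   php -r 'echo password_hash("your-gate-password", PASSWORD_DEFAULT), PHP_EOL;'
// and paste the resulting $2y$... string in. Never put the plaintext password in this file.

const GATE_HASH           = '$2y$10$REPLACE_ME_WITH_YOUR_OWN_BCRYPT_HASH';
const GATE_SESSION        = 'wp_gate_ok';
const GATE_FAIL_DELAY_SEC = 2;   // crude slowdown for wrong guesses; real lockout belongs in front of Apache

function gate_send_404(): void
{
    // Real 404 status for every unauthenticated request, not just the "Google" user agent.
    header(($_SERVER['SERVER_PROTOCOL'] ?? 'HTTP/1.1') . ' 404 Not Found');
    header('Content-Type: text/html; charset=utf-8');
    header('X-Robots-Tag: noindex');
    $host = htmlspecialchars($_SERVER['HTTP_HOST'] ?? '', ENT_QUOTES, 'UTF-8'); // escaped, unlike <?=$_SERVER['HTTP_HOST']?>
    echo "<!DOCTYPE html>\n<html><head><title>404 Not Found</title>\n";
    // The field is invisible, as in the original: white input on white, reached with Tab.
    echo "<style>input{margin:0;background:#fff;border:1px solid #fff;color:#fff}</style>\n";
    echo "</head><body>\n<h1>Not Found</h1>\n";
    echo "<p>The requested URL was not found on this server.</p>\n<hr>\n";
    echo "<address>Apache Server at {$host} Port 443</address>\n";
    echo "<form method=\"post\" autocomplete=\"off\"><input type=\"password\" name=\"pass\"></form>\n";
    echo "</body></html>\n";
    exit;
}

function gate_password_ok(string $submitted): bool
{
    // Fail closed while the placeholder is still in place (the original lets everyone in when $auth_pass is empty).
    if (strpos(GATE_HASH, 'REPLACE_ME') !== false) {
        return false;
    }
    // bcrypt with a constant-time compare instead of md5($x) == $hash.
    return password_verify($submitted, GATE_HASH);
}

function gate_check(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', // only over TLS when TLS is on
            'samesite' => 'Strict',
        ]);
        session_start();
    }
    if (!empty($_SESSION[GATE_SESSION])) {
        return;                                   // already through the gate; WordPress runs normally
    }
    $submitted = $_POST['pass'] ?? null;
    if (is_string($submitted) && gate_password_ok($submitted)) {
        session_regenerate_id(true);              // no session fixation across the privilege change
        $_SESSION[GATE_SESSION] = true;
        // Reload as GET so the gate's POST body never reaches WordPress' own form handling.
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
        exit;
    }
    if ($submitted !== null) {
        sleep(GATE_FAIL_DELAY_SEC);               // wrong guess
    }
    gate_send_404();
}

gate_check();
// ... the original wp-login.php follows unchanged from here ...
```

Drop the block in place of the WSO-derived one at the top of wp-login.php and keep the rest of the file untouched. What it still does not do: it is a second password in front of the login page, not a fix for weak WordPress credentials; it does not cover xmlrpc.php or the REST API, which accept credentials on their own and need their own restriction; and the sleep() on failure only slows a brute-force attempt while tying up a PHP worker, so proper lockout should come from fail2ban or a WAF in front of Apache.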
Posts: 314
Threads: 41
Joined: Aug 2012
If I'm not mistaken, this method is usually used by shell injectors, the 404 one, right bro? And also the "bejak" shell that bro @james0baster once shared.. thanks for sharing it here, bro :v
Posts: 103
Threads: 8
Joined: May 2013
(07-24-2013, 12:54 AM)ino_ot Wrote: If I'm not mistaken, this method is usually used by shell injectors, the 404 one, right bro? And also the "bejak" shell that bro @james0baster once shared.. thanks for sharing it here, bro :v
You're welcome, bro.
Posts: 66
Threads: 7
Joined: May 2013
How do you use the demo? I press Tab and nothing changes?
Posts: 808
Threads: 44
Joined: Jul 2011
Great stuff bro, mind if I study it?
Posts: 103
Threads: 8
Joined: May 2013
(07-25-2013, 04:09 PM)wonosableng Wrote: How do you use the demo? I press Tab and nothing changes?
What do you mean, nothing changes?
The password field is right below the "Apache ... Server" line.
(07-25-2013, 05:38 PM)koecroet Wrote: Great stuff bro, mind if I study it?
Go ahead.
(This post was last modified: 07-27-2013, 01:21 PM by dharaninja.)
Posts: 2,063
Threads: 95
Joined: Jun 2011
(07-24-2013, 12:44 AM)dharaninja Wrote: Securing the WordPress login page behind a "404 Not Found" page; the concept is actually the same as in the WSO and 1n73ction webshells. So, when the login page is first opened, it shows "404 Not Found". But if you press Tab and type the password, the real WordPress login page appears. OK, no chit-chat, straight to the point.
nice share..
Posts: 700
Threads: 45
Joined: Nov 2012
Using .htaccess works too, bro; it's even more efficient, and you can restrict it to specific IPs..
but nice share
Don't feed on your friends' bones | Kurawa |
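What the .htaccess approach from the reply above looks like in practice, as an added example (not from the reply, not from WordPress). It assumes Apache 2.4 with mod_authz_core, AllowOverride enabled for the WordPress root and wp-admin/ directories, and the placeholder addresses 203.0.113.0/24 and 198.51.100.7 replaced with your own. The check runs in Apache before PHP starts, so wp-login.php never executes for an unlisted client, which is why it is cheaper than the PHP gate.

```apache
# Added example, not from the post. WordPress root: .htaccess
# Only the listed addresses may reach the login script; everyone else gets 403.
# Several Require lines in one section are OR'ed together.
<Files "wp-login.php">
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</Files>

# Also block the other credential-accepting endpoint that the login gate never sees.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

For wp-admin/ the same allowlist goes into wp-admin/.htaccess, with one exception: admin-ajax.php is called from the public front end by themes and plugins and must stay open. With the default AuthMerging Off, the Require inside the <Files> section replaces the directory-level one rather than combining with it:

```apache
# Added example, not from the post. wp-admin/.htaccess
Require ip 203.0.113.0/24 198.51.100.7

<Files "admin-ajax.php">
    Require all granted
</Files>
```

Two caveats before relying on it: on Apache 2.2 the equivalent is Order deny,allow / Deny from all / Allow from <ip> (the Require ip syntax only exists from 2.4), and behind a reverse proxy or CDN the client address Apache sees is the proxy's, so mod_remoteip (RemoteIPHeader X-Forwarded-For with a trusted proxy list) has to be configured first or the allowlist matches the wrong address.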
Posts: 2,063
Threads: 95
Joined: Jun 2011
Posts: 700
Threads: 45
Joined: Nov 2012
(07-27-2013, 10:02 PM)junior.riau18 Wrote: What about this one :/
Is it secure enough already? :/
/wp-admin/
Oh, bro juni is being modest here -__________-