HanYazilim Paper Submission System .NET 1.0 Shell Upload

2019.02.25
Risk: High
Local: No
Remote: Yes
CVE: N/A

#################################################################################

# Exploit Title : HanYazilim Paper Submission System .NET v1.0 Privilege Escalation / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/02/2019
# Vendor Homepage : hanyazilim.com
# Software Information Link : hanyazilim.com/hakemlimakaletakipsistemi.pdf
  videolar.hanyazilim.com
# CKEditor Simogeo Download : github.com/simogeo/ckeditor-adv_link/archive/master.zip
# Software Version : 1.0
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Types :
  CWE-266: Incorrect Privilege Assignment
  CWE-269: Improper Privilege Management
  CWE-284: Improper Access Control
  CWE-250: Execution with Unnecessary Privileges
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

#################################################################################

# Description about Software :
***************************
HanYazilim Makale Takip Sistemi .NET v1.0 is Turkish software for tracking articles and journals, used by Turkish university faculties.

#################################################################################

# Impact and Consequences :
****************************
* This Software [ Product ] HanYazilim Makale Takip Sistemi .NET v1.0 incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
* The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
* The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
* The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

#################################################################################

# Vulnerable Source Code : [ uyelikbilgilerim.aspx ]
*********************************************
<%@ Page Language="C#" MasterPageFile="~/Uye.master" AutoEventWireup="true" CodeFile="UyelikBilgilerim.aspx.cs" Inherits="UyelikBilgilerim" Title="Untitled Page" culture="auto" meta:resourcekey="PageResource1" uiculture="auto" %>

<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
    <style type="text/css">
        .style1 { width: 801px; height: 70px; }
        .style7 { width: 135px; }
        .style351 { color: #FF0000; }
        .style357 { width: 135px; height: 28px; }
        .style358 { width: 1200px; height: 28px; }
    </style>
    <link href="images/mainstyle.css" rel="stylesheet" type="text/css" />
</asp:Content>

<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
    <table class="tablosayfaadi">
        <tr>
            <td class="tablosayfayazi">
                <asp:Label ID="Label1" runat="server" Text="Uye Detay/Member Details" meta:resourcekey="Label1Resource1"></asp:Label></td>
        </tr>
    </table>
    <table class="style1">
        <tr>
            <td class="style7"> &nbsp;</td>
            <td class="style6">
                <asp:Label ID="Label4" runat="server" CssClass="style351" Text="Label" Visible="False" meta:resourcekey="Label4Resource1"></asp:Label>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label2" runat="server" Text="Adı Soyadı" meta:resourcekey="Label2Resource1"></asp:Label>
            </td>
            <td class="style6">
                <asp:TextBox ID="TextBox1" runat="server" Width="290px" meta:resourcekey="TextBox1Resource1"></asp:TextBox>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server" ControlToValidate="TextBox1" ErrorMessage="*" meta:resourcekey="RequiredFieldValidator1Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label5" runat="server" Text="Unvan /Title" meta:resourcekey="Label5Resource1"></asp:Label></td>
            <td class="style8">
                <asp:DropDownList ID="DropDownList2" runat="server" meta:resourcekey="DropDownList2Resource1">
                    <asp:ListItem Value="1" meta:resourcekey="ListItemResource1">Araştırma Görevlisi</asp:ListItem>
                    <asp:ListItem Value="2" meta:resourcekey="ListItemResource2">Doktor</asp:ListItem>
                    <asp:ListItem Value="3" meta:resourcekey="ListItemResource3">Yrd.Doçent</asp:ListItem>
                    <asp:ListItem Value="4" meta:resourcekey="ListItemResource4">Doç. Dr.</asp:ListItem>
                    <asp:ListItem Value="5" meta:resourcekey="ListItemResource5">Prof. Dr.</asp:ListItem>
                    <asp:ListItem Value="6" meta:resourcekey="ListItemResource6">Diğer</asp:ListItem>
                </asp:DropDownList>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator10" runat="server" ControlToValidate="DropDownList2" ErrorMessage="*" InitialValue="0" meta:resourcekey="RequiredFieldValidator10Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label6" runat="server" Text="E-Posta /Email" meta:resourcekey="Label6Resource1"></asp:Label>
            </td>
            <td class="style6">
                <asp:TextBox ID="TextBox3" runat="server" Width="290px" ReadOnly="True" meta:resourcekey="TextBox3Resource1"></asp:TextBox>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator3" runat="server" ControlToValidate="TextBox3" ErrorMessage="*" meta:resourcekey="RequiredFieldValidator3Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style357">
                <asp:Label ID="Label7" runat="server" Text="Parola /Password" meta:resourcekey="Label7Resource1"></asp:Label>
            </td>
            <td class="style358">
                <asp:TextBox ID="TextBox4" runat="server" Width="290px" meta:resourcekey="TextBox4Resource1"></asp:TextBox>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator4" runat="server" ControlToValidate="TextBox4" ErrorMessage="*" meta:resourcekey="RequiredFieldValidator4Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label8" runat="server" Text="İş Telefonu /Office Telephone" meta:resourcekey="Label8Resource1"></asp:Label>
            </td>
            <td class="style6">
                <asp:TextBox ID="TextBox5" runat="server" Width="290px" meta:resourcekey="TextBox5Resource1"></asp:TextBox>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label9" runat="server" Text="Cep Telefonu /GSM" meta:resourcekey="Label9Resource1"></asp:Label>
            </td>
            <td class="style6">
                <asp:TextBox ID="TextBox6" runat="server" Width="290px" meta:resourcekey="TextBox6Resource1"></asp:TextBox>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator12" runat="server" ControlToValidate="TextBox6" ErrorMessage="*" meta:resourcekey="RequiredFieldValidator12Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label10" runat="server" Text="Adresi /Address" meta:resourcekey="Label10Resource1"></asp:Label>
            </td>
            <td class="style6">
                <asp:TextBox ID="TextBox7" runat="server" Width="290px" meta:resourcekey="TextBox7Resource1"></asp:TextBox>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator9" runat="server" ControlToValidate="TextBox7" ErrorMessage="*" meta:resourcekey="RequiredFieldValidator9Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label11" runat="server" Text="Kurumu /Institution" meta:resourcekey="Label11Resource1"></asp:Label></td>
            <td class="style6">
                <asp:TextBox ID="TextBox8" runat="server" Width="290px" meta:resourcekey="TextBox8Resource1"></asp:TextBox>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator6" runat="server" ControlToValidate="TextBox8" ErrorMessage="*" meta:resourcekey="RequiredFieldValidator6Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label12" runat="server" Text="Görevi /Task" meta:resourcekey="Label12Resource1"></asp:Label></td>
            <td class="style6">
                <asp:TextBox ID="Gorevi" runat="server" Width="290px" meta:resourcekey="GoreviResource1"></asp:TextBox>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator13" runat="server" ControlToValidate="Gorevi" ErrorMessage="*" meta:resourcekey="RequiredFieldValidator13Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label13" runat="server" Text="Alanı /Field" meta:resourcekey="Label13Resource1"></asp:Label></td>
            <td class="style6">
                <asp:TextBox ID="Alani" runat="server" Width="290px" meta:resourcekey="AlaniResource1"></asp:TextBox>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator7" runat="server" ControlToValidate="Alani" ErrorMessage="*" meta:resourcekey="RequiredFieldValidator7Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label14" runat="server" Text="Kısa Özgeçmiş /Short Biography" meta:resourcekey="Label14Resource1"></asp:Label></td>
            <td class="style6">
                <asp:TextBox ID="TextBox10" runat="server" Height="69px" TextMode="MultiLine" Width="290px" meta:resourcekey="TextBox10Resource1"></asp:TextBox>
                <asp:RequiredFieldValidator ID="RequiredFieldValidator8" runat="server" ControlToValidate="TextBox10" ErrorMessage="*" meta:resourcekey="RequiredFieldValidator8Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label15" runat="server" Text="Profil Fotografı /Profile Photo" meta:resourcekey="Label15Resource1"></asp:Label>
            </td>
            <td class="style6" valign="middle">
                <asp:Image ID="Image1" runat="server" Height="75px" Width="75px" meta:resourcekey="Image1Resource1" />
            </td>
        </tr>
        <tr>
            <td class="style7"> &nbsp;</td>
            <td class="style6">
                <%-- Profile photo upload: the only validator bound to FileUpload1 is a RequiredFieldValidator; the markup has no file-type check. --%>
                <asp:CheckBox ID="CheckBox2" runat="server" AutoPostBack="True" oncheckedchanged="CheckBox2_CheckedChanged" Text="Üyelik Resmini Değiştir /Change Profile Photo" meta:resourcekey="CheckBox2Resource1" />
                <asp:FileUpload ID="FileUpload1" runat="server" Visible="False" meta:resourcekey="FileUpload1Resource1" />
                <asp:RequiredFieldValidator ID="RequiredFieldValidator11" runat="server" ControlToValidate="FileUpload1" ErrorMessage="*" Visible="False" meta:resourcekey="RequiredFieldValidator11Resource1"></asp:RequiredFieldValidator>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label16" runat="server" Text="Üyelik Tipi /Membership Type" meta:resourcekey="Label16Resource1"></asp:Label>
            </td>
            <td class="style6">
                <%-- Membership type and membership status are rendered as editable controls on the member's own profile page. --%>
                <asp:DropDownList ID="DropDownList1" runat="server" meta:resourcekey="DropDownList1Resource1">
                    <asp:ListItem Value="1" meta:resourcekey="ListItemResource7">Yazar</asp:ListItem>
                    <asp:ListItem Value="2" meta:resourcekey="ListItemResource8">Hakem</asp:ListItem>
                    <asp:ListItem Value="3" meta:resourcekey="ListItemResource9">Editör</asp:ListItem>
                </asp:DropDownList>
            </td>
        </tr>
        <tr>
            <td class="style7">
                <asp:Label ID="Label17" runat="server" Text="Üyelik Durumu /Membership Status" meta:resourcekey="Label17Resource1"></asp:Label></td>
            <td class="style6">
                <asp:CheckBox ID="CheckBox1" runat="server" meta:resourcekey="CheckBox1Resource1" />
            </td>
        </tr>
        <tr>
            <td class="style7"> &nbsp;<asp:Label ID="Label18" runat="server" Text="Güvenlik Kodu" meta:resourcekey="Label18Resource1"></asp:Label></td>
            <td class="style6">
                <asp:TextBox ID="TextBox11" runat="server" meta:resourcekey="TextBox11Resource1"></asp:TextBox>
            </td>
        </tr>
        <tr>
            <td class="style7"> &nbsp;</td>
            <td class="style6">
                <img src="GuvenlikKodu.aspx">&nbsp;<asp:Label ID="lblDusunceler" runat="server" Visible="False" meta:resourcekey="lblDusuncelerResource1"></asp:Label>
            </td>
        </tr>
        <tr>
            <td class="style7"> &nbsp;</td>
            <td class="style6">
                <asp:Button ID="Button1" runat="server" Text="Değiştir /Change" Height="26px" onclick="Button1_Click1" meta:resourcekey="Button1Resource1" />
            </td>
        </tr>
        <tr>
            <td class="style7"> &nbsp;</td>
            <td class="style6">
                <asp:Label ID="Label3" runat="server" Text="Label" Visible="False" meta:resourcekey="Label3Resource1"></asp:Label>
            </td>
        </tr>
        <tr>
            <td class="style7"> &nbsp;</td>
            <td class="style6"> &nbsp;</td>
        </tr>
    </table>
    <table class="tablosayfaadi">
        <tr>
            <td class="tablosayfayazi"> &nbsp;</td>
        </tr>
    </table>
</asp:Content>

#################################################################################

# Privilege Escalation Exploit :
***************************
# Usage :
*********
# Register yourself as Author => [ Yazar ] account. [ New Admin ]
# Register with a random e-mail address and choose Professor Doctor.
# Put password for your account.
# Fill in all the blanks. Enter the captchas.

/YeniUyelik.aspx

# After successful registration => it says =>
Your registration has been completed successfully. Now you can login to the web site with your username and password.

# Admin Panel Login Path :
************************
/Hata.aspx?Mesaj=3

# Usable Author Control Links :
****************************
/UyeTumMakaleler.aspx?Mesaj=2
/UyeTumMakaleler.aspx?Goster=0
/UyeYayinlanacaklarDefault.aspx?Goster=4
/Arama.aspx
/MakaleGonder.aspx
/Mesajlar.aspx
/GonderilenMesajlar.aspx
/MesajGonder.aspx

Exploitation =>
**************
/ckeditor/plugins/simogeo/Browser.aspx
/UyelikBilgilerim.aspx

It says in Turkish Language : Üyelik Resmini Değiştir. [ Change your Membership picture ]

Choose your .php file to upload from My Profile Photo.

Shell Uploaded Successfully.

Directory File Path :
******************
/UyeResimleri/[RANDOM-NUMBER]_[yourshellnamehere].php

#################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################
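
Added example (not part of the original advisory and not the vendor's code): a server-side check of the kind the profile-photo upload described above would need, rejecting anything that is not an allowlisted image and never reusing the client-supplied file name. ProfilePhotoValidator, TryGetSafeName and the 2 MB limit are hypothetical names and values chosen for illustration; the sample byte arrays are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

// Added example: server-side validation for a profile-photo upload.
public static class ProfilePhotoValidator
{
    private const int MaxBytes = 2 * 1024 * 1024; // assumed size limit

    // Allowed extension -> leading bytes the file content must start with.
    private static readonly Dictionary<string, byte[]> Signatures =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".jpeg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
            { ".gif",  new byte[] { 0x47, 0x49, 0x46, 0x38 } }
        };

    // Returns a server-generated file name, or null when the upload is rejected.
    public static string TryGetSafeName(string clientFileName, byte[] content)
    {
        if (string.IsNullOrEmpty(clientFileName) || content == null) return null;
        if (content.Length == 0 || content.Length > MaxBytes) return null;

        // The client name is used only to read its extension as an allowlist key.
        string ext;
        try { ext = Path.GetExtension(clientFileName); }
        catch (ArgumentException) { return null; } // invalid path characters

        byte[] magic;
        if (!Signatures.TryGetValue(ext, out magic)) return null; // .php, .aspx, no extension
        if (!content.Take(magic.Length).SequenceEqual(magic)) return null; // content is not that image type

        // The stored name contains no client-supplied text.
        return Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
    }

    public static void Main()
    {
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00 }; // constructed sample
        byte[] script = Encoding.ASCII.GetBytes("<?php /* constructed sample */ ?>");
        Console.WriteLine("PNG bytes, .png name: " + (TryGetSafeName("photo.png", png) != null));
        Console.WriteLine("script bytes, .php name: " + (TryGetSafeName("photo.php", script) != null));
        Console.WriteLine("script bytes, .png name: " + (TryGetSafeName("photo.png", script) != null));
    }
}
```

Independently of this check, the upload directory should be served as static content only, with script handlers disabled for it.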



Copyright 2019, cxsecurity.com

 
