Pendaftaran Kontributor Indonesian sites BUG File Upload Vulnerability + Add Berita

2019.06.10
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

[+]Exploit Title: Pendaftaran Kontributor Indonesian sites BUG File Upload Vulnerability + Add Berita Vulnerability [+]Author: Negat1ve - negat1ve137.root@gmail.com [+]Team: -1 and Electronic Thunderbolt Team [+]Goolge Dork: inurl:kontributor Allowed File : gif, jpg, png, jpeg [+]Tested on: Windows 10 x64 ======================================= [+]Proof Of Concept: Find website with the dork The vulnerability will shown at "Foto" with Allowed File : gif, jpg, png, jpeg You can Register with any data, no need to use a life email because no need to verification, you can bypass extension on the "Upload Form" on the "Foto" Upload file Once you are success for registering, you will redirected to https://site.com/administrator/home And youll find any menu and just be visible "Berita" menu there, you can add Berita or you can Upload your files in Edit Profile Proof: 1. example site http://kaltara.bawaslu.go.id/kontributor 2. fill all form, and i put lover.jpg on the "Foto" form 3. your file going through here http://kaltara.bawaslu.go.id/asset/foto_user/loser.jpg 4. and you redirect to http://kaltara.bawaslu.go.id/administrator/home 5. You can add a news/berita in http://kaltara.bawaslu.go.id/administrator/listberita 6. and you can upload your files in http://kaltara.bawaslu.go.id/administrator/edit_manajemenuser/Dashaaaa NB: Bypassing file extension is possible because i tried for upload php mini shell and its working Demo sites: http://kaltara.bawaslu.go.id/kontributor http://dikpora.jogjaprov.go.id/web/kontributor https://zeroninesaranamedia.com/kontributor http://uptb.bkpsdm.lubuklinggaukota.go.id/kontributor http://www.apaot-polresttu.com/kontributor Ton off websites is available by dorks


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top