#################################################################################
# Exploit Title : HanYazilim Paper Submission System .NET v1.0 Privilege Escalation / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/02/2019
# Vendor Homepage : hanyazilim.com
# Software Information Link : hanyazilim.com/hakemlimakaletakipsistemi.pdf
videolar.hanyazilim.com
# CKEditor Simogeo Download :
github.com/simogeo/ckeditor-adv_link/archive/master.zip
# Software Version : 1.0
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Types :
CWE-266: Incorrect Privilege Assignment
CWE-269: Improper Privilege Management
CWE-284: Improper Access Control
CWE-250: Execution with Unnecessary Privileges
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
#################################################################################
# Description about Software :
***************************
HanYazilim Makale Takip Sistemi .NET v1.0 is a Turkish article (paper) and journal
tracking system used by Turkish university faculties.
#################################################################################
# Impact and Consequences :
****************************
* This Software [ Product ] HanYazilim Makale Takip Sistemi .NET v1.0 incorrectly assigns
a privilege to a particular actor, creating an unintended sphere of control for that actor.
* The software does not restrict or incorrectly restricts access to a resource from an
unauthorized actor.
* The software performs an operation at a privilege level that is higher than the minimum
level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
* The software does not properly assign, modify, track, or check privileges for an actor,
creating an unintended sphere of control for that actor.
#################################################################################
# Vulnerable Source Code : [ uyelikbilgilerim.aspx ]
*********************************************
<%@ Page Language="C#" MasterPageFile="~/Uye.master" AutoEventWireup="true"
CodeFile="UyelikBilgilerim.aspx.cs" Inherits="UyelikBilgilerim"
Title="Untitled Page" culture="auto" meta:resourcekey="PageResource1"
uiculture="auto" %>
#################################################################################
# Privilege Escalation Exploit :
***************************
# Usage :
*********
# Register yourself as Author => [ Yazar ] account. [ New Admin ]
# Registration with random e-mail address and choose Professor Doctor.
# Put password for your account.
# Fill All the Blanks. Enter Captchas.
/YeniUyelik.aspx
# After Successful Registration => it says =>
Your registration has been completed successfully.
Now you can login to the web site with your username and password.
# Admin Panel Login Path :
************************
/Hata.aspx?Mesaj=3
# Usable Author Control Links :
****************************
/UyeTumMakaleler.aspx?Mesaj=2
/UyeTumMakaleler.aspx?Goster=0
/UyeYayinlanacaklarDefault.aspx?Goster=4
/Arama.aspx
/MakaleGonder.aspx
/Mesajlar.aspx
/GonderilenMesajlar.aspx
/MesajGonder.aspx
Exploitation =>
**************
/ckeditor/plugins/simogeo/Browser.aspx
/UyelikBilgilerim.aspx
It says in Turkish :
Üyelik Resmini Değiştir. [ Change your Membership picture ]
Choose your .php file to upload from My Profile Photo.
Shell Uploaded Successfully.
Directory File Path :
******************
/UyeResimleri/[RANDOM-NUMBER]_[yourshellnamehere].php
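From the defender's side, the two facts above that matter are that profile pictures are written under /UyeResimleri/ and that the file keeps the uploader's extension, so a server-side script under that directory is the signature of a successful upload. The following detection script is an added example written for this page; it is not part of the advisory and not the vendor's code. It assumes a simplified, constructed access-log format (`date time client-ip method uri status`), an allowlist of image extensions that a profile picture should legitimately have, and a ten-minute correlation window between a POST to /UyelikBilgilerim.aspx and a request for a script in the upload directory by the same client. The log lines embedded in the block are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple

UPLOAD_DIR = "/UyeResimleri/"            # profile-picture directory named in the advisory
PROFILE_PAGE = "/UyelikBilgilerim.aspx"   # page that accepts the profile picture upload
# Assumption: a profile picture should only ever be one of these.
ALLOWED_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
# Extensions a web server may hand to a script engine; none belong in an image directory.
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".asmx", ".jsp"}
CORRELATION_WINDOW = timedelta(minutes=10)  # assumption: upload-then-request window

# Constructed log format: date time client-ip method uri status
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one legitimate picture upload, one script upload that is
# then requested twice, one orphan script request, and one stray text file.
SAMPLE_LOG = """\
2019-02-22 10:01:03 203.0.113.5 GET /YeniUyelik.aspx 200
2019-02-22 10:02:11 203.0.113.5 POST /UyelikBilgilerim.aspx 302
2019-02-22 10:02:12 203.0.113.5 GET /UyeResimleri/48213_profile.jpg 200
2019-02-22 10:05:40 198.51.100.7 POST /UyelikBilgilerim.aspx 302
2019-02-22 10:05:45 198.51.100.7 GET /UyeResimleri/73190_avatar.php 200
2019-02-22 10:06:01 198.51.100.7 GET /UyeResimleri/73190_avatar.php?x=1 200
2019-02-22 11:30:00 192.0.2.9 GET /UyeResimleri/11111_pic.php 200
2019-02-22 11:31:00 192.0.2.9 GET /UyeResimleri/22222_notes.txt 200
"""


class Finding(NamedTuple):
    severity: str
    ip: str
    uri: str
    reason: str


def _ext(uri: str) -> str:
    """Return the lower-cased extension of the path part of a URI ('' if none)."""
    path = uri.split("?", 1)[0]
    dot, slash = path.rfind("."), path.rfind("/")
    return path[dot:].lower() if dot > slash else ""


def scan(log_text: str) -> list:
    """Flag non-image files under the upload directory and correlate script
    requests with a recent profile-picture POST from the same client."""
    findings = []
    last_upload_post = {}  # client ip -> time of its most recent POST to the profile page
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        ip, method, uri = m["ip"], m["method"], m["uri"]
        path = uri.split("?", 1)[0]

        if method == "POST" and path == PROFILE_PAGE:
            last_upload_post[ip] = ts
            continue
        if not path.startswith(UPLOAD_DIR):
            continue

        ext = _ext(path)
        if ext in ALLOWED_IMAGE_EXTS:
            continue
        if ext in SCRIPT_EXTS:
            prior = last_upload_post.get(ip)
            if prior is not None and ts - prior <= CORRELATION_WINDOW:
                findings.append(Finding("critical", ip, uri,
                    "script requested from upload dir shortly after a profile-picture POST by the same client"))
            else:
                findings.append(Finding("high", ip, uri,
                    "server-side script requested from upload dir"))
        else:
            findings.append(Finding("medium", ip, uri,
                f"non-image extension {ext or '(none)'} in upload dir"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.uri} - {f.reason}")
```

The same two facts drive the fix on the application side: the upload handler should accept only the allowlisted image extensions (checked against the file content, not the client-supplied name), store the file under a server-generated name, and the /UyeResimleri/ directory should be configured so the web server never passes files in it to any script handler. The detection above is a stop-gap that works from logs alone until that change is deployed.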
#################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################