Vulners
Lucene search
HanYazilim Paper Submission System .NET 1.0 Shell Upload
🗓️ 22 Feb 2019 00:00:00Reported by KingSkrupellosType 
packetstorm🔗 packetstormsecurity.com👁 593 Views
`#################################################################################
# Exploit Title : HanYazilim Paper Submission System .NET v1.0 Privilege
Escalation / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/02/2019
# Vendor Homepage : hanyazilim.com
# Software Information Link : hanyazilim.com/hakemlimakaletakipsistemi.pdf
videolar.hanyazilim.com
# CKEditor Simogeo Download :
github.com/simogeo/ckeditor-adv_link/archive/master.zip
# Software Version : 1.0
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Types :
CWE-266: Incorrect Privilege Assignment
CWE-269: Improper Privilege Management
CWE-284: Improper Access Control
CWE-250: Execution with Unnecessary Privileges
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
#################################################################################
# Description about Software :
***************************
HanYazilim Makale Takip Sistemi .NET v1.0 is a kind of Turkish Software
that can be tracked articles
and the journals is used for Turkish University Faculties.
#################################################################################
# Impact and Consequences :
****************************
* This Software [ Product ] HanYazilim Makale Takip Sistemi .NET v1.0
incorrectly assigns
a privilege to a particular actor, creating an unintended sphere of
control for that actor.
* The software does not restrict or incorrectly restricts access to a
resource from an unauthorized actor.
* The software performs an operation at a privilege level that is higher
than the minimum
level required, which creates new weaknesses or amplifies the consequences
of other weaknesses.
* The software does not properly assign, modify, track, or check privileges
for an actor, creating an unintended sphere of control for that actor.
#################################################################################
# Vulnerable Source Code : [ uyelikbilgilerim.aspx ]
*********************************************
<%@ Page Language="C#" MasterPageFile="~/Uye.master" AutoEventWireup="true"
CodeFile="UyelikBilgilerim.aspx.cs" Inherits="UyelikBilgilerim"
Title="Untitled Page" culture="auto" meta:resourcekey="PageResource1"
uiculture="auto" %>
<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
<style type="text/css">
.style1
{
width: 801px;
height: 70px;
}
.style7
{
width: 135px;
}
.style351
{
color: #FF0000;
}
.style357
{
width: 135px;
height: 28px;
}
.style358
{
width: 1200px;
height: 28px;
}
</style>
<link href="images/mainstyle.css" rel="stylesheet" type="text/css" />
</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder1"
Runat="Server">
<table class="tablosayfaadi">
<tr>
<td class="tablosayfayazi">
<asp:Label ID="Label1" runat="server" Text="Uye Detay/Member
Details"
meta:resourcekey="Label1Resource1"></asp:Label></td>
</tr>
</table>
<table class="style1">
<tr>
<td class="style7">
</td>
<td class="style6">
<asp:Label ID="Label4" runat="server" CssClass="style351"
Text="Label"
Visible="False"
meta:resourcekey="Label4Resource1"></asp:Label>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label2" runat="server" Text="AdA+- SoyadA+-"
meta:resourcekey="Label2Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox1" runat="server" Width="290px"
meta:resourcekey="TextBox1Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator1"
runat="server"
ControlToValidate="TextBox1" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator1Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label5" runat="server" Text="Unvan /Title"
meta:resourcekey="Label5Resource1"></asp:Label></td>
<td class="style8">
<asp:DropDownList ID="DropDownList2" runat="server"
meta:resourcekey="DropDownList2Resource1">
<asp:ListItem Value="1"
meta:resourcekey="ListItemResource1">AraAtA+-rma GAPrevlisi</asp:ListItem>
<asp:ListItem Value="2"
meta:resourcekey="ListItemResource2">Doktor</asp:ListItem>
<asp:ListItem Value="3"
meta:resourcekey="ListItemResource3">Yrd.DoASSent</asp:ListItem>
<asp:ListItem Value="4"
meta:resourcekey="ListItemResource4">DoASS. Dr.</asp:ListItem>
<asp:ListItem Value="5"
meta:resourcekey="ListItemResource5">Prof. Dr.</asp:ListItem>
<asp:ListItem Value="6"
meta:resourcekey="ListItemResource6">DiAer</asp:ListItem>
</asp:DropDownList>
<asp:RequiredFieldValidator ID="RequiredFieldValidator10"
runat="server"
ControlToValidate="DropDownList2" ErrorMessage="*"
InitialValue="0"
meta:resourcekey="RequiredFieldValidator10Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label6" runat="server"
Text="E-Posta /Email"
meta:resourcekey="Label6Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox3" runat="server" Width="290px"
ReadOnly="True"
meta:resourcekey="TextBox3Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator3"
runat="server"
ControlToValidate="TextBox3" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator3Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style357">
<asp:Label ID="Label7" runat="server"
Text="Parola /Password"
meta:resourcekey="Label7Resource1"></asp:Label>
</td>
<td class="style358">
<asp:TextBox ID="TextBox4" runat="server" Width="290px"
meta:resourcekey="TextBox4Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator4"
runat="server"
ControlToValidate="TextBox4" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator4Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label8" runat="server"
Text="AdegA Telefonu /Office Telephone"
meta:resourcekey="Label8Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox5" runat="server" Width="290px"
meta:resourcekey="TextBox5Resource1"></asp:TextBox>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label9" runat="server"
Text="Cep Telefonu /GSM"
meta:resourcekey="Label9Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox6" runat="server" Width="290px"
meta:resourcekey="TextBox6Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator12"
runat="server"
ControlToValidate="TextBox6" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator12Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label10" runat="server"
Text="Adresi /Address"
meta:resourcekey="Label10Resource1"></asp:Label>
</td>
<td class="style6">
<asp:TextBox ID="TextBox7" runat="server" Width="290px"
meta:resourcekey="TextBox7Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator9"
runat="server"
ControlToValidate="TextBox7" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator9Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label11" runat="server"
Text="Kurumu /Institution"
meta:resourcekey="Label11Resource1"></asp:Label></td>
<td class="style6">
<asp:TextBox ID="TextBox8" runat="server" Width="290px"
meta:resourcekey="TextBox8Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator6"
runat="server"
ControlToValidate="TextBox8" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator6Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label12" runat="server"
Text="GAPrevi /Task"
meta:resourcekey="Label12Resource1"></asp:Label></td>
<td class="style6">
<asp:TextBox ID="Gorevi" runat="server" Width="290px"
meta:resourcekey="GoreviResource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator13"
runat="server"
ControlToValidate="Gorevi" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator13Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label13" runat="server"
Text="AlanA+- /Field"
meta:resourcekey="Label13Resource1"></asp:Label></td>
<td class="style6">
<asp:TextBox ID="Alani" runat="server" Width="290px"
meta:resourcekey="AlaniResource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator7"
runat="server"
ControlToValidate="Alani" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator7Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label14" runat="server"
Text="KA+-sa AzgeASSmiA /Short Biography"
meta:resourcekey="Label14Resource1"></asp:Label></td>
<td class="style6">
<asp:TextBox ID="TextBox10" runat="server" Height="69px"
TextMode="MultiLine"
Width="290px"
meta:resourcekey="TextBox10Resource1"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator8"
runat="server"
ControlToValidate="TextBox10" ErrorMessage="*"
meta:resourcekey="RequiredFieldValidator8Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label15" runat="server"
Text="Profil FotografA+- /Profile Photo"
meta:resourcekey="Label15Resource1"></asp:Label>
</td>
<td class="style6" valign="middle">
<asp:Image ID="Image1" runat="server" Height="75px"
Width="75px"
meta:resourcekey="Image1Resource1" />
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
<asp:CheckBox ID="CheckBox2" runat="server"
AutoPostBack="True"
oncheckedchanged="CheckBox2_CheckedChanged"
Text="Ayelik Resmini DeAiAtir /Change Profile Photo"
meta:resourcekey="CheckBox2Resource1" />
<asp:FileUpload ID="FileUpload1" runat="server"
Visible="False"
meta:resourcekey="FileUpload1Resource1" />
<asp:RequiredFieldValidator ID="RequiredFieldValidator11"
runat="server"
ControlToValidate="FileUpload1" ErrorMessage="*"
Visible="False"
meta:resourcekey="RequiredFieldValidator11Resource1"></asp:RequiredFieldValidator>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label16" runat="server"
Text="Ayelik Tipi /Membership Type"
meta:resourcekey="Label16Resource1"></asp:Label>
</td>
<td class="style6">
<asp:DropDownList ID="DropDownList1" runat="server"
meta:resourcekey="DropDownList1Resource1">
<asp:ListItem Value="1"
meta:resourcekey="ListItemResource7">Yazar</asp:ListItem>
<asp:ListItem Value="2"
meta:resourcekey="ListItemResource8">Hakem</asp:ListItem>
<asp:ListItem Value="3"
meta:resourcekey="ListItemResource9">EditAPr</asp:ListItem>
</asp:DropDownList>
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label17" runat="server" Text="Ayelik Durumu
/Membership Status"
meta:resourcekey="Label17Resource1"></asp:Label></td>
<td class="style6">
<asp:CheckBox ID="CheckBox1" runat="server"
meta:resourcekey="CheckBox1Resource1" />
</td>
</tr>
<tr>
<td class="style7">
<asp:Label ID="Label18" runat="server" Text="GA1/4venlik
Kodu"
meta:resourcekey="Label18Resource1"></asp:Label></td>
<td class="style6">
<asp:TextBox ID="TextBox11" runat="server"
meta:resourcekey="TextBox11Resource1"></asp:TextBox>
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
<img src="GuvenlikKodu.aspx"> <asp:Label
ID="lblDusunceler" runat="server"
Visible="False"
meta:resourcekey="lblDusuncelerResource1"></asp:Label>
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
<asp:Button ID="Button1" runat="server" Text="DeAiAtir
/Change" Height="26px"
onclick="Button1_Click1"
meta:resourcekey="Button1Resource1" />
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
<asp:Label ID="Label3" runat="server" Text="Label"
Visible="False"
meta:resourcekey="Label3Resource1"></asp:Label>
</td>
</tr>
<tr>
<td class="style7">
</td>
<td class="style6">
</td>
</tr>
</table>
<table class="tablosayfaadi">
<tr>
<td class="tablosayfayazi">
</td>
</tr>
</table>
</asp:Content>
#################################################################################
# Privelege Escalation Exploit :
***************************
# Usage :
*********
# Register yourself as Author => [ Yazar ] account. [ New Admin ]
# Registeration with random e-mail address and choose Professor Doctor.
# Put password for your account.
# Fill All the Blanks. Enter Captchas.
/YeniUyelik.aspx
# After Successfull Registeration => it says =>
Your registration has been completed successfully.
Now you can login to the web site with your username and password..
# Admin Panel Login Path :
************************
/Hata.aspx?Mesaj=3
# Usable Author Control Links :
****************************
/UyeTumMakaleler.aspx?Mesaj=2
/UyeTumMakaleler.aspx?Goster=0
/UyeYayinlanacaklarDefault.aspx?Goster=4
/Arama.aspx
/MakaleGonder.aspx
/Mesajlar.aspx
/GonderilenMesajlar.aspx
/MesajGonder.aspx
Exploitation =>
**************
/ckeditor/plugins/simogeo/Browser.aspx
/UyelikBilgilerim.aspx
It says in Turkish Language :
Ayelik Resmini DeAiAtir. [ Change your Membership picture ]
Choose your .php file to upload from My Profile Photo.
Shell Uploaded Successfully.
Directory File Path :
******************
/UyeResimleri/[RANDOM-NUMBER]_[yourshellnamehere].php
#################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Feb 2019 00:00Current
7.4High risk
Vulners AI Score7.4