-Data leak-
http://kutuphane.tuik.gov.tr/yordambt/liste.php?-skip=0&-atla=0&-sayfa=01&Alan3=&Alan5=&anatur=&bolum=&alttur=&sekil=&ortam=&dil=&yayintarihi=&kgt=&gorsel=&kurumyayini=&cAlanlar=pollo&aa=eseradi&-max=16&universite=&enstitu=&anabilimdali=&bilimdali=&sureliilkharf=&sure=&biryil=&birdergitrh=&birsayi=&biricindekiler=
We can see the full path within the errors:
-> C:\Inetpub\wwwroot\yordambt
Example files: _dil.php | index.php | liste.php | _yardim.php | arama.php | anasayfa.php | url.php
After gaining access through an LFI, it is possible to see that we are on a Windows box with the default configuration, with permissions for -everybody- on some important folders. It is possible to operate much like an administrator with a simple -webshell- script.
There are some shared folders without a password on other boxes.
------
The scripts available from the website (also) interact with other web servers on the local network, where other documents are located.
Example: http://10.1.2.49/pdf/0016384.pdf
This information can be obtained from a simple search.
Sample URL:
http://kutuphane.tuik.gov.tr/yordambt/url.php?-action=new&-url=aHR0cDovLzEwLjEuMi40OS9wZGYvMDAxNjM4NC5wZGY=&demirbas=0016384
Here we can clearly see a base64-encoded string ( aHR0cDovLzEwLjEuMi40OS9wZGYvMDAxNjM4NC5wZGY -> http://10.1.2.49/pdf/0016384.pdf ),
and we can easily change the redirect (the Location header) to point to any other website.
This example redirects to this website/blog ( http://trueliarx.blogspot.com ):
http://kutuphane.tuik.gov.tr/yordambt/url.php?-action=new&-url=aHR0cDovL3RydWVsaWFyeC5ibG9nc3BvdC5jb20v&demirbas=0016384
Obviously we are facing an HTTP Splitting problem, and we can add other malicious content instead of redirecting.
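
As an added example (not code from the original post or from the site), this Python function performs the checks a handler like url.php needs before a decoded `-url` value is written into a Location header; it can also be run over logged request URLs to flag abuse. The allowlist holding only 10.1.2.49 is an assumption taken from the sample URL above, and the function name is hypothetical.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Assumption: the internal document server from the sample URL is the only
# legitimate redirect target. Adjust to the real set of document hosts.
ALLOWED_HOSTS = {"10.1.2.49"}
ALLOWED_SCHEMES = {"http", "https"}


def check_redirect_param(request_url):
    """Return (verdict, detail) for the base64 '-url' parameter of a request."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    values = query.get("-url")
    if not values or not values[0]:
        return ("reject", "missing -url parameter")
    raw = values[0].replace(" ", "+")  # parse_qs turns '+' into a space
    try:
        padded = raw + "=" * (-len(raw) % 4)
        target = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return ("reject", "not valid base64 / ASCII")
    # CR, LF or other control bytes would end up inside the Location header;
    # a backslash is read as '/' by browsers and confuses host parsing.
    if any(not "!" <= c <= "~" or c == "\\" for c in target):
        return ("reject", "forbidden character in target")
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:
        return ("reject", "unparseable target URL")
    if parts.scheme not in ALLOWED_SCHEMES:
        return ("reject", "scheme not allowed")
    if host not in ALLOWED_HOSTS:
        return ("reject", "host not allowlisted: %s" % host)
    return ("allow", target)


if __name__ == "__main__":
    base = "http://kutuphane.tuik.gov.tr/yordambt/url.php?-action=new&-url="
    # The two -url values shown in the post above.
    for value in ("aHR0cDovLzEwLjEuMi40OS9wZGYvMDAxNjM4NC5wZGY=",
                  "aHR0cDovL3RydWVsaWFyeC5ibG9nc3BvdC5jb20v"):
        print(check_redirect_param(base + value + "&demirbas=0016384"))
```

A stronger fix is to stop accepting a URL from the client at all and resolve the document location server-side from the `demirbas` identifier.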
-------------------------------------------------------------------------------------
I suppose that the website has something to do with a -library- (?). I cannot understand Turkish.