
Turnitin.com Exploit


15 replies to this topic

#1 Websnake

Websnake

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 13 posts

Posted 26 September 2006 - 08:46 AM

I was snooping around on their website and found a tiny little bug/exploit that some of you may find of interest. If you go to create a new user, it specifies in bold that to make an instructor you need a code and password given to you by your 'system admin' because they purchased the software. I messed around a bit and here's what I basically did. The newuser.asp links go in this order.

Edit: Sorry, wrong order =-\

newuser_type.asp
newuser_join.asp
newuser_email.asp
newuser_password.asp
newuser_secret.asp
newuser_profile.asp
newuser_agreement.asp
newuser_complete.asp

I set my type, then in the URL I set join to email, completely bypassing the need to enter a valid key and password. I went through it with fake information up to agreement, where instead of clicking 'I accept', I set my URL straight to complete. This created an instructor account for me without even validating the ID and password. I tried logging in and it worked.

Just something interesting I found yesterday, hope someone finds a use for it.

Edited by Websnake, 27 September 2006 - 09:11 PM.


#2 Zeph

Zeph

    OMG, so close to "1337"!

  • Agents of the Revolution
  • 1,319 posts

Posted 26 September 2006 - 03:34 PM

Nice first post.

#3 anubis26

anubis26

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 378 posts
  • Location:Chicago

Posted 26 September 2006 - 04:50 PM

Good observation. ^_^
By the way, is it just me or is that site running really slowly?

#4 secholev2

secholev2

    SCRiPT KiDDie

  • Members
  • 20 posts

Posted 26 September 2006 - 05:05 PM

Good observation. ^_^
By the way, is it just me or is that site running really slowly?

I think it's just you, buddy. It runs pretty fast for me. But nice first post, Websnake. :morpheus:

Edited by secholev2, 26 September 2006 - 05:06 PM.


#5 anubis26

anubis26

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 378 posts
  • Location:Chicago

Posted 26 September 2006 - 05:20 PM


Good observation. ^_^
By the way, is it just me or is that site running really slowly?

I think it's just you, buddy. It runs pretty fast for me. But nice first post, Websnake. :morpheus:

Ahh... it was just someone using the phone... damned QoS on teh router!

#6 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 26 September 2006 - 05:54 PM

I hope you know that turnitin.com is NOT for online grading. We implemented it at my last job (at a University) and it's to help guard against plagiarism.

Although, this is interesting and I'm sure the admins of turnitin.com will be hearing about it shortly.

#7 Websnake

Websnake

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 13 posts

Posted 27 September 2006 - 08:51 AM

I kind of over-exaggerated my hatred for the site, but I just find it annoying when schools like mine start to post grades on one site and now they want to have people turn in papers and assignments on another. It may sound like a good idea, but most people just don't know how to properly use computers, so it makes life difficult for the people that do. But that is beside the point. I am glad you find my first post to be a good one. I will continue to try to find problems with their site when I have the time. Thank you for hosting a nice site such as this where I can further learn about the parts of the internet not easily available to people (thank god for that).

#8 Trikk

Trikk

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 348 posts
  • Country:
  • Gender:Male
  • Location:Portland, OR

Posted 27 September 2006 - 04:50 PM

I just tried it, seems patched?

EDIT: I can go through the pages etc. just logging in won't work

Edited by Trikk, 27 September 2006 - 04:51 PM.


#9 Websnake

Websnake

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 13 posts

Posted 27 September 2006 - 05:30 PM

I'm trying to repeat it again, to remember what exactly I did, I remember messing with the link, deleting the information from it, so at one point in the registration process I must have and it worked.

This is what the registration link looks like basically.

http://turnitin.com/...601917b14fea713

If you delete everything after newuser_join.asp you get a blank window with a prev and next button, next just goes back to the beginning however.

Play around with it, I'll try to get the exact process down to a tutorial. Sorry for the inconvenience...

EDIT: I just did it again, this is basically exactly what I did:

1) Went to newuser_type.asp from the Main Page, set type to Instructor, hit Next
2) Do not enter anything into ID or password, go to the URL which is newuser_join.asp?svr=#&r=#&session-id=#andletters and change newuser_join.asp to newuser_email.asp, keeping the stuff after the ?, press Enter
3) Enter in an email for login, doesn't have to exist, Next button
4) Enter a password for login, has to include number, Next button
5) Select a secret question and input any secret answer, Next button
6) Enter a first and last name, I used something like Cool Dude, Next button
7) You will reach the agreement page, I did two different things here in an attempt to see which did it
7a) I either just went directly to the URL, newuser_agreement.aspblahblah and changed it to newuser_complete.asp and hit enter
7b) Or, I hit I agree, it brings up a page saying there was an error, hit the browser Back button, then did 7a).
8) It should work, if not, wait a while, they may just take a bit to actually create the account. If this STILL doesn't work, I will keep trying

Update: I have confirmed it takes a few minutes to create the account, so if you get a login failed message don't give up!

If you would like proof this works, try logging in with this account:

lamer[-at-]noob.com
lmfao1

(yes, I know, dumb email, I was in a hurry =-P)

Edited by Websnake, 27 September 2006 - 05:46 PM.
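
Added example (not part of the original post and not Turnitin's code): the behaviour described above is what happens when each wizard page trusts that the earlier pages were completed. One way to close it is to track progress server-side and refuse any step requested out of order. The step names follow the page order listed in post #1; the class, field names and the join code are constructed for illustration.

```python
import hmac

# Page order taken from the post; everything else here is assumed.
STEPS = ["type", "join", "email", "password", "secret",
         "profile", "agreement", "complete"]

# Constructed sample data: institution account ID -> join password.
JOIN_CODES = {"10001": "constructed-join-pw"}


class SignupSession:
    """Wizard progress kept server-side, keyed to the session, not the URL."""

    def __init__(self):
        self.done = []   # steps completed so far, in order
        self.data = {}   # validated fields per step

    def submit(self, step, **fields):
        """Handle one step's POST; returns True once the account may be created."""
        expected = STEPS[len(self.done)] if len(self.done) < len(STEPS) else None
        if step != expected:
            # Requesting a later page directly (forced browsing) lands here.
            raise PermissionError(f"expected step {expected!r}, got {step!r}")
        check = getattr(self, "_check_" + step, None)
        if check:
            check(fields)
        self.data[step] = fields
        self.done.append(step)
        return step == "complete"

    def _check_join(self, f):
        # Instructors must present a valid institution ID and join password.
        if self.data["type"].get("role") != "instructor":
            return
        want = JOIN_CODES.get(f.get("account_id", ""))
        got = f.get("join_pw", "")
        if want is None or not hmac.compare_digest(want.encode(), got.encode()):
            raise PermissionError("invalid account ID or join password")

    def _check_agreement(self, f):
        if f.get("accepted") is not True:
            raise PermissionError("agreement not accepted")

    def _check_complete(self, f):
        # Defense in depth: re-verify the whole chain before creating anything.
        if self.done != STEPS[:-1]:
            raise PermissionError("registration steps missing")
```

A rejected step leaves `done` unchanged, so a failed join or a declined agreement cannot be stepped over by requesting the next page.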


#10 n3xg3n

n3xg3n

    "I Hack, therefore, I am"

  • Members
  • 960 posts
  • Country:
  • Gender:Male
  • Location:(703)

Posted 27 September 2006 - 06:37 PM

Welcome, and nice first post :lol: One of the best I've seen

#11 killer-a

killer-a

    the 0ne

  • Members
  • 1 posts

Posted 18 November 2006 - 03:40 PM

wow good job! now if we only had an account ID and password so we can actually use it :)

or that's the impossible part ? :)

#12 thebaboon

thebaboon

    H4x0r

  • Members
  • 36 posts
  • Location:404 Not Found

Posted 18 November 2006 - 11:26 PM

wow good job! now if we only had an account ID and password so we can actually use it :)

or that's the impossible part ? :)

I think you missed the point.

#13 Jon

Jon

    Will I break 10 posts?

  • Members
  • 7 posts

Posted 30 November 2006 - 01:33 AM


wow good job! now if we only had an account ID and password so we can actually use it :)

or that's the impossible part ? :)

I think you missed the point.


thebaboon is right though.
in order to use this at all, you need to join an account with a school.

If you just make an instructor's account, it's about as worthless as a student's.

#14 ranjha_1

ranjha_1

    the 0ne

  • Members
  • 1 posts
  • Country:
  • Gender:Male
  • Location:Islamabad

Posted 25 December 2012 - 12:38 AM

This 1 is not working for me....
any 1 plz help 2 day is the last date and i have to submit my report...

make any account and thn give me user name and password...

I'll be grateful to you.

regards

#15 TheFunk

TheFunk

    SUP3R 31337

  • Binrev Financier
  • 186 posts
  • Country:
  • Gender:Male

Posted 25 December 2012 - 08:48 PM

Sorry bud, this post is almost 7 years old. Any chance you had at doing this is long since gone. This topic will probably also be closed soon. Good luck with your report.

#16 StankDawg

StankDawg

    same old Dawg, no new tricks

  • Moderating Team
  • 8,073 posts
  • Country:
  • Gender:Male

Posted 02 January 2013 - 11:04 AM

oh...wow... I need to find that thread diggers award for this one.



