Websnake

Turnitin.com Exploit


I was snooping around on their website and found a tiny little bug/exploit that some of you may find of interest. If you go to create a new user it in bold specifies that to make an instructor you need a code and password given to you by your 'system admin' because they purchased the software. I messed around a bit and here's what I basically did. The newuser.asp links go in this order.

Edit: Sorry, wrong order =-\

newuser_type.asp

newuser_join.asp

newuser_email.asp

newuser_password.asp

newuser_secret.asp

newuser_profile.asp

newuser_agreement.asp

newuser_complete.asp

I set my type, then in the URL I set join to email, completely bypassing the need to enter a valid key and password, I went through it with fake information up to agreement, where instead of clicking 'I accept', I set my URL straight to complete. This created an instructor account for me without even validating the ID and password, I tried logging in and it worked.

Just something interesting I found yesterday, hope someone finds a use for it.

Edited by Websnake

Good observation. ^_^

By the way, is it just me or is that site running really slowly?


> Good observation. ^_^
>
> By the way, is it just me or is that site running really slowly?

I think it's just you buddy. It runs pretty fast for me. but nice first post websnake. :morpheus:

Edited by secholev2

> > Good observation. ^_^
> >
> > By the way, is it just me or is that site running really slowly?
>
> I think it's just you buddy. It runs pretty fast for me. but nice first post websnake. :morpheus:

Ahh... it was just someone using the phone... damned QoS on teh router!


I hope you know that turnitin.com is NOT for online grading. We implemented it at my last job (at a University) and it's to help guard against plagiarism.

Although, this is interesting and I'm sure the admins of turnitin.com will be hearing about it shortly.


I kind of over-exaggerated my hatred for the site, but I just find it annoying when schools like mine start to post grades on one site and now they want to have people turn in papers and assignments on another, it may sound like a good idea but most people just don't know how to properly use computers, so it makes life difficult for the people that do. But that is beside the point, I am glad you find my first post to be a good one. I will continue to try to find problems with their site when I have the time, thank you for hosting a nice site such as this where I can further learn about the parts of the internet not easily available to people (thank god for that).


I just tried it, seems patched?

EDIT: I can go through the pages etc. just logging in won't work

Edited by Trikk

I'm trying to repeat it again, to remember what exactly I did, I remember messing with the link, deleting the information from it, so at one point in the registration process I must have and it worked.

This is what the registration link looks like basically.

http://turnitin.com/newuser_join.asp?svr=6...601917b14fea713

If you delete everything after newuser_join.asp you get a blank window with a prev and next button, next just goes back to the beginning however.

Play around with it, I'll try to get the exact process down to a tutorial. Sorry for the inconvenience...

EDIT: I just did it again, this is basically exactly what I did:

1) Went to newuser_type.asp from the Main Page, set type to Instructor, hit Next

2) Do not enter anything into ID or password, go to the URL which is newuser_join.asp?svr=#&r=#&session-id=#andletters and change newuser_join.asp to newuser_email.asp, keeping the stuff after the ?, press Enter

3) Enter in an email for login, doesn't have to exist, Next button

4) Enter a password for login, has to include number, Next button

5) Select a secret question and input any secret answer, Next button

6) Enter a first and last name, I used something like Cool Dude, Next button

7) You will reach the agreement page, I did two different things here in an attempt to see which did it

7a) I either just went directly to the URL, newuser_agreement.aspblahblah and changed it to newuser_complete.asp and hit enter

7b) Or, I hit I agree, it brings up a page saying there was an error, hit the browser Back button, then did 7a).

8) It should work, if not, wait a while, they may just take a bit to actually create the account. If this STILL doesn't work, I will keep trying

Update: I have confirmed it takes a few minutes to create the account, so if you get a login failed message don't give up!

If you would like proof this works, try logging in with this account:

lamer[-at-]noob.com

lmfao1

(yes, I know, dumb email, I was in a hurry =-P)

Edited by Websnake
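
From the defending side, the posts above describe registration pages that could be requested out of order by editing the page name in the URL. The following Python model is an added example, not code from the thread or from the site: it keeps wizard progress in server-side session state and refuses any step other than the next expected one. The names `handle_step`, `validate_join` and `replay`, and all sample values, are hypothetical and constructed for illustration.

```python
STEPS = ["type", "join", "email", "password", "secret",
         "profile", "agreement", "complete"]

class WizardError(Exception): pass

def validate_join(d):
    # Hypothetical check of the instructor account ID and join password;
    # the values are constructed for this example.
    return d.get("account_id") == "12345" and d.get("join_pw") == "constructed-pw"

VALIDATORS = {
    "type": lambda d: d.get("type") in ("student", "instructor"),
    "join": validate_join,
    "email": lambda d: "@" in d.get("email", ""),
    "password": lambda d: any(c.isdigit() for c in d.get("password", "")),
    "secret": lambda d: bool(d.get("answer")),
    "profile": lambda d: bool(d.get("first")) and bool(d.get("last")),
    "agreement": lambda d: d.get("accept") is True,
    "complete": lambda d: True,
}

def handle_step(session, step, data):
    """Process one page. Progress lives in server-side session state,
    so editing the page name in the URL cannot advance the flow."""
    done = session.setdefault("done", [])
    expected = STEPS[len(done)] if len(done) < len(STEPS) else None
    if step != expected:
        raise WizardError(f"{step!r} requested but next step is {expected!r}")
    if not VALIDATORS[step](data):
        raise WizardError(f"validation failed at {step!r}")
    done.append(step)
    return step == "complete"  # True: every step validated, create account

def replay(requests):
    """Run constructed (step, data) requests against a fresh session."""
    session, created = {}, False
    try:
        for step, data in requests:
            created = handle_step(session, step, data)
    except WizardError as e:
        return f"rejected: {e}"
    return "created" if created else "incomplete"

VALID = [("type", {"type": "instructor"}),
         ("join", {"account_id": "12345", "join_pw": "constructed-pw"}),
         ("email", {"email": "a@example.test"}), ("password", {"password": "pw1"}),
         ("secret", {"answer": "x"}), ("profile", {"first": "A", "last": "B"}),
         ("agreement", {"accept": True}), ("complete", {})]
SKIP_JOIN = [VALID[0]] + VALID[2:]           # type, then straight to email
SKIP_AGREE = VALID[:6] + [("complete", {})]  # profile, then straight to complete
```

`replay(SKIP_JOIN)` and `replay(SKIP_AGREE)` are both rejected at the first out-of-order request, while `replay(VALID)` reaches account creation.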

welcome, and nice first post :lol: one of the best i've seen


wow good job! now if we only had an account ID and password so we can actually use it :)

or that's the impossible part ? :)


> wow good job! now if we only had an account ID and password so we can actually use it :)
>
> or that's the impossible part ? :)

I think you missed the point.


> > wow good job! now if we only had an account ID and password so we can actually use it :)
> >
> > or that's the impossible part ? :)
>
> I think you missed the point.

thebaboon is right though.

in order to use this at all, you need to join an account with a school.

if you just make an instructors account, it's about as worthless as a students.


This 1 is not working for me....

any 1 plz help 2 day is the last date and i have to submit my report...

make any account and then give me user name and password...

I'll be grateful to you.

regards


Sorry bud, this post is almost 7 years old. Any chance you had at doing this is long since gone. This topic will probably also be closed soon. Good luck with your report.


oh...wow... I need to find that thread diggers award for this one.
