header-logo
Suggest Exploit
vendor:
PhotoPost vBGallery
by:
Cold z3ro
7.5
CVSS
HIGH
Remote File Upload
434
CWE
Product Name: PhotoPost vBGallery
Affected Version From: v2.x
Affected Version To: v2.x
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

vBulletin PhotoPost vBGallery v2.x Remote File Upload

The exploiter can upload a PHP shell via the upload.php script by renaming it to $name.php.wmv. The uploaded file will be in the user's account number folder. For example, if the user's account number is 4, the file path will be http://localhost/Forum/$gallery_path/files/4/$name.php.wmv. If the user's account number is 12345, the file path will be http://localhost/Forum/$gallery_path/files/1/2/3/4/5/$name.php.wmv.

Mitigation:

Ensure that the upload.php script is not accessible to unauthorized users and that the file uploads are properly validated.
Source

Exploit-DB raw data:

vBulletin PhotoPost vBGallery v2.x Remote File Upload

Found by : Cold z3ro

e-mail : exploiter@hackteach.org

Home page : www.Hack.ps

==============================

exploit usage : 

http://localhost/Forum/$gallery_path/upload.php

here the exploiter can upload php shell via this script

by renamed it's name to $name.php.wmv

but first he should be a user in the forum

thats so important to him cus the uploaded file will be

in his account nomber folder .

example :

user : Cold z3ro
http://www.hackteach.org/cc/member.php?u=4

his account nomber is 4 as shown in link ,

the uploaded file ( shell ) will be in

http://localhost/Forum/$gallery_path/files/4/$name.php.wmv

id the user Cold z3ro have acconut nomber as example ( 12345 )

the file path is 

http://localhost/Forum/$gallery_path/files/1/2/3/4/5/$name.php.wmv

===================

i want tho thank all members in www.hackteach.org forums , best work u are done.

thank u .

# hackteach.org

# milw0rm.com [2008-07-15]

Navigation

Suggest Exploit

Services By CQR