Claydip Airbnb Clone 1.0 Arbitrary File Upload

2017.09.25
Credit: Ihsan Sencan
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# # # # # # Exploit Title: Claydip Laravel Airbnb Clone 1.0 - Arbitrary File Upload # Dork: N/A # Date: 22.09.2017 # Vendor Homepage: https://www.claydip.com/ # Software Link: https://www.claydip.com/airbnb-clone.html # Demo: https://www.claydip.com/airbnb_demo.html # Version: N/A # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: CVE-2017-14704 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # # The vulnerability allows an users upload arbitrary file.... # # Vulnerable Source: # # .............1 # public function imageSubmit(Request $request) # { $this->validate($request, [ 'image' => 'image|mimes:jpeg,png,jpg,gif,svg|max:2048', ]); # if ($request->hasFile('profile_img_name')) { # $file = $request->file('profile_img_name'); # //getting timestamp # $timestamp = str_replace([' ', ':'], '-', Carbon::now()->toDateTimeString()); # $img_name = $timestamp. '-' .$file->getClientOriginalName(); # //$image->filePath = $img_name; # $file->move(public_path().'/images/profile', $img_name); # $postData = array('profile_img_name' => $img_name, 'profile_photo_approve' => 0); # $user = $this->userRepository->updateUser($postData); # flash('Profile Image Updated Successfully', 'success'); # if($request->get('uploadpage') == 2) { # return \Redirect::to('user/edit/uploadphoto'); # } # return \Redirect::to('user/dashboard'); # } # # } # .............2 # public function proof_submit(Request $request) # { # if ($request->hasFile('profile_img_name')) { # $file = $request->file('profile_img_name'); # //getting timestamp # $timestamp = str_replace([' ', ':'], '-', Carbon::now()->toDateTimeString()); # $img_name = $timestamp. '-' .$file->getClientOriginalName(); # //$image->filePath = $img_name; # $file->move(public_path().'/images/proof', $img_name); # $postData = array('idproof_img_src' => $img_name, 'id_proof_approved' => 0); # $user = $this->userRepository->updateUser($postData); # flash('Proof Updated Successfully', 'success'); # return \Redirect::to('user/edit/uploadproof'); # } # # } # ............. # # Proof of Concept: # # http://localhost/[PATH]/user/edit/uploadphoto # http://localhost/[PATH]/user/edit/uploadproof # # http://localhost/[PATH]/images/profile/[$timestamp].Php # # Etc.. # # # # #


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top