JulioFileManager - Arbitrary File Upload

2018.06.20
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Title: JulioFileManager - Arbitrary File Upload
# Author: Zaenal Arifin - Kaizen
# Vendor Homepage: -
# Software Link: -
# Version: 1.0
# Tested on: Windows 7,10 64-bit

Proof of Concept:

Google Dork : N/A

0x0 : Exploit :
localhost/Patch/tinymce/js/tinymce/plugins/JulioFileManager/JFileManager.aspx
If the target is vulnerable, you will land in the file manager.

0x1 : You can upload files with extension .html, php, jpg, png and any other.
To bypass shell you can use Tamper or Burp Suite.
If the file uploads successfully, a message will appear:
SUCCESS: New file has been uploaded successfully

0x2 : Uploaded file path :
localhost/Patch/tinymce/js/tinymce/plugins/JulioFileManager/UploadedFiles/[dd/mm/yy]_yourfilename.html
You can find your file using Ctrl+F and typing your file name.

Special Thanks to : God , Team_CC , Error Squad , and my friends

PoC Video : https://youtu.be/eZl5Rk5CJq0

################################################
Contact :
Facebook : https://www.facebook.com/darkvenom.gov
Email : zaenalarifin.net@gmail.com
################################################

References:

https://youtu.be/eZl5Rk5CJq0
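
Added example (not part of the original advisory and not the author's code): a log check a defender could run over IIS W3C logs to spot access to the file manager page and non-image files requested from the UploadedFiles directory named above. Only the two paths come from the advisory; the log lines, IP addresses, file names and the image-extension allowlist are constructed assumptions.

```python
import posixpath

# Paths taken from the advisory; the image allowlist is an assumption.
MANAGER = "/plugins/juliofilemanager/jfilemanager.aspx"
UPLOAD_DIR = "/plugins/juliofilemanager/uploadedfiles/"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2018-06-20 10:01:02 GET /Patch/tinymce/js/tinymce/plugins/JulioFileManager/JFileManager.aspx 203.0.113.7 200
2018-06-20 10:01:30 POST /Patch/tinymce/js/tinymce/plugins/JulioFileManager/JFileManager.aspx 203.0.113.7 200
2018-06-20 10:02:11 GET /Patch/tinymce/js/tinymce/plugins/JulioFileManager/UploadedFiles/20-06-18_page.html 203.0.113.7 200
2018-06-20 10:03:40 GET /Patch/tinymce/js/tinymce/plugins/JulioFileManager/UploadedFiles/20-06-18_logo.png 198.51.100.4 200
2018-06-20 10:04:05 GET /Patch/tinymce/js/tinymce/plugins/JulioFileManager/UploadedFiles/20-06-18_a.PHP 203.0.113.7 404
"""

def classify(method, stem):
    """Return a finding label for one request, or None if unremarkable."""
    path = stem.lower()  # IIS on Windows resolves paths case-insensitively
    if path.endswith(MANAGER):
        return "upload-post" if method == "POST" else "manager-access"
    if UPLOAD_DIR in path:
        ext = posixpath.splitext(path)[1]
        if ext not in ALLOWED_EXT:
            return "non-image-in-upload-dir"
    return None

def scan(log_text):
    """Parse W3C lines using the #Fields header; return a list of findings."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        label = classify(row.get("cs-method", ""), row.get("cs-uri-stem", ""))
        if label:
            findings.append((row["c-ip"], row["sc-status"], label, row["cs-uri-stem"]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

A POST to the manager page followed by a request for a non-image file in UploadedFiles from the same client is the sequence worth triaging first.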

