CSZ CMS 1.2.1 - Arbitrary File Upload

2019.03.17
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

=========================================================================================== # Exploit Title: CSZ CMS 1.2.1 - Arbitrary File Upload # Dork: N/A # Date: 15-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://www.cszcms.com/ # Software Link: https://sourceforge.net/projects/cszcms/ # Version: 1.2.1 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: CSZ CMS is an open source web application that allows to manage all content and settings on the websites. CSZ CMS was built on the basis of Codeigniter and design the structure of Bootstrap, this should make your website fully responsive with ease. =========================================================================================== # POC - File Upload # Step by Step # 1-) Login with admin username and password # 2-) Click on the content menu then go to the file upload tab. https://i.hizliresim.com/y6WqaM.png # 3-) Open your php script file and add it to the top of the page (GIF89a;). https://i.hizliresim.com/V9ODWq.png # 4-) Change the file extension to .php.gif https://i.hizliresim.com/0RXzoD.png # 5-) Run the burp suite program. and do your proxy settings. # 6-) Click the Add Files button to select your file. https://i.hizliresim.com/RrAD5G.png # 7-) Press the upload button. and delete the .gif part from the file extension in the burp suite. # 8-) You may receive an error message. no problem. the file will be installed on the server. # 9-) You can see the name and path of the file in URL_Path: at the bottom of the screen. https://i.hizliresim.com/ADVzpX.png ===========================================================================================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top