Warkers PHP Search Script WebShell Upload

2019.04.23
QUIXSS (RU)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[*] :: Title: Warkers PHP Search Script WebShell Upload
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-23
[*] :: Software: Warkers PHP Search Script

[?] :: Technical Details & Description:
# Weak security measures, such as no restriction on .PHP5/.PHP7 file uploads, have been discovered in the «Warkers PHP Search Script».

[?] :: Demo Website:
# https://codecanyon.net/item/warkers-php-search-script/22659711
# Frontend: http://theme.meteros.agency/warker
# Backend: http://theme.meteros.agency/warker/login
# Login: demo@user.user, Password: demodemo (or register a new profile)

[!] :: Special Note:
# One of the declared features of this web application is «Totally secured system (SQL injection, XSS, CSRF)». Very funny, huh?

[!] :: PoC Upload:
# http://theme.meteros.agency/warker/storage/identificationes/April2019/eC8dkHs3gC5V6fzjxP9A.php
# http://theme.meteros.agency/warker/storage/identificationes/September2018/shutterstock-622178180.php
# http://theme.meteros.agency/warker/storage/identificationes/December2018/rRwQdGjFhPIRTl0Gb4dq.php
# http://theme.meteros.agency/warker/public/assets/images/en.php?cmd=ls -la

[+] :: PoC [WebShell Upload]:
# Authorize on the demo website for tests: http://theme.meteros.agency/warker/login (login demo@user.user, password demodemo). Then go to the «Edit Profile» page: http://theme.meteros.agency/warker/Users/Demouser/edit (for user «Demouser»).
# There is one and only one vulnerable file upload field on this page - «Update your avatar». You can upload any .PHP file you want; just change the file extension from .PHP to .PHP5 or .PHP7. Submit the form and your file will be here: http://theme.meteros.agency/warker/storage/identificationes/XXXXYYYY/ZZZZZ.phpV (or you can «inspect» the broken image to get the link), where XXXX is the month name like «April», YYYY is the year like «2019» and ZZZZZ.phpV is your uploaded file name (V is the version suffix of the uploaded file: .PHP5 or .PHP7).
# Sample link: http://theme.meteros.agency/warker/storage/identificationes/April2019/yourfile.php5 (check the «PoC Upload» section for real working examples).

[+] :: BONUS:
# You can «break» any profile by adding <img src=x> in the «Username» field. Save the result and then try to log out; you will probably see a fatal error with database connection details like host, username and password. You can upload a webshell with DB access and use these credentials for some fun.
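As an added example (not part of the advisory and not the script's own code), the deny-list behaviour described above beside a hardened avatar-upload check, written in Python; the names weak_check, hardened_check and ALLOWED_TYPES are assumed for illustration.

```python
import os
import secrets
from typing import Optional

# The weak check the advisory describes: a deny-list that only knows ".php",
# so ".php5"/".php7" (which a web server may still hand to the PHP engine) pass.
DENYLIST = {".php"}

# Hardened check: an allow-list of image extensions, each tied to the magic
# bytes a genuine file of that type must begin with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def _extension(filename: str) -> str:
    # Last extension only, lower-cased, so "Shell.PHP5" and "a.png.php7"
    # are judged by the suffix the web server will actually see.
    return os.path.splitext(os.path.basename(filename))[1].lower()


def weak_check(filename: str) -> bool:
    """The vulnerable behaviour: block '.php' and nothing else."""
    return _extension(filename) not in DENYLIST


def hardened_check(filename: str, content: bytes) -> Optional[str]:
    """Return a server-chosen storage name for an accepted avatar, or None to reject.

    Accepts only allow-listed extensions whose content starts with the matching
    magic bytes, and never reuses the client-supplied file name.
    """
    ext = _extension(filename)
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        return None  # not an image extension we serve (covers .php, .php5, .php7, ...)
    if not any(content.startswith(m) for m in magics):
        return None  # extension says image, bytes say otherwise
    # Random server-side name: the client cannot choose the stored path or extension.
    return f"{secrets.token_hex(16)}{ext}"
```

Pair the allow-list with a storage directory the web server is configured not to execute scripts from; the extension check alone does not help once a handler mapping like .php5 is in place.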

References:

https://codecanyon.net/item/warkers-php-search-script/22659711

