Urbainx - Modern Directory Listing Script Theme WebShell Upload

ru QUIXSS (RU) ru
Risk: Low
Local: No
Remote: Yes

[*] :: Title: Urbainx - Modern Directory Listing Script Theme WebShell Upload [*] :: Author: QUIXSS [*] :: Date: 2019-04-28 [*] :: Software: Urbainx - Modern Directory Listing Script Theme [?] :: Technical Details & Description: # Weak security measures like no restriction for .PHP5/.PHP7 file upload has been discovered in the «Urbainx - Modern Directory Listing Script Theme». [?] :: Demo Website: # https://codecanyon.net/item/urbainx-modern-directory-listing-script-theme/23430909 # Frontend: http://theme.meteros.agency/urbainx # Backend: http://theme.meteros.agency/urbainx/login # Login: nurchan@gmail.com, Password: 123456 (or register a new profile) [!] :: Special Note: # One of the declared features of this web-application is «Totally secured system (SQL injection, XSS, CSRF)». Very funny, huh? [+] :: PoC [PHP Upload]: # http://theme.meteros.agency/urbainx/storage/users/April2019/ABYYGJhNbTwF4fh3X6AK.php # http://theme.meteros.agency/urbainx/storage/users/February2019/BPVx3ik0hHsfT9iuk8AZ.php # http://theme.meteros.agency/urbainx/storage/users/March2019/AvRx3iM1hHsfT9iZZ8AZ.php # http://theme.meteros.agency/urbainx/public/assets/images/clients-img/star-pull.php?cmd=ls -la [+] :: PoC [WebShell Upload]: # Authorize on the demo website for tests: http://theme.meteros.agency/urbainx/login (login mhndsabla@meteors.com, password 123456). Then go to the «Edit Profile» page: http://theme.meteros.agency/urbainx/Users/nurchan/edit (for user «nurchan»). # There is one and only vulnerable file upload field on this page. You can upload any .PHP file u want, just change file type from .PHP to .PHP5 or .PHP7. Submit the form and your file will be here: http://theme.meteros.agency/urbainx/storage/users/XXXXYYYY/ZZZZZ.phpV (or u can «inspect» broken image on this page http://theme.meteros.agency/urbainx/Users/[username] to get the link), where XXXX is month name like «April», YYYY is year like «2019» and ZZZZZ.phpV is your uploaded file name (V is for version of uploaded file: .PHP5 or .PHP7). Sample link: http://theme.meteros.agency/urbainx/storage/users/April2019/yourfile.php5 (check the «PoC Upload» for real working examples).



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com


Back to Top