Open Journal Systems Arbitrary File Upload

2021.10.30

Emyounoone (TR)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: /index.php/journal

# Title: Open Journal Systems Arbitrary File Upload
# Author: Emyounoone
# Google Dork: /index.php/journal
# Date: 29/10/2021
# Vendor Homepage (Example): https://nur.hmu.edu.krd/index.php/journal
# Tested on: Kali Linux | Cyberfox
# Vulnerable Path: index.php/journal/
Exploit:
You can upload a webshell onn using this exploit
Firstly register as a writer on Open Journal Systems (OJS) and login it. After that you need to be a report a submission. While you are uploading a new submission you can upload a academical file on the web server. You can upload every file type on this part
After you upladed a webshell :
example: https://nur.hmu.edu.krd/index.php/journal/$$$call$$$/api/file/file-api/download-file?fileId=302&revision=1&submissionId=---114---&stageId=1
The result might be like this.
After copy this link and paste anywhere:
As we know submissionId=---114 is our file id : 114
(This is variable)
You can acces your shell part using this id:
https://nur.hmu.edu.krd/index.php/journal/files/journals/dir_number/articles/file_id(114)/submission/shell
Result Example:
https://nur.hmu.edu.krd/index.php/journal/files/journals/1/articles/114/submission/shell.php
If you succeeded you can acces your shell

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Open Journal Systems Arbitrary File Upload

Dork: /index.php/journal

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.