Exploit mktba 4.2 Arbitrary File Upload

2022.07.10

Dz MinD Injector (DZ)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: Powered by: mktba

###
# Title : Exploit mktba 4.2 Arbitrary File Upload
# Author : Dz MinD Injector
# Home : Algeria 23000 d^_^b
# FaCeb0ok : https://www.facebook.com/Dz.MinD.Injector
# Type : proof of concept
# Tested on : Windows 10
# Date : 09/07/2022
###

I'm Back : )

# Description:

An attacker can access the upload function of the application without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions 

# PoC:

Easy linke :

http://127.0.0.1/upload.php

you can use Burpsuite or tamperdata to bypass jpg to php shell

Enjoy : )

# Proof and Exploit:
http://islami.eb2a.com/upload/aln3esa-1657397278.jpg
http://alajmh.com/mktba/quraan2/mp3/aln3esa-1657397316.jpg
http://ashry.freetzi.com/upload/aln3esa-1657397801.jpg

[+] FinD More Traget In google = )

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Exploit mktba 4.2 Arbitrary File Upload

Dork: Powered by: mktba

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.