MktbaGold 6.4 Arbitrary File Upload

2022.07.13

Dz MinD Injector (DZ)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: Powered by: MktbaGold 6.4

###
# Title : Exploit Powered by: MktbaGold 6.4 Arbitrary File Upload
# Author : Dz MinD Injector
# Home : Algeria 23000 d^_^b
# FaCeb0ok : https://www.facebook.com/Dz.MinD.Injector
# Type : proof of concept
# Tested on : Windows 10
# Date : 09/07/2022
###

I'm Back : )

# Description:
In this Case you juste need to singup first and then follow this link

An attacker can access the upload function of the application without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions 

# PoC:

Easy linke :
In this Case you juste need to singup first and then follow this link :

http://127.0.0.1/upload.php

you can use Burpsuite or tamperdata to bypass jpg to php shell

Enjoy : )

# Proof and Exploit:
http://danya.dreamscity.net/upload.php?file=jVSm7DNpagGEu9k

[+] FinD More Traget In google = )

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MktbaGold 6.4 Arbitrary File Upload

Dork: Powered by: MktbaGold 6.4

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.