0ffa4d35c4
32 changes to exploits/shellcodes aSc TimeTables 2021.6.2 - Denial of Service (PoC) IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path Microsoft Windows - Win32k Elevation of Privilege Ksix Zigbee Devices - Playback Protection Bypass (PoC) Mitel mitel-cs018 - Call Data Information Disclosure Expense Management System - 'description' Stored Cross Site Scripting ILIAS Learning Management System 4.3 - SSRF Pharmacy Store Management System 1.0 - 'id' SQL Injection Under Construction Page with CPanel 1.0 - SQL injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF Student Result Management System 1.0 - Authentication Bypass SQL Injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution WonderCMS 3.1.3 - Authenticated Remote Code Execution PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting NewsLister - Authenticated Persistent Cross-Site Scripting Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile DotCMS 20.11 - Stored Cross-Site Scripting WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass ChurchCRM 4.2.0 - CSV/Formula Injection ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS) Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover Simple College Website 1.0 - 'page' Local File Inclusion Car Rental Management System 1.0 - SQL Injection / Local File include WordPress Plugin Wp-FileManager 6.8 - RCE
16 lines
No EOL
864 B
Text
16 lines
No EOL
864 B
Text
# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated)
|
|
# Date: November 17th, 2020
|
|
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
|
|
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
|
|
# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
|
|
# Version: 1.0
|
|
# Tested On: Windows 10 (XAMPP Server)
|
|
# CVE: CVE-2020-28688
|
|
---------------------
|
|
Proof of Concept:
|
|
---------------------
|
|
1. Authenticate as a user (or signup as an artist)
|
|
2. Click the drop down for your username and go to My ART+BAY
|
|
3. Click on My Artworks > My Available Artworks > Add an Artwork
|
|
4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload
|
|
5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution |