
12 new exploits Linux x86_64 - Reverse Shell Shellcode Gemalto Sentinel License Manager 18.0.1.55505 - Directory Traversal Solarwinds Virtualization Manager - Privilege Escalation Blat 3.2.14 - Stack Overflow Linux/x86 - Bindshell with Configurable Port - 87 bytes Linux x86_64 Shellcode Null-Free Reverse TCP Shell Linux x86 TCP Bind Shell Port 4444 (656 bytes) Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution Linux/Windows/BSD x86_64 execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode ATCOM PBX IP01_ IP08 _ IP4G_ IP2G4A - Authentication Bypass Roxy Fileman 1.4.4 - Arbitrary File Upload SlimCMS 0.1 - CSRF (Change Admin Password)
# Exploit Title: Roxy Fileman <= 1.4.4 Forbidden File Upload Vulnerability
# Google Dork: intitle:"Roxy file manager"
# Date: 15-06-2016
# Exploit Author: Tyrell Sassen
# Vendor Homepage: http://www.roxyfileman.com/
# Software Link: http://www.roxyfileman.com/download.php?f=1.4.4-php
# Version: 1.4.4
# Tested on: PHP

1. Description

The Roxy File Manager has a configuration setting named FORBIDDEN_UPLOADS,
which keeps a list of forbidden file extensions that the application will
not allow to be uploaded. This configuration setting is also checked when
renaming an existing file to a new file extension.

It is possible to bypass this check and rename already uploaded files to
any extension, using the move function as this function does not perform
any checks.

2. Proof of Concept

http://host/fileman/php/movefile.php?f=/Upload/backdoor.jpg&n=/Upload/backdoor.php

The renamed file will now be accessible at http://host/Upload/backdoor.php
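
A log check for the bypass described above, added here as an example and not part of the original advisory or of Roxy Fileman: it scans web access-log lines for movefile.php requests whose destination (the n parameter) ends in a forbidden extension. The extension list, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit, parse_qs

# Assumption: stand-in for the site's own FORBIDDEN_UPLOADS value.
FORBIDDEN = set("php php3 php4 php5 phtml asp aspx jsp cgi pl sh exe htaccess".split())
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jun/2016:10:01:02 +0000] "GET /fileman/php/movefile.php?f=/Upload/backdoor.jpg&n=/Upload/backdoor.php HTTP/1.1" 200 31',
    '203.0.113.7 - - [15/Jun/2016:10:01:09 +0000] "GET /fileman/php/movefile.php?f=/Upload/a.jpg&n=/Upload/img/a.jpg HTTP/1.1" 200 31',
    '203.0.113.7 - - [15/Jun/2016:10:01:15 +0000] "GET /fileman/php/movefile.php?f=%2FUpload%2Fb.png&n=%2FUpload%2Fb.PhP HTTP/1.1" 200 31',
    '198.51.100.4 - - [15/Jun/2016:10:02:00 +0000] "GET /fileman/index.html HTTP/1.1" 200 5120',
]

def extension(path):
    """Lower-cased final extension; trailing dots/spaces ignored, '.htaccess' -> 'htaccess'."""
    name = PurePosixPath(path).name.lower().rstrip(". ")
    return name.rsplit(".", 1)[-1] if "." in name else ""

def flag_moves(log_lines):
    """Return (source, destination) pairs for moves to a forbidden extension."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/movefile.php"):
            continue
        q = parse_qs(url.query)  # parse_qs also decodes percent-encoding
        src, dst = q.get("f", [""])[0], q.get("n", [""])[0]
        if extension(dst) in FORBIDDEN:
            hits.append((src, dst))
    return hits

if __name__ == "__main__":
    for src, dst in flag_moves(SAMPLE_LOG):
        print(f"forbidden-extension move: {src} -> {dst}")
```

Only parameters passed in the query string appear in an access log, so move requests sent in a POST body need application-level or WAF logging to be seen.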