AMC Master Arbitrary File Upload

2017-09-28T00:00:00
ID PACKETSTORM:144381
Type packetstorm
Reporter Ihsan Sencan
Modified 2017-09-28T00:00:00

Description

                                        
                                            `# # # # #   
# Exploit Title: Annual Maintenance Contract Management System - Arbitrary File Upload  
# Dork: N/A  
# Date: 26.09.2017  
# Vendor Homepage: http://mojoomla.com/  
# Software Link: https://codecanyon.net/item/amc-master-annual-maintenance-contract-management-system/20667703  
# Demo: http://dasinfomedia.com.au/php/amc/  
# Version: N/A  
# Category: Webapps  
# Tested on: WiN7_x64/KaLiLinuX_x64  
# CVE: N/A  
# # # # #  
# Exploit Author: Ihsan Sencan  
# Author Web: http://ihsan.net  
# Author Social: @ihsansencan  
# # # # #  
# Description:  
#   
# The vulnerability allows an users upload arbitrary file....  
#   
# Vulnerable Source:  
#   
# if(isset($id)){  
# $user_d=$this->request->data;  
# $this->row_update=$this->table_user->get($id);  
# $this->set('emp_update_row',$this->row_update);  
#   
# if($this->request->is(['post','put'])){  
#   
# $get_output=$this->check_update_email($this->row_update,$this->request->data('email'));  
#   
# if($get_output == true){  
#   
# if(isset($_FILES['image']['name']) && !empty($_FILES['image']['name'])){  
# move_uploaded_file($_FILES['image']['tmp_name'],$this->user_image.$_FILES['image']['name']);  
# $this->store_image=$_FILES['image']['name'];  
# }else{  
# $this->store_image=$this->request->data('old_image');  
# }  
#   
# Proof of Concept:   
#   
# http://localhost/[PATH]/account/profilesetting/[ID]  
# http://localhost/[PATH]/img/user/[FILE]  
#   
# Etc..  
# # # # #  
  
`