b2evolution version 6.8.8 Stable suffers from a remote shell upload vulnerability.
# Exploit Title: Remote File Upload Vulnerability in b2evolution 6.8.8 # Google Dork: no # Date: 14-03-2017 # Exploit Author: @rungga_reksya, @dvnrcy, @yokoacc # Vendor Homepage: http://b2evolution.net # Software Link: http://b2evolution.net/downloads/6-8-8?download=6883 # Version: 6.8.8 Stable # Tested on: Windows Server 2012 Datacenter Evaluation # CVE : no I. Background: b2evolution is a tool that allows you to build your own website. This ranges from just a home page to a full featured site with multiple blogs, forums for your user community and structured content such as manuals or knowledge bases. Additionally, b2evolution allows you to send newsletters to your user community and members can send private messages to each other. II. Description: Unrestricted file upload vulnerability in afile uploada modules in B2evolution CMS 6.8.8 allows authenticated user to upload malicious code (shell), even though in the system has restricted extension (php). III. Exploit: In this case, we have privilege as administrators and then access to afiles menua (http://HOST/b2evolution/admin.php?ctrl=files). Choose your directory and upload your shell with php extension. e.g you choose aadmina folder, so access your shell such as: http://HOST/b2evolution/media/users/admin/[YOUR_SHELL] IV. Thanks to: - Alloh SWT - MyBoboboy - @yokoacc, @dvnrcy - Komunitas IT Auditor & IT Security Kaskus Refer to:Remote File Upload Vulnerability in b2evolution 6.8.8 # 0day.today [2018-04-11] #