Artworks Gallery 1.0 – Arbitrary File Upload RCE (Authenticated) via Edit Profile

Exploit Database
11 阅读

作者： Shahrukh Iqbal Mirza

日期： 2020-12-02
类别：
- webapps
平台：
- multiple
来源：https://www.exploit-db.com/exploits/49167/

# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link:https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28687
--------------------
Proof of Concept:
--------------------
1. Authenticate as a user (or signup as an artist)
2. Go to edit profile
3. Upload a php-shell as profile picture and click update/save
4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution

last Exploits
Artworks Gallery 1.0 – Arbitrary File Upload RCE (Authenticated) via Edit Profile的更多信息

vTiger CRM 6.3.0 – (Authenticated) Remote Code Execution：
Verodin Director Web Console 3.5.4.0 – Remote Authenticated Password Disclosure (PoC)：
JCMS 2010 – File Download：
QNAP Photo Station 5.7.0 – Cross-Site Scripting：
TestLink 1.8.5 – ‘order_by_login_dir’ Cross-Site Scripting：
WebHMI 4.0 – Remote Code Execution (RCE) (Authenticated)：
ManageEngine ServiceDesk Plus 9.1 build 9110 – Directory Traversal：
Webthaiapp – ‘detail.php?cat’ Blind SQL Injection：