Justboil.ME Plugins Image Upload Vulnerability New Method - CXSecurity.com

Vulnerability ID 1602537 Vulnerability type
Published 2019-05-10 Updated 2019-05-10
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2019050108
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit
#######################################################################
Exploit Title	: Justboil.ME Plugins Image Upload Vulnerability New Method
Author		: L4663r666h05t
Tested On		: Windows 10 x64
Vendor		: http://justboil.me/
Dork			: inurl:/plugins/justboil.me/ site:
Date			: 9 May 2019
#######################################################################

Exploit File: dialog-v4.htm
Use the dork in Google or another search engine (Bing, Yahoo, DuckDuckGo).

YOU NEED TO REGISTER FIRST

Demo:
https://jurnal.stmik.banisaleh.ac.id/plugins/generic/tinymce/plugins/justboil.me/dialog-v4.htm
http://journal.gunabangsa.ac.id/plugins/generic/tinymce/plugins/justboil.me/dialog-v4.htm

Path Images/Shell:
http://localhost/public/site/images/[user name]/shell.png (IF YOU NEED TO REGISTER FIRST)

Note:
This proof of concept is the same as the JBImages one; only the plugin name differs, and you need to register first, although sometimes registration is not required.

Impact:
An attacker is able to upload an image.

Thanks To: All Indonesian Hackers
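
A defender-side check for the upload path named above, as an added example that is not part of the original advisory: it walks an upload directory and flags files whose contents do not match their image extension or that contain script markers. The function names, the marker list and the default directory are assumptions of this example.

```python
"""Audit an upload directory for files that claim to be images but are not."""
import os
import sys

# Leading magic bytes of the image types an image-upload plugin would accept.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Script markers that have no place in an image (assumed list, extend as needed).
SCRIPT_MARKERS = (b"<?php", b"<script")


def classify(name, data):
    """Return a list of findings for one file name and its raw contents."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        findings.append("unexpected extension")
    elif not data.startswith(MAGIC[ext]):
        findings.append("content does not match extension")
    # A file with a valid image header can still carry appended script text.
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        findings.append("embedded script marker")
    return findings


def audit(root):
    """Walk root and return {path: findings} for every suspicious file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings = classify(name, fh.read())
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    # Assumed default: the public/site/images path from the advisory,
    # taken relative to the web root the script is run from.
    root = sys.argv[1] if len(sys.argv) > 1 else "public/site/images"
    for path, findings in sorted(audit(root).items()):
        print(f"{path}: {', '.join(findings)}")
```

Flagged files should be reviewed and removed, and the web server should be configured not to execute scripts from the upload directory.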