Vendor: PHP Uploader Downloader
By: indoushka
CVSS: 7.5 HIGH
Upload Shell
CWE: 434
Product Name: PHP Uploader Downloader
Affected Version From: 2
Affected Version To: 2
Patch Exists: NO
Related CWE:
CPE: a:zachwhite:php_uploader_downloader
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux
2009

PHP Uploader Downloader Upload Shell Vulnerability

A vulnerability in PHP Uploader Downloader Version 2.0 allows an attacker to upload a malicious shell to the server. The attacker can then use the shell to execute arbitrary code on the server.

Mitigation:

Configure the application to accept an upload only when the file has both an appropriate MIME type and an appropriate file extension.
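
One way to apply both checks in PHP, as an added example that is not code from PHP Uploader Downloader or from the advisory; the store_upload helper, the allow-list, the form field name "file" and the destination path are all assumptions. It goes slightly beyond the mitigation text by reading the MIME type from the file content rather than from the request, and by storing the file under a server-generated name.

```php
<?php
// Added example: hypothetical helper, not code from PHP Uploader Downloader.
declare(strict_types=1);

// Assumed policy: allowed extension => MIME type the content must sniff as.
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

// Validate one $_FILES entry and store it in $destDir; returns the stored name.
function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an HTTP upload');
    }

    // Extension check on the final extension of the client-supplied name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('extension not allowed');
    }

    // MIME check on the content itself; $file['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // Server-generated name: the client's file name never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $destDir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Upload endpoint; the destination is an assumed directory outside the web root.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['file'])) {
    try {
        $stored = store_upload($_FILES['file'], '/var/app/uploads');
        echo 'stored as ', htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';
    }
}
```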

Exploit-DB raw data:

========================================================================================
| # Title    : PHP Uploader Downloader Upload Shell Vulnerability                      |
| # Author   : indoushka                                                               |
| # email    : indoushka@hotmail.com                                                   |
| # Home     : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860)       |
| # EDB-ID   :                                                                         |
| # CVE-ID   : ()                                                                      |
| # OSVDB-ID : ()                                                                      |
| # Date     :16/12/2009                                                               |
| # Verified :                                                                         |
| # Web Site : www.iq-ty.com                                                           |
| # Published:                                                                         |
| # Script   : Powered by PHP Uploader Downloader Version 2.0 (http://www.zachwhite.com|
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Linux Français v.(9.4 Ubuntu)       |
| # Bug      : Upload Shell                                                            |
======================      Exploit By indoushka       =================================
| # Exploit  :
|1- http://127.0.0.1/script_3163/updown.php
|
|2- http://127.0.0.1/script_3163/up/
|
================================   Dz-Ghost Team   ========================================
Greetz : all my friend * Dos-Dz * Snakespc * His0k4 * Hussin-X * Str0ke * Saoucha * Star08 |
-------------------------------------------------------------------------------------------