WEBIGniter v28.7.23 File Upload - Remote Code Execution

vendor:

WEBIGniter

by:

nu11secur1ty

8.1

CVSS

CRITICAL

File Upload - Remote Code Execution

CWE

Product Name: WEBIGniter

Affected Version From: 28.7.23

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2023

WEBIGniter v28.7.23 File Upload – Remote Code Execution

The media function suffers from file upload vulnerability. The attacker can upload and execute PHP files remotely, potentially leading to malicious activities on the server.

Mitigation:

Unknown

Source

Exploit-DB raw data:

## Title: WEBIGniter v28.7.23 File Upload - Remote Code Execution
## Author: nu11secur1ty
## Date: 09/04/2023
## Vendor: https://webigniter.net/
## Software: https://webigniter.net/demo
## Reference: https://portswigger.net/web-security/file-upload


## Description:
The media function suffers from file upload vulnerability.
The attacker can upload and he can execute remotely very dangerous PHP
files, by using any created account before this on this system.
Then he can do very malicious stuff with the server of this application.

## Staus: HIGH-CRITICAL Vulnerability

[+]Simple Exploit:
```PHP
<?php
	phpinfo();
?>

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-File-Upload-RCE)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-file-upload-rce.html)

## Time spent:
00:15:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>