Vendor: Dren's PHP Uploader
By: Cyb3r IntRue
CVSS: 7.5 (HIGH)
Type: Remote File Upload
CWE: 434
Product Name: Dren's PHP Uploader
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

Dren’s PHP Uploader Remote File Upload Vulnerability

A vulnerability exists in Dren's PHP Uploader that allows an attacker to upload a malicious file to the server. The attacker can then reach the uploaded file by requesting the URL http://localhost/path/files/shell.php.

Mitigation:

Ensure that the application is configured to only allow the upload of files with the appropriate MIME type and that the application validates the content of the uploaded file.
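
The mitigation above, written as a PHP upload handler. This is an added example, not code from Dren's PHP Uploader or from the advisory. It also goes one step further than the text by storing the file under a server-generated name and extension. The form field name `file`, the storage directory `/var/uploads`, the image-only allow-list and the 2 MiB size cap are assumptions.

```php
<?php
// Added example: hardened upload handling (not Dren's PHP Uploader code).
// Assumed values: form field "file", /var/uploads, image allow-list, 2 MiB cap.

const ALLOWED_TYPES = [   // MIME type detected from content => extension chosen by the server
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size not allowed');
    }
    // Detect the type from the bytes; $file['type'] is sent by the client and is untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('File type not allowed');
    }
    // Content validation: the file must also parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Content is not a valid image');
    }
    // The client's filename is never used, so a name such as shell.php cannot reach disk.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

if (PHP_SAPI !== 'cli' && isset($_FILES['file'])) {
    try {
        echo 'Stored as ' . store_upload($_FILES['file'], '/var/uploads');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . $e->getMessage();
    }
}
```

Keeping the storage directory outside the web root, or disabling script execution for it in the web server configuration, means a file that slips past these checks is still served as data rather than run.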
Source

Exploit-DB raw data:

Dren's PHP Uploader Remote File Upload Vulnerability

####################################################################################
# [+] Author : Cyb3r IntRue #
# [+] Email : r0ot@live.ru & v7a@hotmail.fr #
# [+] Date : 29/12/2009 #
# [+] Software Link : http://freewebtown.com/thanigga/Dren's%20PHP%20Uploader.rar #
# [+] Team : Avengers Team #
# [+] Dork : n/a #
####################################################################################

The exploit :

http://localhost/path/index.php


Upload shell.php ^^



Get now shell :

http://localhost/path/files/shell.php



Thanks to : HAQIQ20

#####################################################