phpMyFAQ 2.8.x Arbitrary File Upload Vulnerabillity

1. #Title : phpMyFAQ 2.8.x Arbitrary File Upload Vulnerabillity
2.  
3. #Author : DevilScreaM
4.  
5. #Date : 10/26/2013
6.  
7. #Category : Web Applications
8.  
9. #Type : PHP
10.  
11. #Vendor : http://phpmyfaq.de/
12.  
13. #Version : 2.8.x
14.  
15. #Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
16. Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
17.  
18. #Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
19.  
20. #Vulnerabillity : Arbitrary File Upload
21.  
22. #Dork : intext:powered by phpMyFAQ
23.  
24.  
25. Exploit & POC
26.  
27. 1. Login to Page Admin
28.  
29. Go to
30.  
31. http://site-target/admin/editor/plugins/ajaxfilemanager/ajaxfilemanager.php
32.  
33. 2. Browse Your File, and Click Upload
34.  
35. Result Upload
36.  
37. http://site-target/images/[YOUR_FILE].txt
38.  
39.  
40. Example :
41.  
42. http://jen.demo.phpmyfaq.de/images/devilscream.txt
43. http://roy.demo.phpmyfaq.de/images/devilscream.txt