Exploits / Vulnerability Discovered : 2019-04-30 |
Type : webapps |
Platform : php
This exploit / vulnerability Hyvikk fleet manager shell upload is for educational purposes only and if it is used you will do on your own risk!
========================================================================================
# Fleet Manager (Hyvikk) - Shell Upload
# Date: 29-04-2019
# Title : Fleet Manager by hyvikk All versions
# Author : saxgy1331 - Kaieteur-Falls-1331
# Vendor Homepage: https://codecanyon.net/item/fleet-manager/20051839
# Tested on: Windows, Linux
# Bug : Shell upload
========================================================================================
# Exploit :
The vehicle image upload at http://localhost/delivery/public/vehicles/create accepts a PHP file as the vehicle photo, because the uploaded file's type is not validated server-side.
After the upload, the file is saved in the /uploads/ folder under a generated id, keeping its .php extension, so the web server executes it.
Go to http://localhost/delivery/public/vehicles/ and open the "photo" of the vehicle you just created: the uploaded PHP file runs. Boom!
Example
http://localhost/delivery/public/uploads/122030d1-ba55-4bfe-9533-44955d47b433.php
Fix
Validate the upload server-side before storing it (Laravel controller method; Request is Illuminate\Http\Request):

public function uploadPhoto(Request $request)
{
    // Reject anything that is not an image (type is derived from file content, not the
    // client-supplied name) and cap the size at 4096 KB.
    $this->validate($request, [
        'photo' => 'required|mimes:jpeg,png,bmp,tiff|max:4096',
    ], [
        'required' => 'The :attribute field is required.',
        'mimes'    => 'Only jpeg, png, bmp, tiff are allowed.',
    ]);
    // Now save your file to the storage and file details at database.
}
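As an added example, not Hyvikk's code and not part of the original advisory, the same defence in plain PHP, so the individual checks the Laravel rule bundles together are visible: a content-derived type check, a size cap, a server-chosen file name and extension, and storage outside the web root. The field name "photo", the directory $storageDir and the 4 MiB limit are assumptions chosen to mirror the fix above.

```php
<?php
// Hardened vehicle-photo upload handler (added example, not the Fleet Manager code).
// Assumes a multipart form field named "photo" and a $storageDir outside the web root.

const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/bmp'  => 'bmp',
    'image/tiff' => 'tiff',
];
const MAX_BYTES = 4096 * 1024; // 4 MiB, matching max:4096 in the Laravel rule above

function storeVehiclePhoto(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Detect the type from the file contents; never trust $file['type'] or the client's
    // filename, both of which the uploader controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Only jpeg, png, bmp, tiff are allowed.');
    }
    // Require the image to parse as an image as well, which rejects PHP source that only
    // carries a fake image header.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // The server picks both the name and the extension, so a ".php" suffix can never
    // reach disk; the random name also avoids overwriting another vehicle's photo.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name; // store this in the database; serve it through a read-only route
}

// Usage inside the create action:
// $photoName = storeVehiclePhoto($_FILES['photo'], '/var/app/storage/vehicle-photos');
```

A valid image with PHP appended still passes the content checks, which is why the server-chosen extension and a storage directory the web server does not execute from are the controls that actually stop the shell, not the type check alone.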