Data center: Ashburn, VA

Telegram Chat : MBHH_x86

Email Us: Help@mobilehackerforhire.com

Atrocore 1.5.25 Shell Upload ≈ Mobile Hacker For Hire

Table of Contents

## Title: atrocore-1.5.25 User interaction – Unauthenticated File upload – RCE
## Author: nu11secur1ty
## Date: 02.16.2023
## Vendor: https://atropim.com/
## Software: https://github.com/atrocore/atrocore/releases/tag/1.5.25
## Reference: https://portswigger.net/web-security/file-upload

## Description:
The `Create Import Feed` option with `glyphicon-glyphicon-paperclip`
function appears to be vulnerable to User interaction –
Unauthenticated File upload – RCE attacks.
The attacker can easily upload a malicious then can execute the file
and can get VERY sensitive information about the configuration of this
system, after this he can perform a very nasty attack.

STATUS: HIGH Vulnerability CRITICAL

[+]Payload:

“`PHP
<?php
phpinfo();
?>
“`

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/atrocore/atrocore-1.5.25)

## Reference:
[href](https://portswigger.net/web-security/file-upload)

## Proof and Exploit:
[href](https://streamable.com/g8998d)

## Time spend:
00:45:00


System Administrator – Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!