Headline
Amazon S3 Droppy 1.4.6 Shell Upload
Amazon S3 Droppy version 1.4.6 suffers from a remote shell upload vulnerability.
============================================================================================================================
| # Title : Amazon S3 Droppy v 1.4.6 File Upload Vulnerability |
| # Author : indoushka |
| # email : [email protected] |
| # Tested on : windows 10 Français V.(Pro) |
| # Vendor : https://codecanyon.net/item/droppy-online-file-sharing/10575317 |
| # Dork : n/a |
============================================================================================================================
poc :
[+] Droppy is an online file sharing platform that can be used to share multiple files among friends,
family and colleagues. The files can be sent by email or an url that can be shared with everyone you would like to.
[+] Dorking İn Google Or Other Search Enggine
[+] Select file Ev!l.php and send it to your e-mail or to direct link.
[+] it can be accessed remotely and run code execution.
[+] script save a copy of your file in the web server in dir " uploads/" with a secret code
[+] when you click in link to download your file right click and choose view source of download link not the page of your email:
[+] Exampel : view-source:http://droppy.proxibolt.com/PrHEtFg
[+] The script stores the attached files sent inside the hosting server of the website
It does not give you the storage path, but when you open the source code of the sending page,
you will find the path of the attached file, and it can be accessed remotely and run
Means line 100 It contains the secret code generated randomly by the script that
renames the file attached to it and stores it inside the folder
And when you enter the storage path and combine the secret code with the file name,
the file opens for you inside the server,
[+] Line 99 , 100 , 101
<input type="hidden" name="action" id="action" value="download"> <input type="hidden" name="secret_code" id="secret_code" value="c40c11023e25cb7cfcba1345c4e26f72"> <input type="hidden" name="download_id" id="download_id" value="PrHEtFg">
[+] add the secret code with name of your file that give you access .
[+] http://127.0.0.1/Droppy/uploads/c40c11023e25cb7cfcba1345c4e26f72-x.php
====Greetings to :=========================================================================================================================
| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |
===========================================================================================================================================