How to Deface via Productpageadverts Arbitrary File Upload
Friday, 15 November 2019
Adm0n. How to deface via Productpageadverts shell upload. Productpageadverts is a module that has an arbitrary file upload hole via CSRF. Here you can use either an online or an offline CSRF tool.
Dork: inurl:/modules/productpageadverts/uploadimage.php site:
inurl:/es/modules/productpageadverts/uploadimage.php
For the CSRF tool you can just use an online one; here the admin uses the online CSRF tool at https://tools.garudatersakti72.id/tools/csrf/
Next, do your dorking first; here the admin assumes you have already found a target. For example, a site that looks like the image below is probably vulnerable.
Alert = error. Now copy and paste the URL together with its path into the online CSRF tool above. For the post data field enter userfile, remember, userfile.
Roughly like this:
Just press save, and you will be redirected to a page where you are asked to upload the shell.
Shell extensions: .php .PhP.jpg .PhP.j .PhP.xxxjpg, depending on the site.
If the upload succeeds, you will get an alert roughly like the image below.
The alert reads success:namashellkalian.php. Once you see that, all that is left is to access it.
Shell location: http://site.com/path//modules/productpageadverts/slides/shellkalian.php
http://site.com//modules/productpageadverts/slides/shell.php
GoodLuck!
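From the defender's side, the request pattern this post describes can be looked for in web server access logs. The Python below is an added example, not part of the original post: it assumes Apache/nginx combined-format logs, and the function names, sample log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the post; everything else here is an assumption of this example.
UPLOAD_ENDPOINT = "/modules/productpageadverts/uploadimage.php"
SLIDES_DIR = "/modules/productpageadverts/slides/"

# Apache/nginx "combined" log line: client IP, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
# ".php" as any dot-separated part of the file name, so shell.php, x.PhP.jpg,
# x.PhP.j and x.PhP.xxxjpg all match once the name is lower-cased.
PHP_PART_RE = re.compile(r"\.php(\.|$)")

def normalise(target):
    """Drop the query string, percent-decode, collapse '//' and lower-case."""
    # Not urlsplit(): a target starting with '//' would be parsed as a host.
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def scan(lines):
    """Return (client_ip, finding, path, status) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, target, status = m.groups()
        path = normalise(target)
        name = path.rsplit("/", 1)[-1]
        if method == "POST" and path.endswith(UPLOAD_ENDPOINT):
            findings.append((ip, "upload-endpoint-post", path, int(status)))
        elif SLIDES_DIR in path and PHP_PART_RE.search(name):
            findings.append((ip, "php-in-slides", path, int(status)))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2019:10:00:01 +0000] "POST /es/modules/productpageadverts/uploadimage.php HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.7 - - [15/Nov/2019:10:00:09 +0000] "GET //modules/productpageadverts/slides/x.PhP.jpg?a=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [15/Nov/2019:10:01:00 +0000] "GET /modules/productpageadverts/slides/banner.jpg HTTP/1.1" 200 9000 "-" "-"',
    '198.51.100.4 - - [15/Nov/2019:10:02:00 +0000] "GET /modules/productpageadverts/slides/a%2EPHP HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `php-in-slides` finding with status 200 means a file with a PHP name part exists in the image directory and was served, which warrants treating the host as compromised and inspecting that directory on disk.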