Remote File Inclusion/Upload Vulnerability on phUploader

Friday, 8 June 2012

phUploader is a very simple script for uploading one or many files or images to your website. You can specify the file types accepted, the file size, and even control the file name. The script was built with PHP5 in mind and is not platform dependent. It is very useful for temporary file storage or simple forum signature and avatar hosting.

We already discussed Google dorks for "Remote File Inclusion" in a previous post. Now let us look at the Remote File Inclusion/Upload vulnerability in phUploader.

Steps:
  • Go to Google and enter this dork: "intitle:Powered By phUploader"
  • Select any website from the search results. The exploitable page looks like the links below:
                         http://{site.com}/path/upload.php
                         http://site.com/upload.php
  • You will now see a screen like the image above, where you can upload your file.
  • After the upload, you can see the link to your file.
  • Done!!
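
The steps above rely on an upload page that accepts a visitor's file and returns a direct link to it. As an added example (not phUploader's code and not from the original post), here is a PHP upload handler that enforces the three controls the script description mentions: file type, size and file name. The function name `store_upload()`, the allowlist, the size limit, the form field name `file` and the storage path are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hardened upload handling. Not phUploader's code.
// Assumed names/values: store_upload(), ALLOWED, MAX_BYTES, /var/uploads.
const MAX_BYTES = 2 * 1024 * 1024;           // assumed size limit (2 MiB)
const ALLOWED = [                            // extension => expected MIME type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

function store_upload(array $file, string $storeDir): string
{
    // Rejects failed uploads, multi-file arrays and paths that are not real uploads.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('size not allowed');
    }
    // Only the final extension of the client-supplied name is used.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Check the content itself, not the client-supplied Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: the uploader never controls the stored name.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $storeDir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// The storage directory (assumed path) sits outside the web root and is served
// by a download script, so nothing stored there is executed by the web server.
if (isset($_FILES['file'])) {
    try {
        echo store_upload($_FILES['file'], '/var/uploads');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';
    }
}
```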
