# Exploit Title: Laravel Media Library Pro <=2.1.6 – Arbitrary File Upload (Unauthenticated)
\n# Google Dork: –
\n# Date: Mar 13, 2022
\n# Exploit Author: Kelvin Yip <kelvin@cybersecthreat.com>
\n# Vendor Homepage: https:\/\/spatie.be\/
\n# Software Link: https:\/\/spatie.be\/products\/media-library-pro
\n# Version: <=1.17.10 & <=2.1.6
\n# Tested on: Laradock (PHP 8.0) inside Ubuntu 20.04
\n# CVE : CVE-2021-45040<\/p>\n
#######################################################################################################
\nDescription:<\/p>\n
The Spatie media-library-pro library through 1.17.10 & 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.<\/p>\n
#######################################################################################################
\nXploit : Arbitrary File Upload (Unauthenticated)<\/p>\n
Default URL: http:\/\/server\/api\/media-library-pro\/uploads OR http:\/\/server\/media-library-pro\/uploads<\/p>\n
Note: The URL can be changed by developer.<\/p>\n
Upload a PHP webshell or shell file with 3 parameters: (uuid, name and file), the JSON response will contain \u201coriginal_url\u201d, access the URL in the browser to get the shell access.<\/p>\n
#######################################################################################################
\nAdditional Information for setup, test and solutions: https:\/\/cybersecthreat.com\/2022\/03\/14\/cve-2021-45040\/
\n#######################################################################################################<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Laravel Media Library Pro <=2.1.6 – Arbitrary File Upload (Unauthenticated) # Google Dork: – # Date: Mar 13, 2022 # Exploit Author: Kelvin Yip <kelvin@cybersecthreat.com> # Vendor Homepage: https:\/\/spatie.be\/ # Software Link: https:\/\/spatie.be\/products\/media-library-pro # Version: <=1.17.10 & <=2.1.6 # Tested on: Laradock (PHP 8.0) inside Ubuntu 20.04 # CVE : CVE-2021-45040 ####################################################################################################### …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21777","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21777","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21777"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21777\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21777"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21777"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21777"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}