Full website takeover
Got full access of server
This is the blog shows that impact when the upload functionality is not implement properly.
Using fuff I found login page that too admin login :)
By simple SQLi injection able to bypass login ( ‘ or 1=1 — ).
In admin panel there are lot of options is there including uploading images. So I decide to upload web shell and gain access of entire site.
After uploading the shell I located to home directory of the site and add small tag in index page ( homepage of site).
Here we have all privileges. like We can download, edit and delete all stuffs in that server.