Voting system 1.0 remote code execution (unauthenticated) Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2021-05-07 | Type: webapps | Platform: php
This exploit / vulnerability, Voting system 1.0 remote code execution (unauthenticated), is for educational purposes only; if you use it, you do so at your own risk!
# Exploit Title: Voting System 1.0 - Remote Code Execution (Unauthenticated)
# Date: 07/05/2021
# Exploit Author: secure77
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB
Unauthenticated file upload is possible via /admin/candidates_add.php, which can be used for RCE.
Your upload will be stored at /images/ and is also accessible without authentication.
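Added example (not part of the original advisory or of the Voting System code): a log check for the pattern described above, a POST to /admin/candidates_add.php followed by a request for a script-type file under /images/. The combined log format, the sample lines and the function name are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/Nginx "combined" format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2021:10:01:02 +0000] "POST /admin/candidates_add.php HTTP/1.1" 302 0 "-" "curl/7.74.0"
203.0.113.7 - - [07/May/2021:10:01:05 +0000] "GET /images/avatar.php HTTP/1.1" 200 51 "-" "curl/7.74.0"
198.51.100.4 - - [07/May/2021:10:02:00 +0000] "GET /images/profile.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.9 - - [07/May/2021:10:03:00 +0000] "GET /images/old.PHP5 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

UPLOAD_PATH = "/admin/candidates_add.php"  # upload endpoint named in the advisory
UPLOAD_DIR = "/images/"                    # storage directory named in the advisory
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def find_upload_abuse(log_text):
    """Return one finding per request for a script-type file under /images/.

    'served' is True when the server answered 200, i.e. the file exists.
    'uploaded_first' is True when the same client IP POSTed to the
    upload endpoint earlier in the log.
    """
    uploaders = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        path = urlsplit(target).path  # drop any query string
        if method == "POST" and path == UPLOAD_PATH:
            uploaders.add(ip)
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            findings.append({
                "ip": ip,
                "path": path,
                "status": int(status),
                "served": status == "200",
                "uploaded_first": ip in uploaders,
            })
    return findings


if __name__ == "__main__":
    for f in find_upload_abuse(SAMPLE_LOG):
        print(f)
```

A finding with both `served` and `uploaded_first` set is the highest-priority case to investigate; any script-type file under an image directory is worth review on its own.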
########################### Vulnerable code ############################
<?php
include 'includes/session.php';