Petrol Pump Management Software v1.0 Remote Code Execution via File Upload
2024-3-4 06:9:58 Author: cxsecurity.com(查看原文) 阅读量:15 收藏

# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload # Date: 01-03-2024 # Exploit Author: Shubham Pandey # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html # Version: 1.0 # Tested on: Windows, Linux # CVE : CVE-2024-27747 # Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component. # POC: 1. Here we go to : http://localhost/fuelflow/index.php 2. Now login with default [email protected] and Password=admin 3. Now go to "http://localhost/fuelflow/admin/profile.php" 4. Upload the phpinfo.php file in "Image" field 5. Phpinfo will be present in " http://localhost/fuelflow/assets/images/phpinfo.php" page 6. The content of phpinfo.php file is given below: <?php phpinfo();?> # Reference: https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.md



 

Thanks for you comment!
Your message is in quarantine 48 hours.


文章来源: https://cxsecurity.com/issue/WLB-2024030004
如有侵权请联系:admin#unsafe.sh