Petrol Pump Management Software v1.0 Remote Code Execution via File Upload

2024.03.03
Risk: High
Local: No
Remote: Yes
CWE: CWE-264

# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload # Date: 01-03-2024 # Exploit Author: Shubham Pandey # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html # Version: 1.0 # Tested on: Windows, Linux # CVE : CVE-2024-27747 # Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component. # POC: 1. Here we go to : http://localhost/fuelflow/index.php 2. Now login with default username=mayuri.infospace@gmail.com and Password=admin 3. Now go to "http://localhost/fuelflow/admin/profile.php" 4. Upload the phpinfo.php file in "Image" field 5. Phpinfo will be present in " http://localhost/fuelflow/assets/images/phpinfo.php" page 6. The content of phpinfo.php file is given below: <?php phpinfo();?> # Reference: https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.md


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top