# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE) # Date: 02/04/2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://www.sourcecodester.com # Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html # Version: v1.0 # Tested on: Windows 10 # Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component. # POC: 1. Here we go to : http://127.0.0.1/fuelflow/index.php 2. Now login with default username=mayuri.infospace@gmail.com and Password=admin 3. Now go to "http://127.0.0.1/fuelflow/admin/web.php" 4. Upload the san.php file in "Image" field 5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page 6. The content of san.php file is given below: <?php phpinfo();?> # Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md
Credits and Partners
All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD
