header-logo
Suggest Exploit
vendor:
Petrol Pump Management Software
by:
Shubham Pandey
6.1
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: Petrol Pump Management Software
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: CVE-2024-27747
CPE: a:petrol_pump_management_software:petrol_pump_management_software:1.0
Metasploit:
Other Scripts:
Platforms Tested: Windows, Linux
2024

Petrol Pump Management Software v1.0 – Remote Code Execution via File Upload

A file upload vulnerability in Petrol Pump Management Software v1.0 allows an attacker to run malicious code by uploading a specifically crafted payload to the email Image parameter in the profile.php component.

Mitigation:

To mitigate this vulnerability, restrict file uploads to only allow specific file types, validate file content to ensure it does not contain executable code, and sanitize user inputs to prevent code injection.
Source

Exploit-DB raw data:

# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload 
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27747
# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and
Password=admin
3. Now go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the phpinfo.php file in "Image" field
5. Phpinfo will be present in "
http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of phpinfo.php file is given below:
<?php phpinfo();?>
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.md

Navigation

Suggest Exploit

Services By CQR