Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload - exploit.company
header-logo
Suggest Exploit
vendor:
Petrol Pump Management Software
by:
Shubham Pandey
6.1
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: Petrol Pump Management Software
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: CVE-2024-27747
CPE: a:petrol_pump_management_software:petrol_pump_management_software:1.0
Metasploit:
Other Scripts:
Platforms Tested: Windows, Linux
2024

Petrol Pump Management Software v1.0 – Remote Code Execution via File Upload

A file upload vulnerability in Petrol Pump Management Software v1.0 allows an attacker to run malicious code by uploading a specifically crafted payload to the email Image parameter in the profile.php component.

Mitigation:

To mitigate this vulnerability, restrict file uploads to only allow specific file types, validate file content to ensure it does not contain executable code, and sanitize user inputs to prevent code injection.
Source

Exploit-DB raw data:

# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload 
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27747
# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and
Password=admin
3. Now go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the phpinfo.php file in "Image" field
5. Phpinfo will be present in "
http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of phpinfo.php file is given below:
<?php phpinfo();?>
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.md

Navigation

Suggest Exploit

Services By CQR

cqrsecured