Petrol Pump Management Software v1.0 - Remote Code Execution (RCE) - exploit.company
Vendor: Petrol Pump Management Software
By: Sandeep Vishwakarma
CVSS: 6.1 (HIGH)
Remote Code Execution (RCE)
CWE: 434
Product Name: Petrol Pump Management Software
Affected Version From: v1.0
Affected Version To: v1.0
Patch Exists: NO
Related CVE: CVE-2024-29410
CPE: a:petrol_pump_management_software:petrol_pump_management_software:1.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 10
2024

Petrol Pump Management Software v1.0 – Remote Code Execution (RCE)

Petrol Pump Management Software v1.0 is vulnerable to Remote Code Execution (RCE) due to a file upload flaw. An attacker can upload a malicious payload to the logo Photos parameter in the web_crud.php component, allowing them to execute arbitrary code on the server. By exploiting this vulnerability, an attacker can potentially take full control of the application.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user inputs, restrict file upload types, implement proper file upload handling mechanisms, and regularly update the software to patch security flaws.

Exploit-DB raw data:

# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
# Date: 02/04/2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: v1.0
# Tested on: Windows 10
# CVE: CVE-2024-29410
# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component.
# POC:
1. Here we go to : http://127.0.0.1/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and Password=admin
3. Now go to "http://127.0.0.1/fuelflow/admin/web.php"
4. Upload the san.php file in "Image" field
5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of san.php file is given below: <?php phpinfo();?>

# Reference:
https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md