Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
1. Remote Code Injection in SAAS CMS (<=3.0)
The writeLog function in fn_common.php in GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by
<?php system($_GET[cmd]); ?>
in a login request. Each POST request goes through mysql_real_escape_string() function which will add slashes behind quotes so the payload code shouldn't include any quote. The header of the file where code is injected allows only Admin to view the file which makes it less of a RCE. But there is another vulnerability (explained below) which allows an attacker to hijack account hence making the RCE exploitable with 100% success.
2. Admin Account Hijack in SAAS CMS (2.x) GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.

This comment has been minimized.

Copy link

Imranjunnaid commented Jun 4, 2018

do you have source code for the app

if you have and having an expertise with this code then you can contact me on my whatsapp no : +923214464418


This comment has been minimized.

Copy link
Owner Author

pak0s commented Dec 3, 2018

Sorry brother I saw your response late. I do have source code but its vulnerable and since its SAAS so I don't have the updated one.


This comment has been minimized.

Copy link

pinakin7664 commented Feb 11, 2019

i want to this script

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.