Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload

Exploit Author: Shubham Pandey Analysis Author: www.bubbleslearn.ir Category: Remote Language: PHP Published Date: 2024-03-03 
# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload 
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27747
# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and
Password=admin
3. Now go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the phpinfo.php file in "Image" field
5. Phpinfo will be present in "
http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of phpinfo.php file is given below:
<?php phpinfo();?>
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.md


Exploiting the File Upload Vulnerability in Petrol Pump Management Software v1.0: A Deep Dive into Remote Code Execution

Security researchers and ethical hackers alike have long recognized that software applications—especially those built on open-source platforms—often harbor hidden vulnerabilities that can be exploited for malicious purposes. One such case is the Petrol Pump Management Software v1.0, a widely used system for managing fuel station operations, which has recently been identified as vulnerable to remote code execution via file upload. This exploit, formally known as CVE-2024-27747, highlights a critical flaw in the application's file upload mechanism, allowing attackers to execute arbitrary code on the server.

Understanding the Vulnerability: File Upload and the Image Parameter

At the core of this exploit lies a seemingly innocuous feature: the Image field in the profile.php component of the software. This field is designed to allow users to upload images for profile customization—typically for user avatars or branding. However, due to a lack of proper validation and sanitization, the application fails to restrict file types, allowing malicious users to upload PHP scripts instead of images.

Here's how the vulnerability manifests:

  • Attackers can upload a file named phpinfo.php with the payload <?php phpinfo();?>.
  • Once uploaded, the file is stored in the assets/images/ directory.
  • Due to the absence of file type filtering, the server treats this file as executable.
  • When accessed via a browser, the file runs and exposes detailed information about the PHP environment, including server configuration, installed extensions, and environment variables.

Why This is a Critical Security Flaw

While phpinfo() may appear harmless at first glance, its presence reveals a deeper issue: the system lacks input validation and security checks. This means that any file uploaded through the Image field—regardless of extension—can be executed by the server. This is a classic example of unrestricted file upload vulnerability, which has been a recurring problem in web applications.

According to OWASP (Open Web Application Security Project), this vulnerability falls under the Top 10 category—specifically Injection and File Upload—as it allows attackers to bypass authentication and execute code without needing to exploit other vulnerabilities.

Exploit Steps: A Step-by-Step POC

Let’s walk through the proof-of-concept (POC) as outlined by Shubham Pandey:


1. Navigate to: http://localhost/fuelflow/index.php
2. Login with default credentials: username = mayuri.infospace@gmail.com, password = admin
3. Access the admin panel: http://localhost/fuelflow/admin/profile.php
4. Upload a file named phpinfo.php in the "Image" field
5. The file is saved in: http://localhost/fuelflow/assets/images/phpinfo.php
6. Access the file via browser: http://localhost/fuelflow/assets/images/phpinfo.php

Once the file is accessed, the phpinfo() output appears in the browser, revealing sensitive server information. This demonstrates that the server is not filtering file types and is executing PHP scripts.

What makes this particularly dangerous is that any malicious payload—such as a shell.php or backdoor.php—could be uploaded and executed with similar ease. For instance:

Such a file would allow attackers to execute commands via URL parameters, giving full control over the server.

Real-World Implications and Use Cases

Imagine a scenario where an attacker gains access to a fuel station's management system. With this vulnerability, they can:

  • Access sensitive data such as transaction logs, user data, and payment records.
  • Modify or delete critical data.
  • Install persistent backdoors for future access.
  • Exfiltrate data to external servers.

These capabilities make the exploit not just a theoretical concern but a real threat to organizations relying on this software for daily operations.

Technical Analysis: Why the Vulnerability Exists

Upon analysis, the root cause lies in the file upload logic that lacks:

  • Server-side file type validation (e.g., only allow jpg, png, gif).
  • File extension filtering.
  • Content inspection (e.g., checking for PHP code).
  • Secure file storage (e.g., storing files in non-executable directories).

Instead, the system merely accepts any file uploaded through the Image field and stores it in a publicly accessible directory. This creates a pathway to remote code execution.

Security Recommendations and Fixes

For developers and administrators, the following measures are essential to prevent such exploits:

Recommended FixExplanation
Implement file type filteringOnly allow specific extensions like jpg, png, gif for image uploads.
Disable execution of uploaded filesStore files in a directory that cannot be executed by the web server.
Use a whitelist approachValidate file content and type before allowing upload.
Use a secure upload mechanismImplement secure hashing or renaming of files to prevent predictable access.

Additionally, developers should use secure coding practices such as:


// Example of secure file upload
if (isset($_FILES['image']) && $_FILES['image']['name']) {
    $filename = basename($_FILES['image']['name']);
    $filetype = pathinfo($filename, PATHINFO_EXTENSION);
    if ($filetype !== 'jpg' && $filetype !== 'png' && $filetype !== 'gif') {
        die('Invalid file type');
    }
    // Move file to a non-executable directory
    $upload_dir = 'uploads/';
    $target_file = $upload_dir . $filename;
    move_uploaded_file($_FILES['image']['tmp_name'], $target_file);
}

These modifications ensure that malicious files cannot be executed, significantly reducing risk.

Conclusion: The Importance of Security Testing

As the CVE-2024-27747 demonstrates, even seemingly simple features—like image upload—can become critical security weaknesses if not properly secured. This case underscores the importance of:

  • Regular penetration testing.
  • Code review and audit.
  • Security awareness in development.

Software developers must prioritize security over convenience. The Petrol Pump Management Software v1.0 is a prime example of how a lack of security can lead to remote code execution—potentially compromising entire systems.

For organizations using this software, immediate patching and audit are essential. For developers, implementing secure file upload mechanisms is a must. This vulnerability should serve as a reminder that any file upload feature must be treated with caution.